def testRegistryValueArtifact(self):
"""Test the basic Registry Value collection."""
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
vfs_test_lib.FakeRegistryVFSHandler):
with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
vfs_test_lib.FakeFullVFSHandler):
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.REGISTRY_VALUE,
attributes={
"key_value_pairs": [{
"key": (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
r"\Control\Session Manager"),
"value":
"BootExecute"
}]
})
ext_src = rdf_artifact.ExtendedSource(base_source=source)
ext_art = rdf_artifact.ExtendedArtifact(
name="FakeRegistryValue", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art], apply_parsers=False)
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifact = list(result.collected_artifacts)[0]
file_stat = list(collected_artifact.action_results)[0].value
self.assertTrue(isinstance(file_stat, rdf_client.StatEntry))
urn = file_stat.pathspec.AFF4Path(self.SetupClient(0))
self.assertTrue(str(urn).endswith("BootExecute"))
def testWMIArtifact(self, registry):
registry.AddFileSource(self.test_artifacts_file)
artifact = registry.GetArtifact("WMIActiveScriptEventConsumer")
ext_src = rdf_artifact.ExtendedSource(base_source=artifact.sources[0])
ext_art = rdf_artifact.ExtendedArtifact(
name=artifact.name, sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art],
knowledge_base=None,
ignore_interpolation_errors=True,
apply_parsers=False)
result = self.RunAction(artifact_collector.ArtifactCollector, request)[0]
self.assertIsInstance(result, rdf_artifact.ClientArtifactCollectorResult)
coll = artifact_collector.ArtifactCollector()
coll.knowledge_base = None
coll.ignore_interpolation_errors = True
expected = rdf_client.WMIRequest(
query="SELECT * FROM ActiveScriptEventConsumer",
base_object="winmgmts:\\root\\subscription")
for action, request in coll._ProcessWmiSource(ext_src):
self.assertEqual(request, expected)
self.assertEqual(action, self.windows.WmiQuery)
self.windows.WmiQuery.Start.assert_called_with(request)
def testCmdArtifactAction(self):
"""Test the actual client action with parsers."""
client_test_lib.Command("/bin/echo", args=["1"])
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.COMMAND,
attributes={
"cmd": "/bin/echo",
"args": ["1"]
})
ext_src = rdf_artifact.ExtendedSource(base_source=source)
ext_art = rdf_artifact.ExtendedArtifact(name="TestEchoCmdArtifact",
sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=list(ext_art),
knowledge_base=None,
ignore_interpolation_errors=True,
apply_parsers=True)
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
self.assertIsInstance(result,
rdf_artifact.ClientArtifactCollectorResult)
self.assertTrue(len(result.collected_artifacts), 1)
res = result.collected_artifacts[0].action_results[0].value
self.assertIsInstance(res, rdf_client.SoftwarePackage)
self.assertEqual(res.description, "1\n")
def testMultipleArtifacts(self, registry):
"""Test collecting multiple artifacts."""
client_test_lib.Command("/usr/bin/dpkg",
args=["--list"],
system="Linux")
registry.AddFileSource(self.test_artifacts_file)
artifact = registry.GetArtifact("TestCmdArtifact")
ext_src = rdf_artifact.ExtendedSource(
base_source=list(artifact.sources)[0])
ext_art = rdf_artifact.ExtendedArtifact(name=artifact.name,
sources=list(ext_src))
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=list(ext_art), apply_parsers=False)
request.artifacts.append(ext_art)
result = self.RunAction(artifact_collector.ArtifactCollector,
request)[0]
collected_artifacts = list(result.collected_artifacts)
self.assertEqual(len(collected_artifacts), 2)
self.assertEqual(collected_artifacts[0].name, "TestCmdArtifact")
self.assertEqual(collected_artifacts[1].name, "TestCmdArtifact")
execute_response_1 = list(
collected_artifacts[0].action_results)[0].value
execute_response_2 = list(
collected_artifacts[1].action_results)[0].value
self.assertGreater(execute_response_1.time_used, 0)
self.assertGreater(execute_response_2.time_used, 0)
def _ExtendArtifact(knowledge_base, use_tsk, max_file_size,
processed_artifacts, art_obj):
"""Extend artifact by adding information needed for their collection.
Args:
knowledge_base: containing information about the client
use_tsk: parameter from the ArtifactCollectorFlowArgs
max_file_size: parameter from the ArtifactCollectorFlowArgs
processed_artifacts: artifacts that are in the final extended artifact
art_obj: rdf value artifact
Returns:
rdf value representation of extended artifact containing the name of the
artifact and the extended sources
"""
source_type = rdf_artifacts.ArtifactSource.SourceType
ext_art = rdf_artifacts.ExtendedArtifact()
ext_art.name = art_obj.name
for source in art_obj.sources:
if MeetsConditions(knowledge_base, source):
ext_source = None
ext_src = rdf_artifacts.ExtendedSource()
ext_src.base_source = source
type_name = source.type
if type_name == source_type.FILE:
ext_src.path_type = _GetPathType(use_tsk)
ext_src.max_bytesize = max_file_size
elif type_name in (source_type.DIRECTORY, source_type.GREP,
source_type.REGISTRY_KEY):
ext_src.path_type = _GetPathType(use_tsk)
elif type_name in (source_type.ARTIFACT_GROUP,
source_type.ARTIFACT_FILES):
extended_sources = []
artifact_list = []
if "names" in source.attributes:
artifact_list = source.attributes["names"]
elif "artifact_list" in source.attributes:
artifact_list = source.attributes["artifact_list"]
for artifact_name in artifact_list:
if artifact_name in processed_artifacts:
continue
artifact_obj = artifact_registry.REGISTRY.GetArtifact(
artifact_name)
extended_artifact = _ExtendArtifact(
knowledge_base, use_tsk, max_file_size,
processed_artifacts, artifact_obj)
extended_sources.extend(extended_artifact.sources)
ext_source = extended_sources
if ext_source is None:
ext_source = [ext_src]
ext_art.sources.Extend(ext_source)
processed_artifacts.add(art_obj.name)
return ext_art
def testGRRClientActionArtifact(self, registry):
"""Test the GetHostname action."""
registry.AddFileSource(self.test_artifacts_file)
artifact = registry.GetArtifact("TestOSAgnostic")
ext_src = rdf_artifact.ExtendedSource(base_source=list(artifact.sources)[0])
ext_art = rdf_artifact.ExtendedArtifact(
name=artifact.name, sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art], apply_parsers=False)
result = self.RunAction(artifact_collector.ArtifactCollector, request)[0]
collected_artifact = list(result.collected_artifacts)[0]
hostname = list(collected_artifact.action_results)[0].value
self.assertEqual(collected_artifact.name, "TestOSAgnostic")
self.assertTrue(hostname.string)
def testCommandArtifact(self, registry):
"""Test the basic ExecuteCommand action."""
client_test_lib.Command("/usr/bin/dpkg", args=["--list"], system="Linux")
registry.AddFileSource(self.test_artifacts_file)
artifact = registry.GetArtifact("TestCmdArtifact")
ext_src = rdf_artifact.ExtendedSource(base_source=list(artifact.sources)[0])
ext_art = rdf_artifact.ExtendedArtifact(
name=artifact.name, sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art], apply_parsers=False)
result = self.RunAction(artifact_collector.ArtifactCollector, request)[0]
collected_artifact = list(result.collected_artifacts)[0]
execute_response = list(collected_artifact.action_results)[0].value
self.assertEqual(collected_artifact.name, "TestCmdArtifact")
self.assertTrue(execute_response.time_used > 0)
def testFakeFileArtifactAction(self):
file_path = os.path.join(self.base_path, "numbers.txt")
source = rdf_artifact.ArtifactSource(
type=rdf_artifact.ArtifactSource.SourceType.FILE,
attributes={"paths": [file_path]})
ext_src = rdf_artifact.ExtendedSource(base_source=source)
ext_art = rdf_artifact.ExtendedArtifact(
name="FakeFileArtifact", sources=[ext_src])
request = rdf_artifact.ClientArtifactCollectorArgs(
artifacts=[ext_art],
knowledge_base=None,
ignore_interpolation_errors=True,
apply_parsers=True)
result = self.RunAction(artifact_collector.ArtifactCollector, request)[0]
self.assertEqual(len(result.collected_artifacts[0].action_results), 1)
res = result.collected_artifacts[0].action_results[0].value
self.assertIsInstance(res, rdf_protodict.AttributedDict)
self.assertEqual(len(res.users), 1000)
self.assertEqual(res.filename, file_path)
