def testLoginFailed(self):
  """Tests the login_failed tagging rule.

  Rule under test: data_type is 'windows:evtx:record' AND
  source_name is 'Microsoft-Windows-Security-Auditing' AND
  event_identifier is 4625.

  The two negative cases establish that neither the identifier with an
  unknown source, nor the expected source with an unrelated identifier,
  is enough to tag the event; only the full conjunction is.
  """
  event = events.EventObject()
  event.timestamp = self._TEST_TIMESTAMP
  event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

  event_data = winevtx.WinEvtxRecordEventData()

  # (event_identifier, source_name) pairs that must NOT be tagged.
  negative_cases = [
      (4625, 'bogus'),
      (1, 'Microsoft-Windows-Security-Auditing')]
  for event_identifier, source_name in negative_cases:
    event_data.event_identifier = event_identifier
    event_data.source_name = source_name
    storage_writer = self._TagEvent(event, event_data)
    self.assertEqual(storage_writer.number_of_event_tags, 0)
    self._CheckLabels(storage_writer, [])

  # The source name is still the audited one here; restoring the identifier
  # completes the conjunction and must yield exactly one label.
  event_data.event_identifier = 4625
  storage_writer = self._TagEvent(event, event_data)
  self.assertEqual(storage_writer.number_of_event_tags, 1)
  self._CheckLabels(storage_writer, ['login_failed'])
def testApplicationUpdate(self):
  """Tests the application_update tagging rule.

  Rule under test: data_type is 'windows:evtx:record' AND
  source_name is 'Microsoft-Windows-Application-Experience' AND
  event_identifier is 905.

  The two negative cases establish that neither the identifier with an
  unknown source, nor the expected source with an unrelated identifier,
  is enough to tag the event; only the full conjunction is.
  """
  event = events.EventObject()
  event.timestamp = self._TEST_TIMESTAMP
  event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

  event_data = winevtx.WinEvtxRecordEventData()

  # (event_identifier, source_name) pairs that must NOT be tagged.
  negative_cases = [
      (905, 'bogus'),
      (1, 'Microsoft-Windows-Application-Experience')]
  for event_identifier, source_name in negative_cases:
    event_data.event_identifier = event_identifier
    event_data.source_name = source_name
    storage_writer = self._TagEvent(event, event_data)
    self.assertEqual(storage_writer.number_of_event_tags, 0)
    self._CheckLabels(storage_writer, [])

  # The source name is still the expected one here; restoring the identifier
  # completes the conjunction and must yield exactly one label.
  event_data.event_identifier = 905
  storage_writer = self._TagEvent(event, event_data)
  self.assertEqual(storage_writer.number_of_event_tags, 1)
  self._CheckLabels(storage_writer, ['application_update'])
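def testLogoff(self):
  """Tests the logoff tagging rule.

  The rule has five Windows Event Log variants, each keyed on a source name
  and one or more event identifiers. Every variant is checked with two
  negative cases, proving that neither the identifier nor the source name
  alone is enough to tag the event, followed by the positive case(s) which
  must yield exactly one label.
  """
  event = events.EventObject()
  event.timestamp = self._TEST_TIMESTAMP
  event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

  def _AssertLabels(event_data, expected_labels):
    """Tags event_data and checks exactly the expected labels were applied.

    Args:
      event_data (EventData): event data to tag together with event.
      expected_labels (list[str]): labels the tagging rules must produce.
    """
    storage_writer = self._TagEvent(event, event_data)
    self.assertEqual(
        storage_writer.number_of_event_tags, len(expected_labels))
    self._CheckLabels(storage_writer, expected_labels)

  def _CheckEventLogRule(event_data_class, source_name, event_identifiers):
    """Checks one source_name AND event_identifier variant of the rule.

    Args:
      event_data_class (type): Windows Event Log event data class.
      source_name (str): source name the rule expects.
      event_identifiers (list[int]): event identifiers the rule accepts.
    """
    event_data = event_data_class()

    # Accepted identifier but unknown source: the rule must not fire.
    event_data.event_identifier = event_identifiers[0]
    event_data.source_name = 'bogus'
    _AssertLabels(event_data, [])

    # Expected source but an unrelated identifier: the rule must not fire.
    event_data.event_identifier = 1
    event_data.source_name = source_name
    _AssertLabels(event_data, [])

    # Every accepted identifier with the expected source yields the label.
    for event_identifier in event_identifiers:
      event_data.event_identifier = event_identifier
      _AssertLabels(event_data, ['logoff'])

  # Test: data_type is 'windows:evt:record' AND source_name is 'Security' AND
  # event_identifier is 538
  _CheckEventLogRule(winevt.WinEvtRecordEventData, 'Security', [538])

  # Test: data_type is 'windows:evtx:record' AND
  # source_name is 'Microsoft-Windows-Security-Auditing' AND
  # event_identifier is 4634
  _CheckEventLogRule(
      winevtx.WinEvtxRecordEventData,
      'Microsoft-Windows-Security-Auditing', [4634])

  # Test: data_type is 'windows:evtx:record' AND source_name is
  # 'Microsoft-Windows-TerminalServices-LocalSessionManager' AND
  # (event_identifier is 23 OR event_identifier is 1103)
  _CheckEventLogRule(
      winevtx.WinEvtxRecordEventData,
      'Microsoft-Windows-TerminalServices-LocalSessionManager', [23, 1103])

  # Test: data_type is 'windows:evtx:record' AND
  # source_name is 'Microsoft-Windows-User Profiles Service' AND
  # event_identifier is 4
  _CheckEventLogRule(
      winevtx.WinEvtxRecordEventData,
      'Microsoft-Windows-User Profiles Service', [4])

  # Test: data_type is 'windows:evtx:record' AND
  # source_name is 'Microsoft-Windows-Winlogon' AND
  # event_identifier is 7002
  _CheckEventLogRule(
      winevtx.WinEvtxRecordEventData, 'Microsoft-Windows-Winlogon', [7002])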
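def testApplicationExecution(self):
  """Tests the application_execution tagging rule.

  The rule has many variants spanning file system stat events, Windows Event
  Log records, shortcut (LNK) files, prefetch, AppCompatCache, MRU lists,
  UserAssist and scheduled task jobs. Each variant is checked with a negative
  case (where the rule has a condition that can fail) and a positive case;
  every positive case must yield exactly one label.
  """
  event = events.EventObject()
  event.timestamp = self._TEST_TIMESTAMP
  event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

  def _AssertLabels(event_data, expected_labels):
    """Tags event_data and checks exactly the expected labels were applied.

    Args:
      event_data (EventData): event data to tag together with event.
      expected_labels (list[str]): labels the tagging rules must produce.
    """
    storage_writer = self._TagEvent(event, event_data)
    self.assertEqual(
        storage_writer.number_of_event_tags, len(expected_labels))
    self._CheckLabels(storage_writer, expected_labels)

  def _CheckEventLogRule(event_data_class, source_name, event_identifier):
    """Checks one source_name AND event_identifier variant of the rule.

    Args:
      event_data_class (type): Windows Event Log event data class.
      source_name (str): source name the rule expects.
      event_identifier (int): event identifier the rule expects.
    """
    event_data = event_data_class()

    # Expected identifier but unknown source: the rule must not fire.
    event_data.event_identifier = event_identifier
    event_data.source_name = 'bogus'
    _AssertLabels(event_data, [])

    # Expected source but an unrelated identifier: the rule must not fire.
    event_data.event_identifier = 1
    event_data.source_name = source_name
    _AssertLabels(event_data, [])

    # Both conditions hold: exactly the application_execution label.
    event_data.event_identifier = event_identifier
    _AssertLabels(event_data, ['application_execution'])

  # Test: data_type is 'fs:stat' AND filename contains 'Windows/Tasks/At'
  event_data = filestat.FileStatEventData()
  event_data.filename = 'bogus'
  _AssertLabels(event_data, [])

  event_data.filename = 'C:/Windows/Tasks/At/bogus.job'
  _AssertLabels(event_data, ['application_execution'])

  # Test: data_type is 'windows:evt:record' AND source_name is 'Security' AND
  # event_identifier is 592
  _CheckEventLogRule(winevt.WinEvtRecordEventData, 'Security', 592)

  # Test: data_type is 'windows:evtx:record' AND
  # source_name is 'Microsoft-Windows-Security-Auditing' AND
  # event_identifier is 4688
  _CheckEventLogRule(
      winevtx.WinEvtxRecordEventData,
      'Microsoft-Windows-Security-Auditing', 4688)

  # Test: data_type is 'windows:evtx:record' AND
  # strings contains 'user mode service' AND
  # strings contains 'demand start'
  event_data = winevtx.WinEvtxRecordEventData()
  event_data.strings = ['user mode service']
  _AssertLabels(event_data, [])

  event_data.strings = ['user mode service', 'demand start']
  _AssertLabels(event_data, ['application_execution'])

  # Test: data_type is 'windows:lnk:link' AND
  # filename contains 'Recent' AND (local_path contains '.exe' OR
  # network_path contains '.exe' OR relative_path contains '.exe')
  event_data = winlnk.WinLnkLinkEventData()
  event_data.filename = 'bogus'
  event_data.local_path = 'file.exe'
  _AssertLabels(event_data, [])

  event_data.filename = 'Recent'
  event_data.local_path = 'file.txt'
  _AssertLabels(event_data, [])

  # Each of the three path attributes is sufficient on its own, so the
  # previous one is cleared before the next is set.
  event_data.local_path = 'file.exe'
  _AssertLabels(event_data, ['application_execution'])

  event_data.local_path = None
  event_data.network_path = 'file.exe'
  _AssertLabels(event_data, ['application_execution'])

  event_data.network_path = None
  event_data.relative_path = 'file.exe'
  _AssertLabels(event_data, ['application_execution'])

  # Test: data_type is 'windows:prefetch:execution'
  _AssertLabels(
      winprefetch.WinPrefetchExecutionEventData(), ['application_execution'])

  # Test: data_type is 'windows:registry:appcompatcache'
  _AssertLabels(
      appcompatcache.AppCompatCacheEventData(), ['application_execution'])

  # Test: data_type is 'windows:registry:mrulist' AND
  # entries contains '.exe'
  event_data = mrulist.MRUListEventData()
  event_data.entries = 'Index: 0 [MRU Value a]: file.txt'
  # Set timestamp to 0 otherwise document_open rule triggers.
  event.timestamp = 0
  _AssertLabels(event_data, [])

  event.timestamp = self._TEST_TIMESTAMP
  event_data.entries = 'Index: 0 [MRU Value a]: file.exe'
  _AssertLabels(event_data, ['application_execution'])

  # Test: data_type is 'windows:registry:mrulistex' AND
  # entries contains '.exe'
  event_data = mrulistex.MRUListExEventData()
  event_data.entries = 'Index: 0 [MRU Value 1]: file.txt'
  # Set timestamp to 0 otherwise document_open rule triggers.
  event.timestamp = 0
  _AssertLabels(event_data, [])

  event.timestamp = self._TEST_TIMESTAMP
  event_data.entries = 'Index: 0 [MRU Value 1]: file.exe'
  _AssertLabels(event_data, ['application_execution'])

  # Test: data_type is 'windows:registry:userassist' AND
  # value_name contains '.exe'
  event_data = userassist.UserAssistWindowsRegistryEventData()
  event_data.value_name = 'file.txt'
  _AssertLabels(event_data, [])

  event_data.value_name = 'file.exe'
  _AssertLabels(event_data, ['application_execution'])

  # Test: data_type is 'windows:tasks:job'
  _AssertLabels(winjob.WinJobEventData(), ['application_execution'])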