def testDocumentOpen(self):
"""Tests the document_open tagging rule."""
# Test: data_type is 'windows:registry:bagmru'
attribute_values_per_name = {}
self._CheckTaggingRule(bagmru.BagMRUEventData,
attribute_values_per_name, ['document_open'])
# Test: data_type is 'windows:registry:mrulist' AND
# entries not contains '.exe' AND timestamp > DATETIME(0)
event = events.EventObject()
event.timestamp = self._TEST_TIMESTAMP
event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN
event_data = mrulist.MRUListEventData()
event_data.entries = 'Index: 0 [MRU Value a]: file.txt'
event_data.parser = 'winreg/mrulist'
event.timestamp = 0
storage_writer = self._TagEvent(event, event_data, None)
self._CheckLabels(storage_writer, [])
event.timestamp = self._TEST_TIMESTAMP
storage_writer = self._TagEvent(event, event_data, None)
self._CheckLabels(storage_writer, ['document_open'])
# Test: data_type is 'windows:registry:mrulistex' AND
# entries not contains '.exe' AND timestamp > DATETIME(0)
event = events.EventObject()
event.timestamp = self._TEST_TIMESTAMP
event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN
event_data = mrulistex.MRUListExEventData()
event_data.entries = 'Index: 0 [MRU Value 1]: file.txt'
event_data.parser = 'winreg/mrulistex'
event.timestamp = 0
storage_writer = self._TagEvent(event, event_data, None)
self._CheckLabels(storage_writer, [])
event.timestamp = self._TEST_TIMESTAMP
storage_writer = self._TagEvent(event, event_data, None)
self._CheckLabels(storage_writer, ['document_open'])
# Test: data_type is 'windows:registry:office_mru'
attribute_values_per_name = {}
self._CheckTaggingRule(officemru.OfficeMRUWindowsRegistryEventData,
attribute_values_per_name, ['document_open'])
# Test: data_type is 'windows:registry:office_mru_list'
attribute_values_per_name = {}
self._CheckTaggingRule(officemru.OfficeMRUListWindowsRegistryEventData,
attribute_values_per_name, ['document_open'])
def testApplicationExecution(self):
"""Tests the application_execution tagging rule."""
event = events.EventObject()
event.timestamp = self._TEST_TIMESTAMP
event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN
# Test: data_type is 'fs:stat' AND filename contains 'Windows/Tasks/At'
event_data = filestat.FileStatEventData()
event_data.filename = 'bogus'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event_data.filename = 'C:/Windows/Tasks/At/bogus.job'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['application_execution'])
# Test: data_type is 'windows:evt:record' AND source_name is 'Security' AND
# event_identifier is 592
event_data = winevt.WinEvtRecordEventData()
event_data.event_identifier = 592
event_data.source_name = 'bogus'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event_data.event_identifier = 1
event_data.source_name = 'Security'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event_data.event_identifier = 592
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['application_execution'])
# Test: data_type is 'windows:evtx:record' AND
# source_name is 'Microsoft-Windows-Security-Auditing' AND
# event_identifier is 4688
event_data = winevtx.WinEvtxRecordEventData()
event_data.event_identifier = 4688
event_data.source_name = 'bogus'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event_data.event_identifier = 1
event_data.source_name = 'Microsoft-Windows-Security-Auditing'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event_data.event_identifier = 4688
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['application_execution'])
# Test: data_type is 'windows:evtx:record' AND
# strings contains 'user mode service' AND
# strings contains 'demand start'
event_data = winevtx.WinEvtxRecordEventData()
event_data.strings = ['user mode service']
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event_data.strings = ['user mode service', 'demand start']
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['application_execution'])
# Test: data_type is 'windows:lnk:link' AND
# filename contains 'Recent' AND (local_path contains '.exe' OR
# network_path contains '.exe' OR relative_path contains '.exe')
event_data = winlnk.WinLnkLinkEventData()
event_data.filename = 'bogus'
event_data.local_path = 'file.exe'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event_data.filename = 'Recent'
event_data.local_path = 'file.txt'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event_data.local_path = 'file.exe'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['application_execution'])
event_data.local_path = None
event_data.network_path = 'file.exe'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['application_execution'])
event_data.network_path = None
event_data.relative_path = 'file.exe'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['application_execution'])
# Test: data_type is 'windows:prefetch:execution'
event_data = winprefetch.WinPrefetchExecutionEventData()
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['application_execution'])
# Test: data_type is 'windows:registry:appcompatcache'
event_data = appcompatcache.AppCompatCacheEventData()
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['application_execution'])
# Test: data_type is 'windows:registry:mrulist' AND
# entries contains '.exe'
event_data = mrulist.MRUListEventData()
event_data.entries = 'Index: 0 [MRU Value a]: file.txt'
# Set timestamp to 0 otherwise document_open rule triggers.
event.timestamp = 0
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event.timestamp = self._TEST_TIMESTAMP
event_data.entries = 'Index: 0 [MRU Value a]: file.exe'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['application_execution'])
# Test: data_type is 'windows:registry:mrulistex' AND
# entries contains '.exe'
event_data = mrulistex.MRUListExEventData()
event_data.entries = 'Index: 0 [MRU Value 1]: file.txt'
# Set timestamp to 0 otherwise document_open rule triggers.
event.timestamp = 0
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event.timestamp = self._TEST_TIMESTAMP
event_data.entries = 'Index: 0 [MRU Value 1]: file.exe'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['application_execution'])
# Test: data_type is 'windows:registry:userassist' AND
# value_name contains '.exe'
event_data = userassist.UserAssistWindowsRegistryEventData()
event_data.value_name = 'file.txt'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event_data.value_name = 'file.exe'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['application_execution'])
# Test: data_type is 'windows:tasks:job'
event_data = winjob.WinJobEventData()
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['application_execution'])
def testDocumentOpen(self):
"""Tests the document_open tagging rule."""
event = events.EventObject()
event.timestamp = self._TEST_TIMESTAMP
event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN
# Test: data_type is 'windows:registry:bagmru'
event_data = bagmru.BagMRUEventData()
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['document_open'])
# Test: data_type is 'windows:registry:mrulist' AND
# entries not contains '.exe' AND timestamp > 0
event_data = mrulist.MRUListEventData()
event_data.entries = 'Index: 0 [MRU Value a]: file.txt'
event.timestamp = 0
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event.timestamp = self._TEST_TIMESTAMP
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['document_open'])
# Test: data_type is 'windows:registry:mrulistex' AND
# entries not contains '.exe' AND timestamp > 0
event_data = mrulistex.MRUListExEventData()
event_data.entries = 'Index: 0 [MRU Value 1]: file.txt'
event.timestamp = 0
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event.timestamp = self._TEST_TIMESTAMP
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['document_open'])
# Test: data_type is 'windows:registry:office_mru'
event_data = officemru.OfficeMRUWindowsRegistryEventData()
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['document_open'])
# Test: data_type is 'windows:registry:office_mru_list'
event_data = officemru.OfficeMRUListWindowsRegistryEventData()
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['document_open'])
def testApplicationExecution(self):
"""Tests the application_execution tagging rule."""
# Test: data_type is 'fs:stat' AND
# filename contains PATH('Windows/Tasks/At')
attribute_values_per_name = {
'filename': ['C:/Windows/Tasks/At/bogus.job']}
self._CheckTaggingRule(
filestat.FileStatEventData, attribute_values_per_name,
['application_execution'])
# Test: data_type is 'windows:evt:record' AND source_name is 'Security' AND
# event_identifier is 592
attribute_values_per_name = {
'event_identifier': [592],
'source_name': ['Security']}
self._CheckTaggingRule(
winevt.WinEvtRecordEventData, attribute_values_per_name,
['application_execution'])
# Test: data_type is 'windows:evtx:record' AND
# source_name is 'Microsoft-Windows-Security-Auditing' AND
# event_identifier is 4688
attribute_values_per_name = {
'event_identifier': [4688],
'source_name': ['Microsoft-Windows-Security-Auditing']}
self._CheckTaggingRule(
winevtx.WinEvtxRecordEventData, attribute_values_per_name,
['application_execution'])
# Test: data_type is 'windows:evtx:record' AND
# strings contains 'user mode service' AND
# strings contains 'demand start'
attribute_values_per_name = {
'strings': [['user mode service', 'demand start']]}
self._CheckTaggingRule(
winevtx.WinEvtxRecordEventData, attribute_values_per_name,
['application_execution'])
# Test: data_type is 'windows:lnk:link' AND
# filename contains 'Recent' AND (local_path contains '.exe' OR
# network_path contains '.exe' OR relative_path contains '.exe')
attribute_values_per_name = {
'filename': ['Recent'],
'local_path': ['file.exe']}
self._CheckTaggingRule(
winlnk.WinLnkLinkEventData, attribute_values_per_name,
['application_execution'])
attribute_values_per_name = {
'filename': ['Recent'],
'network_path': ['file.exe']}
self._CheckTaggingRule(
winlnk.WinLnkLinkEventData, attribute_values_per_name,
['application_execution'])
attribute_values_per_name = {
'filename': ['Recent'],
'relative_path': ['file.exe']}
self._CheckTaggingRule(
winlnk.WinLnkLinkEventData, attribute_values_per_name,
['application_execution'])
# Test: data_type is 'windows:prefetch:execution'
attribute_values_per_name = {}
self._CheckTaggingRule(
winprefetch.WinPrefetchExecutionEventData, attribute_values_per_name,
['application_execution'])
# Test: data_type is 'windows:registry:appcompatcache'
attribute_values_per_name = {}
self._CheckTaggingRule(
appcompatcache.AppCompatCacheEventData, attribute_values_per_name,
['application_execution'])
# Test: data_type is 'windows:registry:mrulist' AND
# entries contains '.exe'
event = events.EventObject()
event.timestamp = self._TEST_TIMESTAMP
event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN
event_data = mrulist.MRUListEventData()
event_data.entries = 'Index: 0 [MRU Value a]: file.txt'
# Set timestamp to 0 otherwise document_open rule triggers.
event.timestamp = 0
storage_writer = self._TagEvent(event, event_data, None)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event.timestamp = self._TEST_TIMESTAMP
event_data.entries = 'Index: 0 [MRU Value a]: file.exe'
storage_writer = self._TagEvent(event, event_data, None)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['application_execution'])
# Test: data_type is 'windows:registry:mrulistex' AND
# entries contains '.exe'
event_data = mrulistex.MRUListExEventData()
event_data.entries = 'Index: 0 [MRU Value 1]: file.txt'
# Set timestamp to 0 otherwise document_open rule triggers.
event.timestamp = 0
storage_writer = self._TagEvent(event, event_data, None)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event.timestamp = self._TEST_TIMESTAMP
event_data.entries = 'Index: 0 [MRU Value 1]: file.exe'
storage_writer = self._TagEvent(event, event_data, None)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['application_execution'])
# Test: data_type is 'windows:registry:userassist' AND
# value_name contains '.exe'
attribute_values_per_name = {
'value_name': ['file.exe']}
self._CheckTaggingRule(
userassist.UserAssistWindowsRegistryEventData,
attribute_values_per_name, ['application_execution'])
# Test: data_type is 'windows:tasks:job'
attribute_values_per_name = {}
self._CheckTaggingRule(
winjob.WinJobEventData, attribute_values_per_name,
['application_execution'])