    def testRuleAutorun(self):
        """Tests the autorun tagging rule.

        The rule under test matches a file stat event (data_type 'fs:stat')
        whose timestamp_desc is 'HFS_DETECT crtime' and whose filename
        contains both 'LaunchAgents/' and '.plist'. The first case is the
        negative control (a .plist under 'LaunchDaemons/' must stay untagged),
        the second one is the positive match.

        NOTE(review): LaunchDaemons/ is also a macOS persistence location; the
        rule as exercised here leaves it untagged on purpose - confirm that
        gap is intended rather than an oversight in the tagging file.
        """
        event = events.EventObject()
        event.timestamp = self._TEST_TIMESTAMP
        event.timestamp_desc = 'HFS_DETECT crtime'

        # (filename, expected number of event tags, expected labels)
        cases = [
            ('/LaunchDaemons/test.plist', 0, []),
            ('/LaunchAgents/test.plist', 1, ['autorun'])]

        for filename, expected_number_of_tags, expected_labels in cases:
            event_data = filestat.FileStatEventData()
            event_data.filename = filename

            storage_writer = self._TagEvent(event, event_data, None)

            self.assertEqual(
                storage_writer.number_of_event_tags, expected_number_of_tags)
            self._CheckLabels(storage_writer, expected_labels)
  def testRuleAutorun(self):
    """Tests the autorun tagging rule.

    The rule under test matches a file stat event (data_type 'fs:stat') with
    the creation time description whose filename contains the 'LaunchAgents'
    path component and '.plist'. A .plist under 'LaunchDaemons' is the
    negative control and must not be tagged; the 'LaunchAgents' one must
    receive exactly the 'autorun' label.

    NOTE(review): LaunchDaemons is also a macOS persistence location; this
    test pins it as untagged - confirm that is the intended scope of the rule.
    """
    event = events.EventObject()
    event.timestamp = self._TEST_TIMESTAMP
    event.timestamp_desc = definitions.TIME_DESCRIPTION_CREATION

    # (filename, expected labels)
    cases = [
        ('/LaunchDaemons/test.plist', []),
        ('/LaunchAgents/test.plist', ['autorun'])]

    for filename, expected_labels in cases:
      event_data = filestat.FileStatEventData()
      event_data.filename = filename
      event_data.parser = 'filestat'

      storage_writer = self._TagEvent(event, event_data, None)

      self._CheckLabels(storage_writer, expected_labels)
  def testRuleFileDownload(self):
    """Tests the file_download tagging rule.

    A Chrome history file downloaded event and a macOS LSQuarantine event are
    expected to be tagged even though the shared event carries the unknown
    timestamp description. A plain file stat event is expected to be tagged
    only once its timestamp_desc is the file downloaded description.
    """
    event = events.EventObject()
    event.timestamp = self._TEST_TIMESTAMP
    event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

    def _AssertLabels(event_data, expected_labels):
      """Tags event_data and checks exactly the expected labels were applied.

      Args:
        event_data (EventData): event data tagged together with the shared
            event.
        expected_labels (list[str]): labels the rule must have applied; the
            number of event tags must equal the number of labels.
      """
      storage_writer = self._TagEvent(event, event_data)

      self.assertEqual(
          storage_writer.number_of_event_tags, len(expected_labels))
      self._CheckLabels(storage_writer, expected_labels)

    # Tagged regardless of the (unknown) timestamp description.
    _AssertLabels(
        chrome.ChromeHistoryFileDownloadedEventData(), ['file_download'])
    _AssertLabels(ls_quarantine.LsQuarantineEventData(), ['file_download'])

    # A file stat event is only a download once timestamp_desc says so.
    event_data = filestat.FileStatEventData()
    _AssertLabels(event_data, [])

    event.timestamp_desc = definitions.TIME_DESCRIPTION_FILE_DOWNLOADED
    _AssertLabels(event_data, ['file_download'])
    def testRuleFileDownload(self):
        """Tests the file_download tagging rule.

        The first two alternatives of the rule key on data_type alone
        ('chrome:history:file_downloaded' and 'macosx:lsquarantine'), so the
        shared helper is driven with an empty attribute map. The third
        alternative keys on timestamp_desc being 'File Downloaded' and is
        exercised on a file stat event whose description is flipped from
        unknown to file downloaded.
        """
        # Test: data_type is 'chrome:history:file_downloaded' and
        #       data_type is 'macosx:lsquarantine'
        for event_data_class in (
                chrome.ChromeHistoryFileDownloadedEventData,
                ls_quarantine.LsQuarantineEventData):
            self._CheckTaggingRule(event_data_class, {}, ['file_download'])

        # Test: timestamp_desc is 'File Downloaded'
        event = events.EventObject()
        event.timestamp = self._TEST_TIMESTAMP

        event_data = filestat.FileStatEventData()

        # (timestamp description, expected number of tags, expected labels)
        cases = [
            (definitions.TIME_DESCRIPTION_UNKNOWN, 0, []),
            (definitions.TIME_DESCRIPTION_FILE_DOWNLOADED, 1,
             ['file_download'])]

        for timestamp_desc, expected_number_of_tags, expected_labels in cases:
            event.timestamp_desc = timestamp_desc

            storage_writer = self._TagEvent(event, event_data, None)

            self.assertEqual(
                storage_writer.number_of_event_tags, expected_number_of_tags)
            self._CheckLabels(storage_writer, expected_labels)
  def testApplicationExecution(self):
    """Tests the application_execution tagging rule.

    Each alternative of the rule is exercised with at least one negative case
    (the attributes almost match) followed by the positive case, so a rule
    that silently widened to match on a single attribute would be caught.
    The same event object is shared across all cases; only its timestamp is
    changed, and only around the MRU list cases.
    """
    event = events.EventObject()
    event.timestamp = self._TEST_TIMESTAMP
    event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

    def _AssertTagged(event_data, tagged):
      """Tags event_data and checks whether application_execution was applied.

      Args:
        event_data (EventData): event data tagged together with the shared
            event.
        tagged (bool): True if exactly one 'application_execution' label is
            expected, False if no label at all is expected.
      """
      expected_labels = ['application_execution'] if tagged else []

      storage_writer = self._TagEvent(event, event_data)

      self.assertEqual(
          storage_writer.number_of_event_tags, len(expected_labels))
      self._CheckLabels(storage_writer, expected_labels)

    # Test: data_type is 'fs:stat' AND filename contains 'Windows/Tasks/At'
    event_data = filestat.FileStatEventData()
    event_data.filename = 'bogus'
    _AssertTagged(event_data, False)

    event_data.filename = 'C:/Windows/Tasks/At/bogus.job'
    _AssertTagged(event_data, True)

    # Test: data_type is 'windows:evt:record' AND source_name is 'Security' AND
    #       event_identifier is 592
    # Both the source and the identifier must match: a matching identifier
    # with a bogus source, and a matching source with a bogus identifier, are
    # each pinned as untagged (592 is the classic process creation audit
    # event).
    event_data = winevt.WinEvtRecordEventData()
    event_data.event_identifier = 592
    event_data.source_name = 'bogus'
    _AssertTagged(event_data, False)

    event_data.event_identifier = 1
    event_data.source_name = 'Security'
    _AssertTagged(event_data, False)

    event_data.event_identifier = 592
    _AssertTagged(event_data, True)

    # Test: data_type is 'windows:evtx:record' AND
    #       source_name is 'Microsoft-Windows-Security-Auditing' AND
    #       event_identifier is 4688
    # Same shape as above for the modern Security log (4688 is the process
    # creation audit event).
    event_data = winevtx.WinEvtxRecordEventData()
    event_data.event_identifier = 4688
    event_data.source_name = 'bogus'
    _AssertTagged(event_data, False)

    event_data.event_identifier = 1
    event_data.source_name = 'Microsoft-Windows-Security-Auditing'
    _AssertTagged(event_data, False)

    event_data.event_identifier = 4688
    _AssertTagged(event_data, True)

    # Test: data_type is 'windows:evtx:record' AND
    #       strings contains 'user mode service' AND
    #       strings contains 'demand start'
    # One of the two strings alone is not enough.
    event_data = winevtx.WinEvtxRecordEventData()
    event_data.strings = ['user mode service']
    _AssertTagged(event_data, False)

    event_data.strings = ['user mode service', 'demand start']
    _AssertTagged(event_data, True)

    # Test: data_type is 'windows:lnk:link' AND
    #       filename contains 'Recent' AND (local_path contains '.exe' OR
    #       network_path contains '.exe' OR relative_path contains '.exe')
    event_data = winlnk.WinLnkLinkEventData()
    event_data.filename = 'bogus'
    event_data.local_path = 'file.exe'
    _AssertTagged(event_data, False)

    event_data.filename = 'Recent'
    event_data.local_path = 'file.txt'
    _AssertTagged(event_data, False)

    # Any one of the three path attributes carrying '.exe' is sufficient;
    # the previously set one is cleared before the next is tried.
    event_data.local_path = 'file.exe'
    _AssertTagged(event_data, True)

    event_data.local_path = None
    event_data.network_path = 'file.exe'
    _AssertTagged(event_data, True)

    event_data.network_path = None
    event_data.relative_path = 'file.exe'
    _AssertTagged(event_data, True)

    # Test: data_type is 'windows:prefetch:execution'
    _AssertTagged(winprefetch.WinPrefetchExecutionEventData(), True)

    # Test: data_type is 'windows:registry:appcompatcache'
    _AssertTagged(appcompatcache.AppCompatCacheEventData(), True)

    # Test: data_type is 'windows:registry:mrulist' AND
    #       entries contains '.exe'
    event_data = mrulist.MRUListEventData()
    event_data.entries = 'Index: 0 [MRU Value a]: file.txt'

    # Set timestamp to 0 otherwise document_open rule triggers.
    event.timestamp = 0
    _AssertTagged(event_data, False)

    event.timestamp = self._TEST_TIMESTAMP
    event_data.entries = 'Index: 0 [MRU Value a]: file.exe'
    _AssertTagged(event_data, True)

    # Test: data_type is 'windows:registry:mrulistex' AND
    #       entries contains '.exe'
    event_data = mrulistex.MRUListExEventData()
    event_data.entries = 'Index: 0 [MRU Value 1]: file.txt'

    # Set timestamp to 0 otherwise document_open rule triggers.
    event.timestamp = 0
    _AssertTagged(event_data, False)

    event.timestamp = self._TEST_TIMESTAMP
    event_data.entries = 'Index: 0 [MRU Value 1]: file.exe'
    _AssertTagged(event_data, True)

    # Test: data_type is 'windows:registry:userassist' AND
    #       value_name contains '.exe'
    event_data = userassist.UserAssistWindowsRegistryEventData()
    event_data.value_name = 'file.txt'
    _AssertTagged(event_data, False)

    event_data.value_name = 'file.exe'
    _AssertTagged(event_data, True)

    # Test: data_type is 'windows:tasks:job'
    _AssertTagged(winjob.WinJobEventData(), True)