def testRegexMatchConditionWithDifferentActions(self): expected_files = ["auth.log"] non_expected_files = ["dpkg.log", "dpkg_false.log"] regex_condition = file_finder.FileFinderCondition( condition_type=( file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH), contents_regex_match=file_finder.FileFinderContentsRegexMatchCondition( mode=(file_finder.FileFinderContentsRegexMatchCondition.Mode. ALL_HITS), bytes_before=10, bytes_after=10, regex="session opened for user .*?john")) for action in sorted(file_finder.FileFinderAction.Action.enum_dict.values( )): self.RunFlowAndCheckResults(action=action, conditions=[regex_condition], expected_files=expected_files, non_expected_files=non_expected_files) fd = aff4.FACTORY.Open( self.client_id.Add(self.output_path), aff4_type=collects.RDFValueCollection, token=self.token) self.assertEqual(len(fd), 1) self.assertEqual(len(fd[0].matches), 1) self.assertEqual(fd[0].matches[0].offset, 350) self.assertEqual(fd[0].matches[0].data, "session): session opened for user dearjohn by (uid=0")
def testFindsKeyIfItMatchesRegexMatchCondition(self): value_regex_match = file_finder.FileFinderContentsRegexMatchCondition( bytes_before=10, bytes_after=10, regex="Windows.+\\.exe") self.RunFlow( ["HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*"], [registry.RegistryFinderCondition( condition_type= registry.RegistryFinderCondition.Type.VALUE_REGEX_MATCH, value_regex_match=value_regex_match)]) results = self.GetResults() self.assertEqual(len(results), 1) self.assertEqual(len(results[0].matches), 1) self.assertEqual(results[0].matches[0].offset, 15) self.assertEqual(results[0].matches[0].data, "ramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun") self.assertEqual(results[0].stat_entry.aff4path, "aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/" "Software/Microsoft/Windows/CurrentVersion/Run/Sidebar") self.assertEqual(results[0].stat_entry.pathspec.path, "/HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/" "CurrentVersion/Run/Sidebar") self.assertEqual(results[0].stat_entry.pathspec.pathtype, rdf_paths.PathSpec.PathType.REGISTRY)
def Grep(self, source, pathtype): """Grep files in paths for any matches to content_regex_list. Args: source: artifact source pathtype: pathspec path type When multiple regexes are supplied, combine them into a single regex as an OR match so that we check all regexes at once. """ path_list = self.InterpolateList(source.attributes.get("paths", [])) content_regex_list = self.InterpolateList( source.attributes.get("content_regex_list", [])) regex_condition = file_finder.FileFinderContentsRegexMatchCondition( regex=self._CombineRegex(content_regex_list), bytes_before=0, bytes_after=0, mode="ALL_HITS") file_finder_condition = file_finder.FileFinderCondition( condition_type=( file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH), contents_regex_match=regex_condition) self.CallFlow("FileFinder", paths=path_list, conditions=[file_finder_condition], action=file_finder.FileFinderAction(), pathtype=pathtype, request_data={ "artifact_name": self.current_artifact_name, "source": source.ToPrimitiveDict() }, next_state="ProcessCollected")
def StartRequests(self): """Generate and send the Find requests.""" client = aff4.FACTORY.Open(self.client_id, token=self.token) if self.runner.output is not None: self.runner.output.Set( self.runner.output.Schema.DESCRIPTION("CacheGrep for {0}".format( self.args.data_regex))) usernames = ["%s\\%s" % (u.domain, u.username) for u in self.state.users] usernames = [u.lstrip("\\") for u in usernames] # Strip \\ if no domain. condition = file_finder.FileFinderCondition( condition_type= file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH, contents_regex_match=file_finder.FileFinderContentsRegexMatchCondition( regex=self.args.data_regex, mode= file_finder.FileFinderContentsRegexMatchCondition.Mode.FIRST_HIT)) for path in self.state.all_paths: full_paths = flow_utils.InterpolatePath(path, client, users=usernames) for full_path in full_paths: self.CallFlow( "FileFinder", paths=[os.path.join(full_path, "**5")], pathtype=self.state.args.pathtype, conditions=[condition], action=file_finder.FileFinderAction( action_type=file_finder.FileFinderAction.Action.DOWNLOAD), next_state="HandleResults")
def testRegexMatchConditionWithDifferentActions(self): expected_files = ["auth.log"] non_expected_files = ["dpkg.log", "dpkg_false.log"] regex_condition = file_finder.FileFinderCondition( condition_type=( file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH), contents_regex_match=file_finder.FileFinderContentsRegexMatchCondition( mode=( file_finder.FileFinderContentsRegexMatchCondition.Mode.ALL_HITS ), bytes_before=10, bytes_after=10, regex="session opened for user .*?john")) for action in self.CONDITION_TESTS_ACTIONS: self.RunFlowAndCheckResults( action=action, conditions=[regex_condition], expected_files=expected_files, non_expected_files=non_expected_files) fd = aff4.FACTORY.Open( self.last_session_id.Add(flow_runner.RESULTS_SUFFIX), aff4_type=sequential_collection.GeneralIndexedCollection, token=self.token) self.assertEqual(len(fd), 1) self.assertEqual(len(fd[0].matches), 1) self.assertEqual(fd[0].matches[0].offset, 350) self.assertEqual(fd[0].matches[0].data, "session): session opened for user dearjohn by (uid=0")
def testFindsNothingIfRegexMatchesNothing(self): value_regex_match = file_finder.FileFinderContentsRegexMatchCondition( regex=".*CanNotFindMe.*") self.RunFlow( ["HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*"], [registry.RegistryFinderCondition( condition_type= registry.RegistryFinderCondition.Type.VALUE_REGEX_MATCH, value_regex_match=value_regex_match)]) self.AssertNoResults()
def testMemoryImageRegexMatchConditionWithNoAction(self): regex_condition = memory.MemoryCollectorCondition( condition_type=memory.MemoryCollectorCondition.Type.REGEX_MATCH, regex_match=file_finder.FileFinderContentsRegexMatchCondition( mode=file_finder.FileFinderContentsLiteralMatchCondition.Mode. ALL_HITS, regex="session opened for user .*?john")) self.RunWithNoAction(conditions=[regex_condition]) output = aff4.FACTORY.Open(self.client_id.Add(self.output_path), aff4_type="RDFValueCollection", token=self.token) self.assertEqual(len(output), 1) self.assertEqual(output[0].offset, 350) self.assertEqual(output[0].length, 52) self.assertEqual( output[0].data, "session): session opened for user " "dearjohn by (uid=0")
def testSizeAndRegexConditionsWithDifferentActions(self): files_over_size_limit = ["auth.log"] filtered_files = ["dpkg.log", "dpkg_false.log"] expected_files = [] non_expected_files = files_over_size_limit + filtered_files sizes = [ os.stat(os.path.join(self.fixture_path, f)).st_size for f in files_over_size_limit ] size_condition = file_finder.FileFinderCondition( condition_type=file_finder.FileFinderCondition.Type.SIZE, size=file_finder.FileFinderSizeCondition(max_file_size=min(sizes) - 1)) regex_condition = file_finder.FileFinderCondition( condition_type=( file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH), contents_regex_match=file_finder.FileFinderContentsRegexMatchCondition( mode=( file_finder.FileFinderContentsRegexMatchCondition.Mode.ALL_HITS ), bytes_before=10, bytes_after=10, regex="session opened for user .*?john")) for action in self.CONDITION_TESTS_ACTIONS: self.RunFlowAndCheckResults( action=action, conditions=[size_condition, regex_condition], expected_files=expected_files, non_expected_files=non_expected_files) # Check that order of conditions doesn't influence results for action in self.CONDITION_TESTS_ACTIONS: self.RunFlowAndCheckResults( action=action, conditions=[regex_condition, size_condition], expected_files=expected_files, non_expected_files=non_expected_files)