  def testLoginFailed(self):
    """Tests the login_failed tagging rule.

    The rule matches data_type 'windows:evtx:record' with source_name
    'Microsoft-Windows-Security-Auditing' and event_identifier 4625. The
    two conditions are falsified one at a time (wrong source, then wrong
    identifier) so the label is only expected once both hold.
    """
    event = events.EventObject()
    event.timestamp = self._TEST_TIMESTAMP
    event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

    def _CheckTagging(event_data, expected_labels):
      # Tags the event once and checks both the tag count and the labels.
      storage_writer = self._TagEvent(event, event_data)
      self.assertEqual(
          storage_writer.number_of_event_tags, len(expected_labels))
      self._CheckLabels(storage_writer, expected_labels)

    # Right identifier, wrong source: no tag.
    event_data = winevtx.WinEvtxRecordEventData()
    event_data.event_identifier = 4625
    event_data.source_name = 'bogus'
    _CheckTagging(event_data, [])

    # Right source, wrong identifier: no tag.
    event_data.event_identifier = 1
    event_data.source_name = 'Microsoft-Windows-Security-Auditing'
    _CheckTagging(event_data, [])

    # Both conditions hold: tagged as login_failed.
    event_data.event_identifier = 4625
    _CheckTagging(event_data, ['login_failed'])
  def testApplicationUpdate(self):
    """Tests the application_update tagging rule.

    The rule matches data_type 'windows:evtx:record' with source_name
    'Microsoft-Windows-Application-Experience' and event_identifier 905.
    Source and identifier are each falsified on their own before the
    matching combination is checked.
    """
    event = events.EventObject()
    event.timestamp = self._TEST_TIMESTAMP
    event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

    def _CheckTagging(event_data, expected_labels):
      # Tags the event once and checks both the tag count and the labels.
      storage_writer = self._TagEvent(event, event_data)
      self.assertEqual(
          storage_writer.number_of_event_tags, len(expected_labels))
      self._CheckLabels(storage_writer, expected_labels)

    # Right identifier, wrong source: no tag.
    event_data = winevtx.WinEvtxRecordEventData()
    event_data.event_identifier = 905
    event_data.source_name = 'bogus'
    _CheckTagging(event_data, [])

    # Right source, wrong identifier: no tag.
    event_data.event_identifier = 1
    event_data.source_name = 'Microsoft-Windows-Application-Experience'
    _CheckTagging(event_data, [])

    # Both conditions hold: tagged as application_update.
    event_data.event_identifier = 905
    _CheckTagging(event_data, ['application_update'])
  def testLogoff(self):
    """Tests the logoff tagging rule.

    Every branch of the rule is a Windows event log record identified by
    its source_name and one or more event identifiers. For each branch the
    conditions are falsified one at a time (wrong source, then wrong
    identifier) before every matching identifier is checked to produce the
    'logoff' label.
    """
    event = events.EventObject()
    event.timestamp = self._TEST_TIMESTAMP
    event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

    def _CheckTagging(event_data, expected_labels):
      # Tags the event once and checks both the tag count and the labels.
      storage_writer = self._TagEvent(event, event_data)
      self.assertEqual(
          storage_writer.number_of_event_tags, len(expected_labels))
      self._CheckLabels(storage_writer, expected_labels)

    # (event data class, source_name, matching identifiers) per rule branch.
    # Each identifier in the tuple is expected to match on its own.
    cases = (
        (winevt.WinEvtRecordEventData, 'Security', (538,)),
        (winevtx.WinEvtxRecordEventData,
         'Microsoft-Windows-Security-Auditing', (4634,)),
        (winevtx.WinEvtxRecordEventData,
         'Microsoft-Windows-TerminalServices-LocalSessionManager', (23, 1103)),
        (winevtx.WinEvtxRecordEventData,
         'Microsoft-Windows-User Profiles Service', (4,)),
        (winevtx.WinEvtxRecordEventData, 'Microsoft-Windows-Winlogon',
         (7002,)))

    for event_data_class, source_name, identifiers in cases:
      # Right identifier, wrong source: no tag.
      event_data = event_data_class()
      event_data.event_identifier = identifiers[0]
      event_data.source_name = 'bogus'
      _CheckTagging(event_data, [])

      # Right source, wrong identifier: no tag.
      event_data.event_identifier = 1
      event_data.source_name = source_name
      _CheckTagging(event_data, [])

      # Every listed identifier with the right source is tagged as logoff.
      for identifier in identifiers:
        event_data.event_identifier = identifier
        _CheckTagging(event_data, ['logoff'])
  def testApplicationExecution(self):
    """Tests the application_execution tagging rule.

    Exercises each rule branch covered by this test: the fs:stat
    'Windows/Tasks/At' path match, the EVT/EVTX event log records selected
    by source_name and event_identifier, the 'user mode service' /
    'demand start' string pair, LNK files under 'Recent' that point at an
    .exe, prefetch and appcompatcache records, MRU list and UserAssist
    entries naming an .exe, and scheduled task job files.
    """
    event = events.EventObject()
    event.timestamp = self._TEST_TIMESTAMP
    event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

    def _CheckTagging(event_data, expected_labels):
      # Tags the event once and checks both the tag count and the labels.
      storage_writer = self._TagEvent(event, event_data)
      self.assertEqual(
          storage_writer.number_of_event_tags, len(expected_labels))
      self._CheckLabels(storage_writer, expected_labels)

    # Branch: data_type is 'fs:stat' AND filename contains 'Windows/Tasks/At'.
    event_data = filestat.FileStatEventData()
    event_data.filename = 'bogus'
    _CheckTagging(event_data, [])

    event_data.filename = 'C:/Windows/Tasks/At/bogus.job'
    _CheckTagging(event_data, ['application_execution'])

    # Branches: Windows event log records selected by source_name and
    # event_identifier (EVT 'Security' 592 and EVTX
    # 'Microsoft-Windows-Security-Auditing' 4688).
    record_cases = (
        (winevt.WinEvtRecordEventData, 'Security', 592),
        (winevtx.WinEvtxRecordEventData,
         'Microsoft-Windows-Security-Auditing', 4688))
    for event_data_class, source_name, identifier in record_cases:
      # Right identifier, wrong source: no tag.
      event_data = event_data_class()
      event_data.event_identifier = identifier
      event_data.source_name = 'bogus'
      _CheckTagging(event_data, [])

      # Right source, wrong identifier: no tag.
      event_data.event_identifier = 1
      event_data.source_name = source_name
      _CheckTagging(event_data, [])

      # Both conditions hold.
      event_data.event_identifier = identifier
      _CheckTagging(event_data, ['application_execution'])

    # Branch: EVTX record whose strings contain both 'user mode service' and
    # 'demand start'; only one of the two is not enough.
    event_data = winevtx.WinEvtxRecordEventData()
    event_data.strings = ['user mode service']
    _CheckTagging(event_data, [])

    event_data.strings = ['user mode service', 'demand start']
    _CheckTagging(event_data, ['application_execution'])

    # Branch: LNK file whose filename contains 'Recent' and whose local,
    # network or relative path contains '.exe'.
    event_data = winlnk.WinLnkLinkEventData()
    event_data.filename = 'bogus'
    event_data.local_path = 'file.exe'
    _CheckTagging(event_data, [])

    event_data.filename = 'Recent'
    event_data.local_path = 'file.txt'
    _CheckTagging(event_data, [])

    event_data.local_path = 'file.exe'
    _CheckTagging(event_data, ['application_execution'])

    # Each path attribute is sufficient on its own, so the previous one is
    # cleared before the next is set.
    event_data.local_path = None
    event_data.network_path = 'file.exe'
    _CheckTagging(event_data, ['application_execution'])

    event_data.network_path = None
    event_data.relative_path = 'file.exe'
    _CheckTagging(event_data, ['application_execution'])

    # Branches matched on data_type alone: 'windows:prefetch:execution' and
    # 'windows:registry:appcompatcache'.
    _CheckTagging(
        winprefetch.WinPrefetchExecutionEventData(), ['application_execution'])
    _CheckTagging(
        appcompatcache.AppCompatCacheEventData(), ['application_execution'])

    # Branches: 'windows:registry:mrulist' and 'windows:registry:mrulistex'
    # with entries containing '.exe'.
    mru_cases = (
        (mrulist.MRUListEventData,
         'Index: 0 [MRU Value a]: file.txt',
         'Index: 0 [MRU Value a]: file.exe'),
        (mrulistex.MRUListExEventData,
         'Index: 0 [MRU Value 1]: file.txt',
         'Index: 0 [MRU Value 1]: file.exe'))
    for event_data_class, non_matching_entries, matching_entries in mru_cases:
      event_data = event_data_class()
      event_data.entries = non_matching_entries

      # Set timestamp to 0 otherwise document_open rule triggers.
      event.timestamp = 0
      _CheckTagging(event_data, [])

      event.timestamp = self._TEST_TIMESTAMP
      event_data.entries = matching_entries
      _CheckTagging(event_data, ['application_execution'])

    # Branch: 'windows:registry:userassist' with value_name containing '.exe'.
    event_data = userassist.UserAssistWindowsRegistryEventData()
    event_data.value_name = 'file.txt'
    _CheckTagging(event_data, [])

    event_data.value_name = 'file.exe'
    _CheckTagging(event_data, ['application_execution'])

    # Branch: data_type is 'windows:tasks:job'.
    _CheckTagging(winjob.WinJobEventData(), ['application_execution'])