def testProcess(self):
  """Tests the Process function.

  Parses the Users key of the test SAM hive with the SAM users plugin and
  checks that 7 events and no errors are produced. The first two events
  are then verified in detail: the key written-time event, which carries
  the raw registry values (RID 500, login count 6, username Administrator),
  and the last-login event for the same account, including the long and
  short message strings each one formats.
  """
  key_path = 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users'
  test_file_entry = self._GetTestFileEntry(['SAM'])
  win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
  users_key = win_registry.GetKeyByPath(key_path)

  plugin = sam_users.SAMUsersWindowsRegistryPlugin()
  storage_writer = self._ParseKeyWithPlugin(
      users_key, plugin, file_entry=test_file_entry)

  self.assertEqual(storage_writer.number_of_errors, 0)
  self.assertEqual(storage_writer.number_of_events, 7)

  events = list(storage_writer.GetEvents())

  # Event 0: the key's last-written time, with the registry values attached.
  written_event = events[0]
  self.CheckTimestamp(written_event.timestamp, '2014-09-24 03:36:06.358837')
  self.assertEqual(
      written_event.timestamp_desc, definitions.TIME_DESCRIPTION_WRITTEN)

  for value_name, expected_value in (
      ('account_rid', 500),
      ('login_count', 6),
      ('username', 'Administrator')):
    self._TestRegvalue(written_event, value_name, expected_value)

  expected_message = (
      '[{0:s}] '
      'account_rid: 500 '
      'comments: Built-in account for administering the computer/domain '
      'login_count: 6 '
      'username: Administrator').format(key_path)
  # The short message is the long one truncated to 77 characters plus '...'.
  expected_short_message = '{0:s}...'.format(expected_message[:77])
  self._TestGetMessageStrings(
      written_event, expected_message, expected_short_message)

  # Event 1: SAMUsersWindowsRegistryEvent, the account's last login time,
  # exposing the account values as event attributes.
  last_login_event = events[1]
  self.CheckTimestamp(
      last_login_event.timestamp, '2010-11-20 21:48:12.569244')
  self.assertEqual(
      last_login_event.timestamp_desc,
      definitions.TIME_DESCRIPTION_LAST_LOGIN)
  self.assertEqual(last_login_event.account_rid, 500)
  self.assertEqual(last_login_event.login_count, 6)
  self.assertEqual(last_login_event.username, 'Administrator')

  expected_message = (
      '[{0:s}] '
      'Username: Administrator '
      'Comments: Built-in account for administering the computer/domain '
      'RID: 500 '
      'Login count: 6').format(key_path)
  expected_short_message = 'Administrator RID: 500 Login count: 6'
  self._TestGetMessageStrings(
      last_login_event, expected_message, expected_short_message)
def testFilters(self):
  """Tests the FILTERS class attribute.

  The plugin must filter on the SAM Users key path and must not filter on
  an unrelated key under HKEY_LOCAL_MACHINE.
  """
  users_key_path = 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users'
  bogus_key_path = 'HKEY_LOCAL_MACHINE\\Bogus'

  plugin = sam_users.SAMUsersWindowsRegistryPlugin()
  self._AssertFiltersOnKeyPath(plugin, users_key_path)
  self._AssertNotFiltersOnKeyPath(plugin, bogus_key_path)
def testProcess(self):
  """Tests the Process function.

  Parses the Users key of the test SAM hive with the SAM users plugin and
  checks that 7 events and no extraction or recovery warnings are stored.
  The first two events are then compared against their expected attribute
  values: the key written-time event and the last-login event for the
  RID 500 account, which share every value except the timestamp and its
  description.
  """
  key_path = 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users'
  test_file_entry = self._GetTestFileEntry(['SAM'])
  win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
  registry_key = win_registry.GetKeyByPath(key_path)

  plugin = sam_users.SAMUsersWindowsRegistryPlugin()
  storage_writer = self._ParseKeyWithPlugin(
      registry_key, plugin, file_entry=test_file_entry)

  # Container counts: the events must be there and no warnings raised.
  for container_type, expected_count in (
      ('event', 7),
      ('extraction_warning', 0),
      ('recovery_warning', 0)):
    number_of_containers = storage_writer.GetNumberOfAttributeContainers(
        container_type)
    self.assertEqual(number_of_containers, expected_count)

  events = list(storage_writer.GetEvents())

  # Values shared by both checked events; only the time fields differ.
  common_event_values = {
      'account_rid': 500,
      'comments': 'Built-in account for administering the computer/domain',
      'data_type': 'windows:registry:sam_users',
      'login_count': 6,
      'username': '******'}

  # Event 0: the key's last-written time.
  written_event_values = dict(
      common_event_values,
      date_time='2014-09-24 03:36:06.3588374',
      timestamp_desc=definitions.TIME_DESCRIPTION_WRITTEN)
  self.CheckEventValues(storage_writer, events[0], written_event_values)

  # Event 1: SAMUsersWindowsRegistryEvent, the account's last login time.
  last_login_event_values = dict(
      common_event_values,
      date_time='2010-11-20 21:48:12.5692440',
      timestamp_desc=definitions.TIME_DESCRIPTION_LAST_LOGIN)
  self.CheckEventValues(storage_writer, events[1], last_login_event_values)
def testProcess(self):
  """Tests the Process function.

  Parses the Users key of the test SAM hive with the SAM users plugin and
  checks that 7 events are written. The first two events are then verified
  in detail: the key written-time event, which carries the raw registry
  values (RID 500, login count 6, username Administrator), and the
  last-login event for the same account, including the long and short
  message strings each one formats.
  """
  key_path = u'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users'
  test_file_entry = self._GetTestFileEntry([u'SAM'])
  win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
  registry_key = win_registry.GetKeyByPath(key_path)

  plugin_object = sam_users.SAMUsersWindowsRegistryPlugin()
  storage_writer = self._ParseKeyWithPlugin(
      registry_key, plugin_object, file_entry=test_file_entry)
  self.assertEqual(len(storage_writer.events), 7)

  # Event 0: the key's last-written time, with the registry values attached.
  written_event = storage_writer.events[0]
  for value_name, expected_value in (
      (u'account_rid', 500),
      (u'login_count', 6),
      (u'username', u'Administrator')):
    self._TestRegvalue(written_event, value_name, expected_value)

  written_timestamp = timelib.Timestamp.CopyFromString(
      u'2014-09-24 03:36:06.358837')
  self.assertEqual(written_event.timestamp, written_timestamp)
  self.assertEqual(
      written_event.timestamp_desc, eventdata.EventTimestamp.WRITTEN_TIME)

  expected_message = (
      u'[{0:s}] '
      u'account_rid: 500 '
      u'comments: Built-in account for administering the computer/domain '
      u'login_count: 6 '
      u'username: Administrator').format(key_path)
  # The short message is the long one truncated to 77 characters plus '...'.
  expected_short_message = u'{0:s}...'.format(expected_message[:77])
  self._TestGetMessageStrings(
      written_event, expected_message, expected_short_message)

  # Event 1: SAMUsersWindowsRegistryEvent, the account's last login time,
  # exposing the account values as event attributes.
  last_login_event = storage_writer.events[1]
  self.assertEqual(last_login_event.account_rid, 500)
  self.assertEqual(last_login_event.login_count, 6)
  self.assertEqual(last_login_event.username, u'Administrator')

  last_login_timestamp = timelib.Timestamp.CopyFromString(
      u'2010-11-20 21:48:12.569244')
  self.assertEqual(last_login_event.timestamp, last_login_timestamp)
  self.assertEqual(
      last_login_event.timestamp_desc,
      eventdata.EventTimestamp.LAST_LOGIN_TIME)

  expected_message = (
      u'[{0:s}] '
      u'Username: Administrator '
      u'Comments: Built-in account for administering the computer/domain '
      u'RID: 500 '
      u'Login count: 6').format(key_path)
  expected_short_message = u'Administrator RID: 500 Login count: 6'
  self._TestGetMessageStrings(
      last_login_event, expected_message, expected_short_message)
def setUp(self):
  """Makes preparations before running an individual test.

  Creates a fresh SAM users plugin instance as self._plugin so each test
  starts from plugin state untouched by the other tests.
  """
  plugin_class = sam_users.SAMUsersWindowsRegistryPlugin
  self._plugin = plugin_class()