
updated validation results
Martin SK committed Aug 13, 2024
1 parent d973620 commit bca6e5f
Showing 3 changed files with 60 additions and 44 deletions.
99 changes: 56 additions & 43 deletions regipy_tests/validation/plugin_validation.md
Expand Up @@ -3,51 +3,64 @@

## Plugins with validation

| plugin_name | plugin_class_name | test_case_name | success |
|-------------------------------|---------------------------------|-----------------------------------------------|-----------|
| amcache | AmCachePlugin | AmCachePluginValidationCase | True |
| background_activity_moderator | BAMPlugin | BamValidationCase | True |
| boot_entry_list | BootEntryListPlugin | BootEntryListPluginValidationCase | True |
| bootkey | BootKeyPlugin | BootKeyPluginValidationCase | True |
| computer_name | ComputerNamePlugin | ComputerNamePluginValidationCase | True |
| domain_sid | DomainSidPlugin | DomainSidPluginValidationCase | True |
| host_domain_name | HostDomainNamePlugin | HostDomainNamePluginValidationCase | True |
| installed_programs_software | InstalledProgramsSoftwarePlugin | InstalledProgramsSoftwarePluginValidationCase | True |
| last_logon_plugin | LastLogonPlugin | LastLogonPluginValidationCase | True |
| local_sid | LocalSidPlugin | LocalSidPluginValidationCase | True |
| network_data | NetworkDataPlugin | NetworkDataPluginValidationCase | True |
| network_drives_plugin | NetworkDrivesPlugin | NetworkDrivesPluginValidationCase | True |
| ntuser_classes_installer | NtuserClassesInstallerPlugin | NtuserClassesInstallerPluginValidationCase | True |
| ntuser_persistence | NTUserPersistencePlugin | NTUserPersistenceValidationCase | True |
| ntuser_shellbag_plugin | ShellBagNtuserPlugin | ShellBagNtuserPluginValidationCase | True |
| print_demon_plugin | PrintDemonPlugin | PrintDemonPluginValidationCase | True |
| profilelist_plugin | ProfileListPlugin | ProfileListPluginValidationCase | True |
| ras_tracing | RASTracingPlugin | RASTracingPluginValidationCase | True |
| services | ServicesPlugin | ServicesPluginValidationCase | True |
| shimcache | ShimCachePlugin | AmCacheValidationCase | True |
| software_classes_installer | SoftwareClassesInstallerPlugin | SoftwareClassesInstallerPluginValidationCase | True |
| software_plugin | SoftwarePersistencePlugin | SoftwarePersistenceValidationCase | True |
| typed_paths | TypedPathsPlugin | TypedPathsPluginValidationCase | True |
| typed_urls | TypedUrlsPlugin | TypedUrlsPluginValidationCase | True |
| uac_plugin | UACStatusPlugin | UACStatusPluginValidationCase | True |
| usbstor_plugin | USBSTORPlugin | USBSTORPluginValidationCase | True |
| user_assist | UserAssistPlugin | NTUserUserAssistValidationCase | True |
| usrclass_shellbag_plugin | ShellBagUsrclassPlugin | ShellBagUsrclassPluginValidationCase | True |
| wdigest | WDIGESTPlugin | WDIGESTPluginValidationCase | True |
| winrar_plugin | WinRARPlugin | WinRARPluginValidationCase | True |
| winscp_saved_sessions | WinSCPSavedSessionsPlugin | WinSCPSavedSessionsPluginValidationCase | True |
| word_wheel_query | WordWheelQueryPlugin | WordWheelQueryPluginValidationCase | True |
| plugin_name | plugin_description | plugin_class_name | test_case_name | success |
|-------------------------------|-----------------------------------------------------------------------------------|---------------------------------|-----------------------------------------------|-----------|
| active_control_set | Get information on SYSTEM hive control sets | ActiveControlSetPlugin | ActiveControlSetPluginValidationCase | True |
| amcache | Parse Amcache | AmCachePlugin | AmCachePluginValidationCase | True |
| background_activity_moderator | Get the computer name | BAMPlugin | BamValidationCase | True |
| boot_entry_list | List the Windows BCD boot entries | BootEntryListPlugin | BootEntryListPluginValidationCase | True |
| bootkey | Get the Windows boot key | BootKeyPlugin | BootKeyPluginValidationCase | True |
| computer_name | Get the computer name | ComputerNamePlugin | ComputerNamePluginValidationCase | True |
| domain_sid | Get the machine domain name and SID | DomainSidPlugin | DomainSidPluginValidationCase | True |
| host_domain_name | Get the computer host and domain names | HostDomainNamePlugin | HostDomainNamePluginValidationCase | True |
| installed_programs_software | Retrieve list of installed programs and their install date from the SOFTWARE Hive | InstalledProgramsSoftwarePlugin | InstalledProgramsSoftwarePluginValidationCase | True |
| last_logon_plugin | Get the last logged on username | LastLogonPlugin | LastLogonPluginValidationCase | True |
| local_sid | Get the machine local SID | LocalSidPlugin | LocalSidPluginValidationCase | True |
| network_data | Get network data from many interfaces | NetworkDataPlugin | NetworkDataPluginValidationCase | True |
| network_drives_plugin | Parse the user's mapped network drives | NetworkDrivesPlugin | NetworkDrivesPluginValidationCase | True |
| ntuser_classes_installer | List of installed software from NTUSER hive | NtuserClassesInstallerPlugin | NtuserClassesInstallerPluginValidationCase | True |
| ntuser_persistence | Retrieve values from known persistence subkeys in NTUSER hive | NTUserPersistencePlugin | NTUserPersistenceValidationCase | True |
| ntuser_shellbag_plugin | Parse NTUSER Shellbag items | ShellBagNtuserPlugin | ShellBagNtuserPluginValidationCase | True |
| print_demon_plugin | Get list of installed printer ports, as could be taken advantage by cve-2020-1048 | PrintDemonPlugin | PrintDemonPluginValidationCase | True |
| profilelist_plugin | Parses information about user profiles found in the ProfileList key | ProfileListPlugin | ProfileListPluginValidationCase | True |
| ras_tracing | Retrieve list of executables using ras | RASTracingPlugin | RASTracingPluginValidationCase | True |
| services | Enumerate the services in the SYSTEM hive | ServicesPlugin | ServicesPluginValidationCase | True |
| shimcache | Parse Shimcache artifact | ShimCachePlugin | AmCacheValidationCase | True |
| software_classes_installer | List of installed software from SOFTWARE hive | SoftwareClassesInstallerPlugin | SoftwareClassesInstallerPluginValidationCase | True |
| software_plugin | Retrieve values from known persistence subkeys in Software hive | SoftwarePersistencePlugin | SoftwarePersistenceValidationCase | True |
| typed_paths | Retrieve the typed Paths from the history | TypedPathsPlugin | TypedPathsPluginValidationCase | True |
| typed_urls | Retrieve the typed URLs from IE history | TypedUrlsPlugin | TypedUrlsPluginValidationCase | True |
| uac_plugin | Get the status of User Access Control | UACStatusPlugin | UACStatusPluginValidationCase | True |
| usbstor_plugin | Parse the connected USB devices history | USBSTORPlugin | USBSTORPluginValidationCase | True |
| user_assist | Parse User Assist artifact | UserAssistPlugin | NTUserUserAssistValidationCase | True |
| usrclass_shellbag_plugin | Parse USRCLASS Shellbag items | ShellBagUsrclassPlugin | ShellBagUsrclassPluginValidationCase | True |
| wdigest | Get WDIGEST configuration | WDIGESTPlugin | WDIGESTPluginValidationCase | True |
| winrar_plugin | Parse the WinRAR archive history | WinRARPlugin | WinRARPluginValidationCase | True |
| winscp_saved_sessions | Retrieve list of WinSCP saved sessions | WinSCPSavedSessionsPlugin | WinSCPSavedSessionsPluginValidationCase | True |
| word_wheel_query | Parse the word wheel query artifact | WordWheelQueryPlugin | WordWheelQueryPluginValidationCase | True |

## Plugins without validation
**Please note that in the future, this check will be enforced for all plugins**

| plugin_name | plugin_class_name | test_case_name | success |
|------------------------------|-------------------------------|------------------|-----------|
| active_control_set | ActiveControlSetPlugin | | False |
| image_file_execution_options | ImageFileExecutionOptions | | False |
| installed_programs_ntuser | InstalledProgramsNTUserPlugin | | False |
| routes | RoutesPlugin | | False |
| safeboot_configuration | SafeBootConfigurationPlugin | | False |
| terminal_services_history | TSClientPlugin | | False |
| timezone_data | TimezoneDataPlugin | | False |
| plugin_name | plugin_description | plugin_class_name | test_case_name | success |
|------------------------------|------------------------------------------------------------------------------------------|-------------------------------|------------------|-----------|
| backuprestore_plugin | Gets the contents of the FilesNotToSnapshot, KeysNotToRestore, and FilesNotToBackup keys | BackupRestorePlugin | | False |
| codepage | Get codepage value | CodepagePlugin | | False |
| crash_dump | Get crash control information | CrashDumpPlugin | | False |
| diag_sr | Get Diag\SystemRestore values and data | DiagSRPlugin | | False |
| disable_last_access | Get NTFSDisableLastAccessUpdate value | DisableLastAccessPlugin | | False |
| disablesr_plugin | Gets the value that turns System Restore either on or off | DisableSRPlugin | | False |
| image_file_execution_options | Retrieve image file execution options - a persistence method | ImageFileExecutionOptions | | False |
| installed_programs_ntuser | Retrieve list of installed programs and their install date from the NTUSER Hive | InstalledProgramsNTUserPlugin | | False |
| previous_winver_plugin | Get previous relevant OS information | PreviousWinVersionPlugin | | False |
| processor_architecture | Get processor architecture info from the System's environment key | ProcessorArchitecturePlugin | | False |
| routes | Get list of routes | RoutesPlugin | | False |
| safeboot_configuration | Get safeboot configuration | SafeBootConfigurationPlugin | | False |
| shutdown | Get shutdown data | ShutdownPlugin | | False |
| spp_clients_plugin | Determines volumes monitored by VSS | SppClientsPlugin | | False |
| susclient_plugin | Extracts SusClient* info, including HDD SN | SusclientPlugin | | False |
| terminal_services_history | Retrieve history of RDP connections | TSClientPlugin | | False |
| timezone_data | Get timezone data | TimezoneDataPlugin | | False |
| timezone_data2 | Get timezone data | TimezoneDataPlugin2 | | False |
| winver_plugin | Get relevant OS information | WinVersionPlugin | | False |

3 changes: 2 additions & 1 deletion regipy_tests/validation/plugin_validation.py
Expand Up @@ -87,7 +87,7 @@ def main():
# TODO: Move this to Click, understand how we can skip installation in setup.py, as the tests are not part of the package.
# Possibly we should need to creae an additional regipy-tests package
# which will be installed during the validation step in github/workflows/python-package.yml
if len(sys.argv[1]) == 2:
if len(sys.argv) == 2:
plugin_name = sys.argv[1]
if plugin_name in validation_cases.keys():
print(f"Running validation for plugin {plugin_name}")
Expand Down Expand Up @@ -149,6 +149,7 @@ def main():
asdict(
ValidationResult(
plugin_name=p.NAME,
plugin_description=p.DESCRIPTION,
plugin_class_name=p.__name__,
test_case_name=None,
success=False,
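Review bot: `plugin_description=p.DESCRIPTION,` in the second hunk raises AttributeError for any plugin class that does not define `DESCRIPTION`, which would abort the whole validation run instead of recording that one plugin as unvalidated; since the new dataclass field is `Optional[str]`, `plugin_description=getattr(p, "DESCRIPTION", None),` keeps the run going and records the gap. Whether the plugin base class guarantees a `DESCRIPTION` attribute is not visible here, so this may already be safe in practice. A minor style point in the first hunk: `if plugin_name in validation_cases.keys():` can simply be `if plugin_name in validation_cases:`. `main()` starts before the first hunk and continues past the second, including the branch taken when no plugin name is given.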
2 changes: 2 additions & 0 deletions regipy_tests/validation/validation.py
Expand Up @@ -11,6 +11,7 @@
@dataclass
class ValidationResult:
plugin_name: str
plugin_description: Optional[str]
plugin_class_name: str
test_case_name: Optional[str]
success: bool
Expand Down Expand Up @@ -85,6 +86,7 @@ def validate(self):
print(f"\tValidation passed for {self.plugin.NAME}")
return ValidationResult(
plugin_name=self.plugin.NAME,
plugin_description=self.plugin.DESCRIPTION,
plugin_class_name=self.plugin.__name__,
test_case_name=self.__class__.__name__,
success=True,
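Review bot: `plugin_description: Optional[str]` is inserted as a required field between `plugin_name` and `plugin_class_name`, so every `ValidationResult(...)` construction in the project must now pass it, and any positional caller silently shifts its arguments by one. The two construction sites visible in this commit use keywords, but others — such as the failure path of `validate()`, whose body continues below this hunk — are not visible. Appending it at the end of the field list as `plugin_description: Optional[str] = None` would keep existing constructors valid; a default cannot be attached in the current position because `plugin_class_name` and the later fields have none. The `self.plugin.DESCRIPTION` access in the second hunk would likewise benefit from `getattr(self.plugin, "DESCRIPTION", None)` if the plugin base class does not guarantee the attribute.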
