From bca6e5f26fc25e50fbf97af075458e6210fb5d40 Mon Sep 17 00:00:00 2001
From: Martin SK
Date: Tue, 13 Aug 2024 22:23:56 +0300
Subject: [PATCH] updated validation results
---
 regipy_tests/validation/plugin_validation.md | 99 +++++++++++---------
 regipy_tests/validation/plugin_validation.py | 3 +-
 regipy_tests/validation/validation.py | 2 +
 3 files changed, 60 insertions(+), 44 deletions(-)
diff --git a/regipy_tests/validation/plugin_validation.md b/regipy_tests/validation/plugin_validation.md
index cf92ad6..1b36a2d 100644
--- a/regipy_tests/validation/plugin_validation.md
+++ b/regipy_tests/validation/plugin_validation.md
@@ -3,51 +3,64 @@
 ## Plugins with validation
-| plugin_name | plugin_class_name | test_case_name | success |
-|-------------------------------|---------------------------------|-----------------------------------------------|-----------|
-| amcache | AmCachePlugin | AmCachePluginValidationCase | True |
-| background_activity_moderator | BAMPlugin | BamValidationCase | True |
-| boot_entry_list | BootEntryListPlugin | BootEntryListPluginValidationCase | True |
-| bootkey | BootKeyPlugin | BootKeyPluginValidationCase | True |
-| computer_name | ComputerNamePlugin | ComputerNamePluginValidationCase | True |
-| domain_sid | DomainSidPlugin | DomainSidPluginValidationCase | True |
-| host_domain_name | HostDomainNamePlugin | HostDomainNamePluginValidationCase | True |
-| installed_programs_software | InstalledProgramsSoftwarePlugin | InstalledProgramsSoftwarePluginValidationCase | True |
-| last_logon_plugin | LastLogonPlugin | LastLogonPluginValidationCase | True |
-| local_sid | LocalSidPlugin | LocalSidPluginValidationCase | True |
-| network_data | NetworkDataPlugin | NetworkDataPluginValidationCase | True |
-| network_drives_plugin | NetworkDrivesPlugin | NetworkDrivesPluginValidationCase | True |
-| ntuser_classes_installer | NtuserClassesInstallerPlugin | NtuserClassesInstallerPluginValidationCase | True |
-| ntuser_persistence | NTUserPersistencePlugin | NTUserPersistenceValidationCase | True |
-| ntuser_shellbag_plugin | ShellBagNtuserPlugin | ShellBagNtuserPluginValidationCase | True |
-| print_demon_plugin | PrintDemonPlugin | PrintDemonPluginValidationCase | True |
-| profilelist_plugin | ProfileListPlugin | ProfileListPluginValidationCase | True |
-| ras_tracing | RASTracingPlugin | RASTracingPluginValidationCase | True |
-| services | ServicesPlugin | ServicesPluginValidationCase | True |
-| shimcache | ShimCachePlugin | AmCacheValidationCase | True |
-| software_classes_installer | SoftwareClassesInstallerPlugin | SoftwareClassesInstallerPluginValidationCase | True |
-| software_plugin | SoftwarePersistencePlugin | SoftwarePersistenceValidationCase | True |
-| typed_paths | TypedPathsPlugin | TypedPathsPluginValidationCase | True |
-| typed_urls | TypedUrlsPlugin | TypedUrlsPluginValidationCase | True |
-| uac_plugin | UACStatusPlugin | UACStatusPluginValidationCase | True |
-| usbstor_plugin | USBSTORPlugin | USBSTORPluginValidationCase | True |
-| user_assist | UserAssistPlugin | NTUserUserAssistValidationCase | True |
-| usrclass_shellbag_plugin | ShellBagUsrclassPlugin | ShellBagUsrclassPluginValidationCase | True |
-| wdigest | WDIGESTPlugin | WDIGESTPluginValidationCase | True |
-| winrar_plugin | WinRARPlugin | WinRARPluginValidationCase | True |
-| winscp_saved_sessions | WinSCPSavedSessionsPlugin | WinSCPSavedSessionsPluginValidationCase | True |
-| word_wheel_query | WordWheelQueryPlugin | WordWheelQueryPluginValidationCase | True |
+| plugin_name | plugin_description | plugin_class_name | test_case_name | success |
+|-------------------------------|-----------------------------------------------------------------------------------|---------------------------------|-----------------------------------------------|-----------|
+| active_control_set | Get information on SYSTEM hive control sets | ActiveControlSetPlugin | ActiveControlSetPluginValidationCase | True |
+| amcache | Parse Amcache | AmCachePlugin | AmCachePluginValidationCase | True |
+| background_activity_moderator | Get the computer name | BAMPlugin | BamValidationCase | True |
+| boot_entry_list | List the Windows BCD boot entries | BootEntryListPlugin | BootEntryListPluginValidationCase | True |
+| bootkey | Get the Windows boot key | BootKeyPlugin | BootKeyPluginValidationCase | True |
+| computer_name | Get the computer name | ComputerNamePlugin | ComputerNamePluginValidationCase | True |
+| domain_sid | Get the machine domain name and SID | DomainSidPlugin | DomainSidPluginValidationCase | True |
+| host_domain_name | Get the computer host and domain names | HostDomainNamePlugin | HostDomainNamePluginValidationCase | True |
+| installed_programs_software | Retrieve list of installed programs and their install date from the SOFTWARE Hive | InstalledProgramsSoftwarePlugin | InstalledProgramsSoftwarePluginValidationCase | True |
+| last_logon_plugin | Get the last logged on username | LastLogonPlugin | LastLogonPluginValidationCase | True |
+| local_sid | Get the machine local SID | LocalSidPlugin | LocalSidPluginValidationCase | True |
+| network_data | Get network data from many interfaces | NetworkDataPlugin | NetworkDataPluginValidationCase | True |
+| network_drives_plugin | Parse the user's mapped network drives | NetworkDrivesPlugin | NetworkDrivesPluginValidationCase | True |
+| ntuser_classes_installer | List of installed software from NTUSER hive | NtuserClassesInstallerPlugin | NtuserClassesInstallerPluginValidationCase | True |
+| ntuser_persistence | Retrieve values from known persistence subkeys in NTUSER hive | NTUserPersistencePlugin | NTUserPersistenceValidationCase | True |
+| ntuser_shellbag_plugin | Parse NTUSER Shellbag items | ShellBagNtuserPlugin | ShellBagNtuserPluginValidationCase | True |
+| print_demon_plugin | Get list of installed printer ports, as could be taken advantage by cve-2020-1048 | PrintDemonPlugin | PrintDemonPluginValidationCase | True |
+| profilelist_plugin | Parses information about user profiles found in the ProfileList key | ProfileListPlugin | ProfileListPluginValidationCase | True |
+| ras_tracing | Retrieve list of executables using ras | RASTracingPlugin | RASTracingPluginValidationCase | True |
+| services | Enumerate the services in the SYSTEM hive | ServicesPlugin | ServicesPluginValidationCase | True |
+| shimcache | Parse Shimcache artifact | ShimCachePlugin | AmCacheValidationCase | True |
+| software_classes_installer | List of installed software from SOFTWARE hive | SoftwareClassesInstallerPlugin | SoftwareClassesInstallerPluginValidationCase | True |
+| software_plugin | Retrieve values from known persistence subkeys in Software hive | SoftwarePersistencePlugin | SoftwarePersistenceValidationCase | True |
+| typed_paths | Retrieve the typed Paths from the history | TypedPathsPlugin | TypedPathsPluginValidationCase | True |
+| typed_urls | Retrieve the typed URLs from IE history | TypedUrlsPlugin | TypedUrlsPluginValidationCase | True |
+| uac_plugin | Get the status of User Access Control | UACStatusPlugin | UACStatusPluginValidationCase | True |
+| usbstor_plugin | Parse the connected USB devices history | USBSTORPlugin | USBSTORPluginValidationCase | True |
+| user_assist | Parse User Assist artifact | UserAssistPlugin | NTUserUserAssistValidationCase | True |
+| usrclass_shellbag_plugin | Parse USRCLASS Shellbag items | ShellBagUsrclassPlugin | ShellBagUsrclassPluginValidationCase | True |
+| wdigest | Get WDIGEST configuration | WDIGESTPlugin | WDIGESTPluginValidationCase | True |
+| winrar_plugin | Parse the WinRAR archive history | WinRARPlugin | WinRARPluginValidationCase | True |
+| winscp_saved_sessions | Retrieve list of WinSCP saved sessions | WinSCPSavedSessionsPlugin | WinSCPSavedSessionsPluginValidationCase | True |
+| word_wheel_query | Parse the word wheel query artifact | WordWheelQueryPlugin | WordWheelQueryPluginValidationCase | True |
 ## Plugins without validation
 **Please note that in the future, this check will be enforced for all plugins**
-| plugin_name | plugin_class_name | test_case_name | success |
-|------------------------------|-------------------------------|------------------|-----------|
-| active_control_set | ActiveControlSetPlugin | | False |
-| image_file_execution_options | ImageFileExecutionOptions | | False |
-| installed_programs_ntuser | InstalledProgramsNTUserPlugin | | False |
-| routes | RoutesPlugin | | False |
-| safeboot_configuration | SafeBootConfigurationPlugin | | False |
-| terminal_services_history | TSClientPlugin | | False |
-| timezone_data | TimezoneDataPlugin | | False |
+| plugin_name | plugin_description | plugin_class_name | test_case_name | success |
+|------------------------------|------------------------------------------------------------------------------------------|-------------------------------|------------------|-----------|
+| backuprestore_plugin | Gets the contents of the FilesNotToSnapshot, KeysNotToRestore, and FilesNotToBackup keys | BackupRestorePlugin | | False |
+| codepage | Get codepage value | CodepagePlugin | | False |
+| crash_dump | Get crash control information | CrashDumpPlugin | | False |
+| diag_sr | Get Diag\SystemRestore values and data | DiagSRPlugin | | False |
+| disable_last_access | Get NTFSDisableLastAccessUpdate value | DisableLastAccessPlugin | | False |
+| disablesr_plugin | Gets the value that turns System Restore either on or off | DisableSRPlugin | | False |
+| image_file_execution_options | Retrieve image file execution options - a persistence method | ImageFileExecutionOptions | | False |
+| installed_programs_ntuser | Retrieve list of installed programs and their install date from the NTUSER Hive | InstalledProgramsNTUserPlugin | | False |
+| previous_winver_plugin | Get previous relevant OS information | PreviousWinVersionPlugin | | False |
+| processor_architecture | Get processor architecture info from the System's environment key | ProcessorArchitecturePlugin | | False |
+| routes | Get list of routes | RoutesPlugin | | False |
+| safeboot_configuration | Get safeboot configuration | SafeBootConfigurationPlugin | | False |
+| shutdown | Get shutdown data | ShutdownPlugin | | False |
+| spp_clients_plugin | Determines volumes monitored by VSS | SppClientsPlugin | | False |
+| susclient_plugin | Extracts SusClient* info, including HDD SN | SusclientPlugin | | False |
+| terminal_services_history | Retrieve history of RDP connections | TSClientPlugin | | False |
+| timezone_data | Get timezone data | TimezoneDataPlugin | | False |
+| timezone_data2 | Get timezone data | TimezoneDataPlugin2 | | False |
+| winver_plugin | Get relevant OS information | WinVersionPlugin | | False |
\ No newline at end of file
diff --git a/regipy_tests/validation/plugin_validation.py b/regipy_tests/validation/plugin_validation.py
index 3311997..be2a292 100644
--- a/regipy_tests/validation/plugin_validation.py
+++ b/regipy_tests/validation/plugin_validation.py
@@ -87,7 +87,7 @@ def main():
 # TODO: Move this to Click, understand how we can skip installation in setup.py, as the tests are not part of the package.
 # Possibly we should need to creae an additional regipy-tests package
 # which will be installed during the validation step in github/workflows/python-package.yml
- if len(sys.argv[1]) == 2:
+ if len(sys.argv) == 2:
 plugin_name = sys.argv[1]
 if plugin_name in validation_cases.keys():
 print(f"Running validation for plugin {plugin_name}")
@@ -149,6 +149,7 @@ def main():
 asdict(
 ValidationResult(
 plugin_name=p.NAME,
+ plugin_description=p.DESCRIPTION,
 plugin_class_name=p.__name__,
 test_case_name=None,
 success=False,
diff --git a/regipy_tests/validation/validation.py b/regipy_tests/validation/validation.py
index d714c3f..32f2bb1 100644
--- a/regipy_tests/validation/validation.py
+++ b/regipy_tests/validation/validation.py
@@ -11,6 +11,7 @@
 @dataclass
 class ValidationResult:
 plugin_name: str
+ plugin_description: Optional[str]
 plugin_class_name: str
 test_case_name: Optional[str]
 success: bool
@@ -85,6 +86,7 @@ def validate(self):
 print(f"\tValidation passed for {self.plugin.NAME}")
 return ValidationResult(
 plugin_name=self.plugin.NAME,
+ plugin_description=self.plugin.DESCRIPTION,
 plugin_class_name=self.plugin.__name__,
 test_case_name=self.__class__.__name__,
 success=True,
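Review bot: In the second plugin_validation.py hunk, `plugin_description=p.DESCRIPTION,` reads the class attribute unconditionally, so a plugin class that does not define DESCRIPTION would raise AttributeError and abort the whole "plugins without validation" report, even though ValidationResult declares the field as Optional[str]; unless the Plugin base class is known to supply a default, `plugin_description=getattr(p, "DESCRIPTION", None),` keeps one plugin from failing the run, and the same applies to `plugin_description=self.plugin.DESCRIPTION,` in the validate() hunk of validation.py. In the first hunk, `if len(sys.argv) == 2:` does fix the IndexError the old `sys.argv[1]` lookup raised when the script was run with no argument, but any argument count above two presumably falls through to the run-everything path silently; the else branch is outside the hunk, so it is worth confirming and rejecting extra arguments explicitly there. Both hunks sit inside main(), which starts and ends outside the hunks.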
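Review bot: In the first validation.py hunk, `plugin_description: Optional[str]` is inserted as a required field in the middle of the ValidationResult dataclass, which shifts the positional order of every field after it and makes the new field mandatory for every constructor call, including any results produced by code not touched by this patch. The callers visible here use keyword arguments, but a field that is typed Optional and only meaningful when a plugin exposes a description reads more naturally as a trailing default, `plugin_description: Optional[str] = None`, placed after the last non-default field; the dataclass body continues past `success: bool` outside the hunk, so the right position is not visible here. The ValidationResult class and the validate() method both extend beyond their hunks.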