diff --git a/assemblyline_service_utilities/common/dynamic_service_helper.py b/assemblyline_service_utilities/common/dynamic_service_helper.py
index ccf5941..d46fa89 100644
--- a/assemblyline_service_utilities/common/dynamic_service_helper.py
+++ b/assemblyline_service_utilities/common/dynamic_service_helper.py
@@ -402,6 +402,8 @@ def __init__(
 integrity_level: Optional[str] = None,
 image_hash: Optional[str] = None,
 original_file_name: Optional[str] = None,
+ loaded_modules: Optional[List[str]] = None,
+ services_involved: Optional[List[str]] = None,
 ) -> None:
 """
 This method initializes a process object
@@ -448,6 +450,8 @@ def __init__(
 set_optional_argument(self, "image_hash", image_hash, str)
 set_optional_argument(self, "original_file_name", original_file_name, str)
+ set_optional_argument(self, "loaded_modules", loaded_modules, List[str])
+ set_optional_argument(self, "services_involved", services_involved, List[str])
 def as_primitives(self) -> Dict[str, Any]:
 """
diff --git a/test/test_dynamic_service_helper.py b/test/test_dynamic_service_helper.py
index c6a46a1..0b5ec84 100644
--- a/test/test_dynamic_service_helper.py
+++ b/test/test_dynamic_service_helper.py
@@ -373,9 +373,11 @@ def test_process_as_primitives():
 "pid": None,
 "image": current_image,
 "command_line": None,
+ 'services_involved': None,
 "start_time": "1970-01-01 00:00:01.001",
 "end_time": None,
 "integrity_level": None,
+ 'loaded_modules': None,
 "image_hash": None,
 "original_file_name": None,
 }
@@ -1647,9 +1649,11 @@ def test_add_process():
 "pid": None,
 "image": "C:\\Windows\\System32\\cmd.exe",
 "command_line": None,
+ 'services_involved': None,
 "start_time": "1970-01-01 00:00:00.000",
 "end_time": "9999-12-31 23:59:59.999999",
 "integrity_level": None,
+ 'loaded_modules': None,
 "image_hash": None,
 "original_file_name": None,
 }
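Review bot: The two parameters added to the `__init__` signature in the first hunk, `loaded_modules` and `services_involved`, are not described in the docstring that opens at the end of that hunk ("This method initializes a process object"); the docstring body, where the other parameters are presumably documented, lies outside the hunk. Both are `Optional[List[str]]` defaulting to None, so without a docstring entry a reader cannot tell what one element stands for (a module path? a service name?) or which component fills the list in. Add one entry per parameter in the same style as the existing ones, stating what a single string represents and that the attribute is left as None when the sandbox reports nothing. `__init__` starts before and ends after this hunk.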
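Review bot: In the second hunk of dynamic_service_helper.py, `set_optional_argument` is handed the subscripted generic `List[str]` as the type argument, while every neighbouring call passes a plain runtime class (`str`). If that helper validates with `isinstance` (it is defined outside this hunk, so I cannot confirm), `isinstance(value, List[str])` raises `TypeError: Subscripted generics cannot be used with class and instance checks` the first time a caller supplies an actual list; every test in this commit passes None for both fields, so the failure would only surface in production on real sandbox output. Passing `list` and checking the element type separately avoids that: `set_optional_argument(self, "loaded_modules", loaded_modules, list)` and `set_optional_argument(self, "services_involved", services_involved, list)`, followed by a check that every element is a `str` so downstream consumers of the ontology can rely on the declared shape. `__init__` continues outside the hunk.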
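Review bot: Every expected-output change in this commit pins `'loaded_modules'` and `'services_involved'` to None, so nothing exercises the path where a caller actually supplies a list; this applies to the hunk in test_process_as_primitives, to test_add_process, and to all remaining hunks in test/test_dynamic_service_helper.py and test/test_sysmon_helper.py. One construction in test_process_as_primitives with constructed values such as `loaded_modules=["a.dll"], services_involved=["svc"]` and an assertion that `as_primitives()` returns them unchanged would cover the new attributes end to end. As a matter of style, the new keys use single quotes and appear in a different position and order in each dict, whereas the surrounding entries are double-quoted and ordered consistently; matching the existing quoting and placing both keys next to each other keeps these large literals readable.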
@@ -1834,9 +1838,11 @@ def test_set_parent_details():
 "pid": None,
 "image": "blah",
 "command_line": None,
+ 'services_involved': None,
 "start_time": "1970-01-01 00:00:04.000",
 "end_time": "9999-12-31 23:59:59.999999",
 "integrity_level": None,
+ 'loaded_modules': None,
 "image_hash": None,
 "original_file_name": None,
 }
@@ -1880,9 +1886,11 @@ def test_set_parent_details():
 "pid": None,
 "image": "blah",
 "command_line": None,
+ 'services_involved': None,
 "start_time": "1970-01-01 00:00:03.000",
 "end_time": "9999-12-31 23:59:59.999999",
 "integrity_level": None,
+ 'loaded_modules': None,
 "image_hash": None,
 "original_file_name": None,
 }
@@ -1963,9 +1971,11 @@ def test_set_child_details():
 "pid": 1,
 "image": "blah.exe",
 "command_line": None,
+ 'services_involved': None,
 "start_time": "1970-01-01 00:00:02.000",
 "end_time": "1970-01-01 00:00:03.000",
 "integrity_level": None,
+ 'loaded_modules': None,
 "image_hash": None,
 "original_file_name": None,
 }
@@ -1996,9 +2006,11 @@ def test_set_child_details():
 "pid": 3,
 "image": "blah.exe",
 "command_line": None,
+ 'services_involved': None,
 "start_time": "1970-01-01 00:00:02.000",
 "end_time": "1970-01-01 00:00:03.000",
 "integrity_level": None,
+ 'loaded_modules': None,
 "image_hash": None,
 "original_file_name": None,
 }
@@ -2897,7 +2909,9 @@ def test_get_non_safelisted_processes():
 "session": None,
 },
 "ppid": 1,
+ 'services_involved': None,
 "integrity_level": None,
+ 'loaded_modules': None,
 "image_hash": None,
 "original_file_name": None,
 "command_line": "blah",
@@ -2979,10 +2993,12 @@ def test_get_non_safelisted_processes():
 "session": None,
 },
 "ppid": 1,
+ 'services_involved': None,
 "command_line": "blah",
 "pimage": None,
 "pcommand_line": None,
 "integrity_level": None,
+ 'loaded_modules': None,
 "image_hash": None,
 "original_file_name": None,
 "children": [
@@ -3017,6 +3033,8 @@ def test_get_non_safelisted_processes():
 "pcommand_line": "blah",
 "children": [],
 "integrity_level": None,
+ 'loaded_modules': None,
+ 'services_involved': None,
 "image_hash": None,
 "original_file_name": None,
 }
@@ -3143,6 +3161,8 @@ def test_get_non_safelisted_processes():
 "pimage": None,
 "pcommand_line": None,
 "integrity_level": None,
+ 'loaded_modules': None,
+ 'services_involved': None,
 "image_hash": None,
 "original_file_name": None,
 "children": [
@@ -3177,6 +3197,8 @@ def test_get_non_safelisted_processes():
 "pimage": "blah",
 "pcommand_line": "blah",
 "integrity_level": None,
+ 'loaded_modules': None,
+ 'services_involved': None,
 "image_hash": None,
 "original_file_name": None,
 }
@@ -3340,6 +3362,8 @@ def test_get_non_safelisted_processes():
 "pimage": None,
 "pcommand_line": None,
 "integrity_level": None,
+ 'loaded_modules': None,
+ 'services_involved': None,
 "image_hash": None,
 "original_file_name": None,
 "children": [
@@ -3370,6 +3394,8 @@ def test_get_non_safelisted_processes():
 "pimage": None,
 "pcommand_line": None,
 "integrity_level": None,
+ 'loaded_modules': None,
+ 'services_involved': None,
 "image_hash": None,
 "original_file_name": None,
 "objectid": {
@@ -5843,6 +5869,8 @@ def test_sort_things_by_relationship(things_to_sort, expected_result, dummy_time
 "integrity_level": None,
 "image_hash": None,
 "original_file_name": None,
+ 'services_involved': None,
+ 'loaded_modules': None,
 }
 },
 ),
@@ -5894,6 +5922,8 @@ def test_sort_things_by_relationship(things_to_sort, expected_result, dummy_time
 "start_time": "1970-01-01 00:00:01.000",
 "end_time": None,
 "integrity_level": None,
+ 'services_involved': None,
+ 'loaded_modules': None,
 "image_hash": None,
 "original_file_name": None,
 },
@@ -5918,6 +5948,8 @@ def test_sort_things_by_relationship(things_to_sort, expected_result, dummy_time
 "start_time": "1970-01-01 00:00:01.000",
 "end_time": None,
 "integrity_level": None,
+ 'loaded_modules': None,
+ 'services_involved': None,
 "image_hash": None,
 "original_file_name": None,
 },
diff --git a/test/test_sysmon_helper.py b/test/test_sysmon_helper.py
index 1351930..c8b1518 100644
--- a/test/test_sysmon_helper.py
+++ b/test/test_sysmon_helper.py
@@ -36,7 +36,7 @@ class TestModule:
 'processtree': None, 'service_name': 'CAPE',}, 'pobjectid': None, 'pimage': None, 'pcommand_line': None, 'ppid': 2, 'pid': 1, 'image': 'blah.exe', 'command_line': './blah',
- 'integrity_level': None, 'image_hash': None, 'original_file_name': None}),
+ 'integrity_level': None, 'image_hash': None, 'original_file_name': None, 'services_involved': None, 'loaded_modules': None,}),
 ([{"System": {"EventID": 1}, "EventData": {
@@ -57,7 +57,7 @@ class TestModule:
 'processtree': None, 'service_name': 'CAPE'}, 'pobjectid': None, 'pimage': None, 'pcommand_line': None, 'ppid': 2, 'pid': 1, 'image': 'blah.exe', 'command_line': './blah',
- 'integrity_level': None, 'image_hash': None, 'original_file_name': None}),
+ 'integrity_level': None, 'image_hash': None, 'original_file_name': None, 'loaded_modules': None, 'services_involved': None}),
 ([{"System": {"EventID": 1}, "EventData": {
@@ -72,7 +72,7 @@ class TestModule:
 'time_observed': '1970-01-01 12:40:30.123', 'ontology_id': 'process_5FPZdIxfHmzxsWKUlsSNGl', 'service_name': 'CAPE'}, 'pobjectid': None, 'pimage': None, 'pcommand_line': None, 'ppid': None, 'pid': 123, 'image': 'blah', 'command_line': None,
- 'integrity_level': None, 'image_hash': None, 'original_file_name': None}),
+ 'integrity_level': None, 'image_hash': None, 'original_file_name': None, 'loaded_modules': None, 'services_involved': None}),
 ([{"System": {"EventID": 1}, "EventData": {
@@ -95,7 +95,7 @@ class TestModule:
 'time_observed': '1970-01-01 12:40:30.123', 'ontology_id': 'process_5FPZdIxfHmzxsWKUlsSNGl', 'service_name': 'CAPE'}, 'pobjectid': None, 'pimage': None, 'pcommand_line': None, 'ppid': None, 'pid': 123, 'image': 'blah', 'command_line': None,
- 'integrity_level': None, 'image_hash': None, 'original_file_name': None}), ])
+ 'integrity_level': None, 'image_hash': None, 'original_file_name': None, 'services_involved': None, 'loaded_modules': None}), ])
 def test_convert_sysmon_processes(sysmon, expected_process, mocker):
 so = OntologyResults(service_name="CAPE")
 mocker.patch.object(so, "sandboxes", return_value="blah")