From 22b977e6f367a933d6c6ce6bf5f7913c5657af78 Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Tue, 5 Nov 2024 11:31:37 -0500
Subject: [PATCH 1/8] Update dynamic_service_helper.py
---
 .../common/dynamic_service_helper.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/assemblyline_service_utilities/common/dynamic_service_helper.py b/assemblyline_service_utilities/common/dynamic_service_helper.py
index 7f3e26a..9572d51 100644
--- a/assemblyline_service_utilities/common/dynamic_service_helper.py
+++ b/assemblyline_service_utilities/common/dynamic_service_helper.py
@@ -402,6 +402,8 @@ def __init__(
 integrity_level: Optional[str] = None,
 image_hash: Optional[str] = None,
 original_file_name: Optional[str] = None,
+ loaded_modules: Optional[List[str]] = None,
+ services_involved: Optional[List[str]] = None,
 ) -> None:
 """
 This method initializes a process object
@@ -448,6 +450,8 @@ def __init__(
 set_optional_argument(self, "image_hash", image_hash, str)
 set_optional_argument(self, "original_file_name", original_file_name, str)
+ set_optional_argument(self, "loaded_modules", loaded_modules, List[str])
+ set_optional_argument(self, "services_involved", services_involved, List[str])
 def as_primitives(self) -> Dict[str, Any]:
 """
From 9c545055170679ac24e309fddc3c24ca033d1648 Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Tue, 5 Nov 2024 13:34:50 -0500
Subject: [PATCH 2/8] Update test_dynamic_service_helper.py
---
 test/test_dynamic_service_helper.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/test/test_dynamic_service_helper.py b/test/test_dynamic_service_helper.py
index 5b457db..a1be017 100644
--- a/test/test_dynamic_service_helper.py
+++ b/test/test_dynamic_service_helper.py
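Review bot: The two added `set_optional_argument` calls pass `List[str]` as the type argument, whereas every existing call in the hunk passes a plain class such as `str`; if the helper validates with `isinstance`, a subscripted generic raises `TypeError: Subscripted generics cannot be used with class and instance checks` the first time a non-None list is supplied, and no test in this series supplies one. Passing the runtime class instead, `set_optional_argument(self, "loaded_modules", loaded_modules, list)` and likewise for `services_involved`, keeps the existing validation path; element types would then need a separate check if they matter. The `__init__` docstring opened in the first hunk is not visibly extended for the two new parameters, so add entries stating what `loaded_modules` and `services_involved` hold. The body of `__init__` starts before the first hunk and continues between the two hunks.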
@@ -373,9 +373,11 @@ def test_process_as_primitives():
 "pid": None,
 "image": current_image,
 "command_line": None,
+ 'services_involved': None,
 "start_time": "1970-01-01 00:00:01.001",
 "end_time": None,
 "integrity_level": None,
+ 'loaded_modules': None,
 "image_hash": None,
 "original_file_name": None,
 }
@@ -1636,9 +1638,11 @@ def test_add_process():
 "pid": None,
 "image": "C:\\Windows\\System32\\cmd.exe",
 "command_line": None,
+ 'services_involved': None,
 "start_time": "1970-01-01 00:00:00.000",
 "end_time": "9999-12-31 23:59:59.999999",
 "integrity_level": None,
+ 'loaded_modules': None,
 "image_hash": None,
 "original_file_name": None,
 }
@@ -1823,9 +1827,11 @@ def test_set_parent_details():
 "pid": None,
 "image": "blah",
 "command_line": None,
+ 'services_involved': None,
 "start_time": "1970-01-01 00:00:04.000",
 "end_time": "9999-12-31 23:59:59.999999",
 "integrity_level": None,
+ 'loaded_modules': None,
 "image_hash": None,
 "original_file_name": None,
 }
@@ -1869,9 +1875,11 @@ def test_set_parent_details():
 "pid": None,
 "image": "blah",
 "command_line": None,
+ 'services_involved': None,
 "start_time": "1970-01-01 00:00:03.000",
 "end_time": "9999-12-31 23:59:59.999999",
 "integrity_level": None,
+ 'loaded_modules': None,
 "image_hash": None,
 "original_file_name": None,
 }
@@ -1985,9 +1993,11 @@ def test_set_child_details():
 "pid": 3,
 "image": "blah.exe",
 "command_line": None,
+ 'services_involved': None,
 "start_time": "1970-01-01 00:00:02.000",
 "end_time": "1970-01-01 00:00:03.000",
 "integrity_level": None,
+ 'loaded_modules': None,
 "image_hash": None,
 "original_file_name": None,
 }
From 2566eee98682dd97acac451a7edcd8d104cedb69 Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Tue, 5 Nov 2024 13:39:07 -0500
Subject: [PATCH 3/8] Update test_dynamic_service_helper.py
---
 test/test_dynamic_service_helper.py | 2 ++
 1 file changed, 2 insertions(+)
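Review bot: Every added expectation in these hunks pins the new `services_involved` and `loaded_modules` keys to `None`, so the `List[str]` validation added for them in `dynamic_service_helper.py` is never exercised by the suite; the same holds for the test hunks in patches 3 through 8 of this series. Add at least one case that constructs a process with non-empty lists, using a constructed value such as `loaded_modules=["example.dll"]`, and asserts that they come back unchanged from `as_primitives`. As a style point, the new keys use single quotes and are inserted at a different position from hunk to hunk, while the surrounding fixture keys are double-quoted and consistently ordered; matching those conventions would keep the fixtures uniform. Each hunk sits inside a larger dict literal whose start and end are outside the hunk.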
diff --git a/test/test_dynamic_service_helper.py b/test/test_dynamic_service_helper.py
index a1be017..535d727 100644
--- a/test/test_dynamic_service_helper.py
+++ b/test/test_dynamic_service_helper.py
@@ -1960,9 +1960,11 @@ def test_set_child_details():
 "pid": 1,
 "image": "blah.exe",
 "command_line": None,
+ 'services_involved': None,
 "start_time": "1970-01-01 00:00:02.000",
 "end_time": "1970-01-01 00:00:03.000",
 "integrity_level": None,
+ 'loaded_modules': None,
 "image_hash": None,
 "original_file_name": None,
 }
From 30382aa93bf81c086aa2ea46a822a40d5254c793 Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Tue, 5 Nov 2024 13:46:18 -0500
Subject: [PATCH 4/8] Update test_dynamic_service_helper.py
---
 test/test_dynamic_service_helper.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/test/test_dynamic_service_helper.py b/test/test_dynamic_service_helper.py
index 535d727..a96dc16 100644
--- a/test/test_dynamic_service_helper.py
+++ b/test/test_dynamic_service_helper.py
@@ -2886,7 +2886,9 @@ def test_get_non_safelisted_processes():
 "session": None,
 },
 "ppid": 1,
+ 'services_involved': None,
 "integrity_level": None,
+ 'loaded_modules': None,
 "image_hash": None,
 "original_file_name": None,
 "command_line": "blah",
@@ -2968,10 +2970,12 @@ def test_get_non_safelisted_processes():
 "session": None,
 },
 "ppid": 1,
+ 'services_involved': None,
 "command_line": "blah",
 "pimage": None,
 "pcommand_line": None,
 "integrity_level": None,
+ 'loaded_modules': None,
 "image_hash": None,
 "original_file_name": None,
 "children": [
@@ -3132,6 +3136,8 @@ def test_get_non_safelisted_processes():
 "pimage": None,
 "pcommand_line": None,
 "integrity_level": None,
+ 'loaded_modules': None,
+ 'services_involved': None,
 "image_hash": None,
 "original_file_name": None,
 "children": [
@@ -3166,6 +3172,8 @@ def test_get_non_safelisted_processes():
 "pimage": "blah",
 "pcommand_line": "blah",
 "integrity_level": None,
+ 'loaded_modules': None,
+ 'services_involved': None,
 "image_hash": None,
 "original_file_name": None,
 }
@@ -3329,6 +3337,8 @@ def test_get_non_safelisted_processes():
 "pimage": None,
 "pcommand_line": None,
 "integrity_level": None,
+ 'loaded_modules': None,
+ 'services_involved': None,
 "image_hash": None,
 "original_file_name": None,
 "children": [
@@ -3359,6 +3369,8 @@ def test_get_non_safelisted_processes():
 "pimage": None,
 "pcommand_line": None,
 "integrity_level": None,
+ 'loaded_modules': None,
+ 'services_involved': None,
 "image_hash": None,
 "original_file_name": None,
 "objectid": {
From ebf44e450ca92e3e792ed0b41b49686110b1e942 Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Tue, 5 Nov 2024 15:32:34 -0500
Subject: [PATCH 5/8] Update test_dynamic_service_helper.py
---
 test/test_dynamic_service_helper.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/test/test_dynamic_service_helper.py b/test/test_dynamic_service_helper.py
index a96dc16..8ff63f8 100644
--- a/test/test_dynamic_service_helper.py
+++ b/test/test_dynamic_service_helper.py
@@ -3010,6 +3010,8 @@ def test_get_non_safelisted_processes():
 "pcommand_line": "blah",
 "children": [],
 "integrity_level": None,
+ 'loaded_modules': None,
+ 'services_involved': None,
 "image_hash": None,
 "original_file_name": None,
 }
From c9843889aadeb194167d3113359c4db7cc2363b8 Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Tue, 5 Nov 2024 15:38:14 -0500
Subject: [PATCH 6/8] Update test_dynamic_service_helper.py
---
 test/test_dynamic_service_helper.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/test/test_dynamic_service_helper.py b/test/test_dynamic_service_helper.py
index 8ff63f8..a7af5ff 100644
--- a/test/test_dynamic_service_helper.py
+++ b/test/test_dynamic_service_helper.py
@@ -5849,6 +5849,8 @@ def test_sort_things_by_relationship(things_to_sort, expected_result, dummy_time
 "integrity_level": None,
 "image_hash": None,
 "original_file_name": None,
+ 'services_involved': None,
+ 'loaded_modules': None,
 }
 },
 ),
@@ -5900,6 +5902,8 @@ def test_sort_things_by_relationship(things_to_sort, expected_result, dummy_time
 "start_time": "1970-01-01 00:00:01.000",
 "end_time": None,
 "integrity_level": None,
+ 'services_involved': None,
+ 'loaded_modules': None,
 "image_hash": None,
 "original_file_name": None,
 },
@@ -5924,6 +5928,8 @@ def test_sort_things_by_relationship(things_to_sort, expected_result, dummy_time
 "start_time": "1970-01-01 00:00:01.000",
 "end_time": None,
 "integrity_level": None,
+ 'loaded_modules': None,
+ 'services_involved': None,
 "image_hash": None,
 "original_file_name": None,
 },
From af464fa04c1e0f0adc971f7cb26bca0463fa0c4b Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Tue, 5 Nov 2024 15:47:26 -0500
Subject: [PATCH 7/8] Update test_sysmon_helper.py
---
 test/test_sysmon_helper.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/test_sysmon_helper.py b/test/test_sysmon_helper.py
index 1351930..7596f82 100644
--- a/test/test_sysmon_helper.py
+++ b/test/test_sysmon_helper.py
@@ -95,7 +95,7 @@ class TestModule:
 'time_observed': '1970-01-01 12:40:30.123', 'ontology_id': 'process_5FPZdIxfHmzxsWKUlsSNGl', 'service_name': 'CAPE'}, 'pobjectid': None, 'pimage': None, 'pcommand_line': None, 'ppid': None, 'pid': 123, 'image': 'blah', 'command_line': None,
- 'integrity_level': None, 'image_hash': None, 'original_file_name': None}), ])
+ 'integrity_level': None, 'image_hash': None, 'original_file_name': None, 'services_involved': None, 'loaded_modules': None}), ])
 def test_convert_sysmon_processes(sysmon, expected_process, mocker):
 so = OntologyResults(service_name="CAPE")
 mocker.patch.object(so, "sandboxes", return_value="blah")
From 5d3d92ae875258edd67dee0f0f8a9177a379c937 Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Tue, 5 Nov 2024 15:52:13 -0500
Subject: [PATCH 8/8] Update test_sysmon_helper.py
---
 test/test_sysmon_helper.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/test/test_sysmon_helper.py b/test/test_sysmon_helper.py
index 7596f82..c8b1518 100644
--- a/test/test_sysmon_helper.py
+++ b/test/test_sysmon_helper.py
@@ -36,7 +36,7 @@ class TestModule:
 'processtree': None, 'service_name': 'CAPE',}, 'pobjectid': None, 'pimage': None, 'pcommand_line': None, 'ppid': 2, 'pid': 1, 'image': 'blah.exe', 'command_line': './blah',
- 'integrity_level': None, 'image_hash': None, 'original_file_name': None}),
+ 'integrity_level': None, 'image_hash': None, 'original_file_name': None, 'services_involved': None, 'loaded_modules': None,}),
 ([{"System": {"EventID": 1}, "EventData": {
@@ -57,7 +57,7 @@ class TestModule:
 'processtree': None, 'service_name': 'CAPE'}, 'pobjectid': None, 'pimage': None, 'pcommand_line': None, 'ppid': 2, 'pid': 1, 'image': 'blah.exe', 'command_line': './blah',
- 'integrity_level': None, 'image_hash': None, 'original_file_name': None}),
+ 'integrity_level': None, 'image_hash': None, 'original_file_name': None, 'loaded_modules': None, 'services_involved': None}),
 ([{"System": {"EventID": 1}, "EventData": {
@@ -72,7 +72,7 @@ class TestModule:
 'time_observed': '1970-01-01 12:40:30.123', 'ontology_id': 'process_5FPZdIxfHmzxsWKUlsSNGl', 'service_name': 'CAPE'}, 'pobjectid': None, 'pimage': None, 'pcommand_line': None, 'ppid': None, 'pid': 123, 'image': 'blah', 'command_line': None,
- 'integrity_level': None, 'image_hash': None, 'original_file_name': None}),
+ 'integrity_level': None, 'image_hash': None, 'original_file_name': None, 'loaded_modules': None, 'services_involved': None}),
 ([{"System": {"EventID": 1}, "EventData": {