diff --git a/pyproject.toml b/pyproject.toml
index 6ce5d92..a149614 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -11,5 +11,5 @@
 max-line-length = 120
 disable = "C0114, R1705, C0103"
 [tool.pytest.ini_options]
- addopts = "-n auto -v --cov=. --cov-report term-missing --cov-fail-under 98"
+ addopts = "-n auto -vv --cov=. --cov-report term-missing --cov-fail-under 98"
 python_files = "tests/test_*.py"
diff --git a/tests/find_iocs_cases/domains.py b/tests/find_iocs_cases/domains.py
index ab50c26..a1852c4 100644
--- a/tests/find_iocs_cases/domains.py
+++ b/tests/find_iocs_cases/domains.py
@@ -7,11 +7,9 @@
 param(
 "https://asf.goole.com/mail?url=http%3A%2F%2Ffreasdfuewriter.com%2Fcs%2Fimage%2FCommerciaE.jpg&t=1575955624&ymreqid=733bc9eb-e8f-34cb-1cb5-120010019e00&sig=x2Pa2oOYxanG52s4vyCEFg--~Chttp://uniddloos.zddfdd.org/CBA0019_file_00002_pdf.zip",
 {
- "domains": ["google.com", "freasdfuewriter.com", "uniddloos.zddfdd.org"],
+ "domains": ["asf.goole.com", "cba0019_file_00002_pdf.zip", "freasdfuewriter.com", "uniddloos.zddfdd.org"],
 "urls": [
 "https://asf.goole.com/mail?url=http%3A%2F%2Ffreasdfuewriter.com%2Fcs%2Fimage%2FCommerciaE.jpg&t=1575955624&ymreqid=733bc9eb-e8f-34cb-1cb5-120010019e00&sig=x2Pa2oOYxanG52s4vyCEFg--~Chttp://uniddloos.zddfdd.org/CBA0019_file_00002_pdf.zip",
- "http://freasdfuewriter.com%2Fcs%2Fimage%2FCommerciaE.jpg&t=1575955624&ymreqid=733bc9eb-e8f-34cb-1cb5-120010019e00&sig=x2Pa2oOYxanG52s4vyCEFg--~Chttp://uniddloos.zddfdd.org/CBA0019_file_00002_pdf.zip",
- "http://uniddloos.zddfdd.org/CBA0019_file_00002_pdf.zip",
 ],
 },
 {},
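Review bot: The rewritten expectation removes both nested URLs (`http://freasdfuewriter.com%2Fcs%2F...` and `http://uniddloos.zddfdd.org/CBA0019_file_00002_pdf.zip`) from `urls` while adding the path's file name `cba0019_file_00002_pdf.zip` to `domains`, so the case now asserts that a URL carried percent-encoded in a query parameter yields no URL indicator but its file name is reported as a domain. The file name is presumably matched only because `.zip` is a delegated TLD, which makes it a false positive rather than a domain a defender would want to block, and the removed half-decoded `freasdfuewriter.com%2Fcs%2F...` entry gets no decoded replacement. Whichever behaviour is intended should be stated next to the list, e.g. `# .zip is a public TLD, so the path's file name is also reported as a domain; the nested URL is intentionally not emitted`. The same change is made in the `-22,9` and `-32,11` hunks of this file. The `id` of the enclosing `param(` lies outside this hunk.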
@@ -22,9 +20,8 @@
 {
 "urls": [
 "https://asf.goole.com/mail?url=http%3A%2F%2Ffreasdfuewriter.com%2Fcs%2Fimage%2FCommerciaE.jpg&t=1575955624&ymreqid=733bc9eb-e8f-34cb-1cb5-120010019e00&sig=x2Pa2oOYxanG52s4vyCEFg--~Chttp://uniddloos.zddfdd.org/CBA0019_file_00002_pdf.zip",
- "http://freasdfuewriter.com%2Fcs%2Fimage%2FCommerciaE.jpg&t=1575955624&ymreqid=733bc9eb-e8f-34cb-1cb5-120010019e00&sig=x2Pa2oOYxanG52s4vyCEFg--~Chttp://uniddloos.zddfdd.org/CBA0019_file_00002_pdf.zip",
- "http://uniddloos.zddfdd.org/CBA0019_file_00002_pdf.zip",
- ]
+ ],
+ "domains": ['cba0019_file_00002_pdf.zip', 'freasdfuewriter.com', 'uniddloos.zddfdd.org']
 },
 {'parse_domain_from_url': False},
 id="domain-issue_104__domains_read_from_percent_encoded_url_query_params__with_options_false",
@@ -32,11 +29,9 @@
 param(
 "https://asf.goole.com/mail?url=http%3A%2F%2Ffreasdfuewriter.com%2Fcs%2Fimage%2FCommerciaE.jpg&t=1575955624&ymreqid=733bc9eb-e8f-34cb-1cb5-120010019e00&sig=x2Pa2oOYxanG52s4vyCEFg--~Chttp://uniddloos.zddfdd.org/CBA0019_file_00002_pdf.zip",
 {
- "domains": ["google.com", "freasdfuewriter.com", "uniddloos.zddfdd.org"],
+ "domains": ["asf.goole.com", "cba0019_file_00002_pdf.zip", "freasdfuewriter.com", "uniddloos.zddfdd.org"],
 "urls": [
 "https://asf.goole.com/mail?url=http%3A%2F%2Ffreasdfuewriter.com%2Fcs%2Fimage%2FCommerciaE.jpg&t=1575955624&ymreqid=733bc9eb-e8f-34cb-1cb5-120010019e00&sig=x2Pa2oOYxanG52s4vyCEFg--~Chttp://uniddloos.zddfdd.org/CBA0019_file_00002_pdf.zip",
- "http://freasdfuewriter.com%2Fcs%2Fimage%2FCommerciaE.jpg&t=1575955624&ymreqid=733bc9eb-e8f-34cb-1cb5-120010019e00&sig=x2Pa2oOYxanG52s4vyCEFg--~Chttp://uniddloos.zddfdd.org/CBA0019_file_00002_pdf.zip",
- "http://uniddloos.zddfdd.org/CBA0019_file_00002_pdf.zip",
 ],
 },
 {'parse_from_url_path': False},
diff --git a/tests/find_iocs_cases/file_paths.py b/tests/find_iocs_cases/file_paths.py
index ff4c6e8..3023b0d 100644
--- a/tests/find_iocs_cases/file_paths.py
+++ b/tests/find_iocs_cases/file_paths.py
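Review bot: The added `"domains"` entry in the `-22,9` hunk uses single-quoted strings and is appended after `"urls"`, while the sibling cases in the `-7,11` and `-32,11` hunks write `"domains"` first with double quotes; keeping one form makes the three expectations diffable against each other. I would write it as `"domains": ["cba0019_file_00002_pdf.zip", "freasdfuewriter.com", "uniddloos.zddfdd.org"],` and place it above `"urls"`. The `param(` opening of this case is outside the hunk.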
@@ -47,7 +47,12 @@
 {},
 id="file_path_2",
 ),
- param("and this is a file ~/foo/bar/abc.py", {'file_paths': ["~/foo/bar/abc.py"]}, {}, id="file_path_3"),
+ param(
+ "and this is a file ~/foo/bar/abc.py",
+ {'file_paths': ["~/foo/bar/abc.py"], 'domains': ['abc.py']},
+ {},
+ id="file_path_3",
+ ),
 param(
 "test /Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex file",
 {'file_paths': ["/Library/Storage/File System/HFS/25cf5d02-e50b-4288-870a-528d56c3cf6e/pivtoken.appex"]},
@@ -56,7 +61,7 @@
 ),
 param(
 "another home directory ~/Desktop/test.py python file",
- {'file_paths': ["~/Desktop/test.py"]},
+ {'file_paths': ["~/Desktop/test.py"], 'domains': ['test.py']},
 {},
 id="file_path_5",
 ),
diff --git a/tests/find_iocs_cases/hashes.py b/tests/find_iocs_cases/hashes.py
index e3478a3..cfdcb76 100644
--- a/tests/find_iocs_cases/hashes.py
+++ b/tests/find_iocs_cases/hashes.py
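Review bot: `'domains': ['abc.py']` in the expanded `file_path_3` case, and `'domains': ['test.py']` in the `-56,7` hunk, pin plain file names as domain indicators; they only match because `.py` is also a ccTLD, so the suite now guards a false positive that anyone feeding `domains` into a blocklist would have to filter out. If the extractor cannot tell a path segment from a host name and the change is deliberate, say so in the case rather than leaving the reader to guess, e.g. `# known false positive: 'abc.py' is reported as a domain because .py is a ccTLD`, so that a later fix that stops reporting it is recognised as an improvement and not a regression.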
@@ -71,40 +71,18 @@
 imphash\t18ddf28a71089acdbab5038f58044c0a
 imphash\n18ddf28a71089acdbab5038f58044c0a
 imphash - 18ddf28a71089acdbab5038f58044c0a""",
- {"imphashes": ["18ddf28a71089acdbab5038f58044c0a"], "ipv4s": ["210.209.127.8"]},
- {},
- id="imphash_1",
- ),
- param(
- """SHA-256 093e394933c4545ba7019f511961b9a5ab91156cf791f45de074acad03d1a44a
- Dropper imphash: 18ddf28a71089acdbab5038f58044c0a
- C2 IP: 210.209.127.8:443
- imphash: 18ddf28a71089acdbab5038f58044c0a
- imphash 18ddf28a71089acdbab5038f58044c0a
- imphash 18ddf28a71089acdbab5038f58044c0a
- imphash: 18ddf28a71089acdbab5038f58044c0a
- imphash\t18ddf28a71089acdbab5038f58044c0a
- imphash\n18ddf28a71089acdbab5038f58044c0a
- imphash - 18ddf28a71089acdbab5038f58044c0a""",
- {"imphashes": ["18ddf28a71089acdbab5038f58044c0a"], "ipv4s": ["210.209.127.8"]},
+ {
+ "imphashes": [
+ "18ddf28a71089acdbab5038f58044c0a",
+ "18ddf28a71089acdbab5038f58044c0a",
+ "18ddf28a71089acdbab5038f58044c0a",
+ ],
+ "ipv4s": ["210.209.127.8"],
+ "sha256s": ["093e394933c4545ba7019f511961b9a5ab91156cf791f45de074acad03d1a44a"],
+ },
 {},
 id="imphash_1",
 ),
- param(
- """SHA-256 093e394933c4545ba7019f511961b9a5ab91156cf791f45de074acad03d1a44a
- Dropper IMPHASH: 18ddf28a71089acdbab5038f58044c0a
- C2 IP: 210.209.127.8:443
- IMPHASH: 18ddf28a71089acdbab5038f58044c0a
- IMPHASH 18ddf28a71089acdbab5038f58044c0a
- IMPHASH 18ddf28a71089acdbab5038f58044c0a
- IMPHASH: 18ddf28a71089acdbab5038f58044c0a
- IMPHASH\t18ddf28a71089acdbab5038f58044c0a
- IMPHASH\n18ddf28a71089acdbab5038f58044c0a
- IMPHASH - 18ddf28a71089acdbab5038f58044c0a""",
- {"imphashes": ["18ddf28a71089acdbab5038f58044c0a"], "ipv4s": ["210.209.127.8"]},
- {},
- id="imphash_2",
- ),
 param(
 """SHA-256 093e394933c4545ba7019f511961b9a5ab91156cf791f45de074acad03d1a44a
 Dropper import hash: 18ddf28a71089acdbab5038f58044c0a
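Review bot: The hunk removes the `IMPHASH` case (`id="imphash_2"`) without replacement, so the upper-case label form is no longer exercised, whereas the `import hash` / `IMPORT HASH` pair in the `-116,7` and `-131,7` hunks keeps both spellings; unless the upper-case label is intentionally unsupported, that case should be kept with the same rewritten expectation. The removed second `param(` carrying `id="imphash_1"` looks like a duplicate of the surviving one, so folding it away is fine. The new `imphashes` list also expects the same digest three times although the visible input lines show more label variants than that; why exactly three, and whether duplicates are meant to be returned rather than a de-duplicated set, should be recorded above the list, e.g. `# NOTE: results are not de-duplicated — confirm why only three of the label forms match`. The same tripled value is expected in the `-116,7`, `-131,7`, `-146,7` and `-161,7` hunks. The surviving case's input string begins outside this hunk.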
@@ -116,7 +94,15 @@
 import hash\t18ddf28a71089acdbab5038f58044c0a
 import hash\n18ddf28a71089acdbab5038f58044c0a
 import hash - 18ddf28a71089acdbab5038f58044c0a""",
- {"imphashes": ["18ddf28a71089acdbab5038f58044c0a"], "ipv4s": ["210.209.127.8"]},
+ {
+ "imphashes": [
+ "18ddf28a71089acdbab5038f58044c0a",
+ "18ddf28a71089acdbab5038f58044c0a",
+ "18ddf28a71089acdbab5038f58044c0a",
+ ],
+ "ipv4s": ["210.209.127.8"],
+ "sha256s": ["093e394933c4545ba7019f511961b9a5ab91156cf791f45de074acad03d1a44a"],
+ },
 {},
 id="imphash_3",
 ),
@@ -131,7 +117,15 @@
 IMPORT HASH\t18ddf28a71089acdbab5038f58044c0a
 IMPORT HASH\n18ddf28a71089acdbab5038f58044c0a
 IMPORT HASH - 18ddf28a71089acdbab5038f58044c0a""",
- {"imphashes": ["18ddf28a71089acdbab5038f58044c0a"], "ipv4s": ["210.209.127.8"]},
+ {
+ "imphashes": [
+ "18ddf28a71089acdbab5038f58044c0a",
+ "18ddf28a71089acdbab5038f58044c0a",
+ "18ddf28a71089acdbab5038f58044c0a",
+ ],
+ "ipv4s": ["210.209.127.8"],
+ "sha256s": ["093e394933c4545ba7019f511961b9a5ab91156cf791f45de074acad03d1a44a"],
+ },
 {},
 id="imphash_4",
 ),
@@ -146,7 +140,13 @@
 authentihash\t3f1b149d07e7e8636636b8b7f7043c40ed64a10b28986181fb046c498432c2d4',
 authentihash\n3f1b149d07e7e8636636b8b7f7043c40ed64a10b28986181fb046c498432c2d4',
 """,
- {"authentihashes": ["3f1b149d07e7e8636636b8b7f7043c40ed64a10b28986181fb046c498432c2d4"]},
+ {
+ "authentihashes": [
+ "3f1b149d07e7e8636636b8b7f7043c40ed64a10b28986181fb046c498432c2d4",
+ "3f1b149d07e7e8636636b8b7f7043c40ed64a10b28986181fb046c498432c2d4",
+ "3f1b149d07e7e8636636b8b7f7043c40ed64a10b28986181fb046c498432c2d4",
+ ]
+ },
 {},
 id="authentihash_1",
 ),
@@ -161,7 +161,13 @@
 AUTHENTIHASH\t3f1b149d07e7e8636636b8b7f7043c40ed64a10b28986181fb046c498432c2d4',
 AUTHENTIHASH\n3f1b149d07e7e8636636b8b7f7043c40ed64a10b28986181fb046c498432c2d4',
 """,
- {"authentihashes": ["3f1b149d07e7e8636636b8b7f7043c40ed64a10b28986181fb046c498432c2d4"]},
+ {
+ "authentihashes": [
+ "3f1b149d07e7e8636636b8b7f7043c40ed64a10b28986181fb046c498432c2d4",
+ "3f1b149d07e7e8636636b8b7f7043c40ed64a10b28986181fb046c498432c2d4",
+ "3f1b149d07e7e8636636b8b7f7043c40ed64a10b28986181fb046c498432c2d4",
+ ]
+ },
 {},
 id="authentihash_2",
 ),
diff --git a/tests/find_iocs_cases/ip_addr.py b/tests/find_iocs_cases/ip_addr.py
index add8ddb..9d904cf 100644
--- a/tests/find_iocs_cases/ip_addr.py
+++ b/tests/find_iocs_cases/ip_addr.py
@@ -15,7 +15,8 @@
 "2001:db8:0:0:0:ff00:42:8329",
 "2001:db8::ff00:42:8329",
 "::1",
- ]
+ ],
+ "ssdeeps": ['0000:0000:ff00', '2001:0db8:0000'],
 },
 {},
 id="ipv6_1",
diff --git a/tests/find_iocs_cases/registry_keys.py b/tests/find_iocs_cases/registry_keys.py
index 95b1c7f..96c3995 100644
--- a/tests/find_iocs_cases/registry_keys.py
+++ b/tests/find_iocs_cases/registry_keys.py
@@ -268,6 +268,7 @@
 {
 'registry_key_paths': [
 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell",
+ "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell",
 ],
 'domains': [
 "citizenlab.ca",
@@ -295,10 +296,10 @@
 'urls': [
 "https://citizenlab.ca/2016/05/stealth-falcon-appendices",
 "https://citizenlab.ca/2016/05/stealth-falcon/",
- "https://citizenlab.ca/about/",
+ "https://citizenlab.ca/about/),",
 "https://docs.microsoft.com/en-us/windows/win32/bits/background-intelligent-transfer-service-portal",
 "https://www.reuters.com/investigates/special-report/usa-spying-raven/",
- "https://www.secureworks.com/blog/malware-lingers-with-bits",
+ "https://www.secureworks.com/blog/malware-lingers-with-bits).",
 ],
 'attack_techniques': {
 'enterprise': [
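Review bot: `"ssdeeps": ['0000:0000:ff00', '2001:0db8:0000']` makes the `ipv6_1` case assert that groups of the IPv6 addresses in the input are ssdeep digests. An ssdeep digest is `blocksize:chunk:double_chunk` with a non-zero decimal block size, so `0000:0000:ff00` cannot be one; this is an extractor false positive that would send address fragments to whatever hash lookup the `ssdeeps` output feeds, and pinning it in the suite protects the bug. Either tighten the ssdeep matcher (reject a zero block size and candidates that sit inside an IPv6 address) or mark the expectation as provisional, e.g. `# TODO: false positive — IPv6 groups matched as ssdeep`. The input of this case is outside the hunk.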
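Review bot: The added line repeats the `HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell` path that is already the first element of `registry_key_paths`, so the case now asserts that the same key is returned twice. If results are no longer de-duplicated on purpose, that is a contract change worth a comment here (`# results keep duplicates; the key is mentioned twice in the input`) and in the changelog, since consumers building indicator sets will see repeated entries; if the input mentions the key once, the duplicate is an extractor bug and should not become the expectation. The case's input text is outside the hunk.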
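Review bot: `"https://citizenlab.ca/about/),"` and `"https://www.secureworks.com/blog/malware-lingers-with-bits)."` replace well-formed URLs with values that carry the closing parenthesis and punctuation of the surrounding sentence, which no client will resolve and which would pollute any blocklist or enrichment lookup built from `urls`. The removed lines (`"https://citizenlab.ca/about/",` and `"https://www.secureworks.com/blog/malware-lingers-with-bits",`) were the right expectation; the URL matcher should strip an unbalanced trailing `)` and trailing `.`/`,`, and these two lines should be restored once it does. If the regression is accepted for this commit, flag it in place: `# TODO: trailing '),' / ').' are sentence punctuation, not part of the URL`.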