public void TestEventCollectorWindows()
{
var FirstRunId = "TestEventCollector-1";
var SecondRunId = "TestEventCollector-2";
var fsc = new EventLogCollector(FirstRunId);
fsc.Execute();
using (EventLog eventLog = new EventLog("Application"))
{
eventLog.Source = "Attack Surface Analyzer Tests";
eventLog.WriteEntry("This Log Entry was created for testing the Attack Surface Analyzer library.", EventLogEntryType.Warning, 101, 1);
}
fsc = new EventLogCollector(SecondRunId);
fsc.Execute();
BaseCompare bc = new BaseCompare();
if (!bc.TryCompare(FirstRunId, SecondRunId))
{
Assert.Fail();
}
var results = bc.Results;
Assert.IsTrue(results["LOG_CREATED"].Where(x => ((EventLogObject)x.Compare).Level == "Warning" && ((EventLogObject)x.Compare).Source == "Attack Surface Analyzer Tests").Count() == 1);
}
public void TestServiceCollectorWindows()
{
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
var FirstRunId = "TestServiceCollector-1";
var SecondRunId = "TestServiceCollector-2";
var fwc = new ServiceCollector(FirstRunId);
fwc.Execute();
// Create a service - This won't throw an exception, but it won't work if you are not an Admin.
var serviceName = "AsaDemoService";
var exeName = "AsaDemoService.exe";
var cmd = string.Format("create {0} binPath=\"{1}\"", serviceName, exeName);
ExternalCommandRunner.RunExternalCommand("sc.exe", cmd);
fwc = new ServiceCollector(SecondRunId);
fwc.Execute();
// Clean up
cmd = string.Format("delete {0}", serviceName);
ExternalCommandRunner.RunExternalCommand("sc.exe", cmd);
BaseCompare bc = new BaseCompare();
if (!bc.TryCompare(FirstRunId, SecondRunId))
{
Assert.Fail();
}
var results = bc.Results;
Assert.IsTrue(results.ContainsKey("SERVICE_CREATED"));
Assert.IsTrue(results["SERVICE_CREATED"].Where(x => x.Identity.Contains("AsaDemoService")).Count() > 0);
}
}
public void TestFirewallCollectorLinux()
{
if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
{
var FirstRunId = "TestFirewallCollector-1";
var SecondRunId = "TestFirewallCollector-2";
var fwc = new FirewallCollector(FirstRunId);
fwc.Execute();
var result = ExternalCommandRunner.RunExternalCommand("iptables", "-A INPUT -p tcp --dport 19999 -j DROP");
fwc = new FirewallCollector(SecondRunId);
fwc.Execute();
result = ExternalCommandRunner.RunExternalCommand("iptables", "-D INPUT -p tcp --dport 19999 -j DROP");
BaseCompare bc = new BaseCompare();
if (!bc.TryCompare(FirstRunId, SecondRunId))
{
Assert.Fail();
}
var results = bc.Results;
Assert.IsTrue(results.ContainsKey("FIREWALL_CREATED"));
Assert.IsTrue(results["FIREWALL_CREATED"].Where(x => x.Identity.Contains("9999")).Count() > 0);
}
}
public void TestFirewallCollectorOSX()
{
if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
{
var FirstRunId = "TestFirewallCollector-1";
var SecondRunId = "TestFirewallCollector-2";
var fwc = new FirewallCollector(FirstRunId);
fwc.Execute();
_ = ExternalCommandRunner.RunExternalCommand("/usr/libexec/ApplicationFirewall/socketfilterfw", "--add /bin/bash");
fwc = new FirewallCollector(SecondRunId);
fwc.Execute();
_ = ExternalCommandRunner.RunExternalCommand("/usr/libexec/ApplicationFirewall/socketfilterfw", "--remove /bin/bash");
BaseCompare bc = new BaseCompare();
if (!bc.TryCompare(FirstRunId, SecondRunId))
{
Assert.Fail();
}
var results = bc.Results;
Assert.IsTrue(results.ContainsKey("FIREWALL_CREATED"));
Assert.IsTrue(results["FIREWALL_CREATED"].Where(x => x.Identity.Contains("/bin/bash")).Count() > 0);
}
}
public void TestFileCollector()
{
Setup();
var FirstRunId = "TestFileCollector-1";
var SecondRunId = "TestFileCollector-2";
var testFolder = AsaHelpers.GetTempFolder();
Directory.CreateDirectory(testFolder);
var opts = new CollectCommandOptions()
{
RunId = FirstRunId,
EnableFileSystemCollector = true,
GatherHashes = true,
SelectedDirectories = testFolder,
DownloadCloud = false,
CertificatesFromFiles = false
};
var fsc = new FileSystemCollector(opts);
fsc.Execute();
using (var file = File.Open(Path.Combine(testFolder, "AsaLibTesterMZ"), FileMode.OpenOrCreate))
{
file.Write(FileSystemUtils.WindowsMagicNumber, 0, 2);
file.Write(FileSystemUtils.WindowsMagicNumber, 0, 2);
file.Close();
}
using (var file = File.Open(Path.Combine(testFolder, "AsaLibTesterJavaClass"), FileMode.OpenOrCreate))
{
file.Write(FileSystemUtils.JavaMagicNumber, 0, 4);
file.Close();
}
opts.RunId = SecondRunId;
fsc = new FileSystemCollector(opts);
fsc.Execute();
BaseCompare bc = new BaseCompare();
if (!bc.TryCompare(FirstRunId, SecondRunId))
{
Assert.Fail();
}
var results = bc.Results;
Assert.IsTrue(results.ContainsKey("FILE_CREATED"));
Assert.IsTrue(results["FILE_CREATED"].Where(x => x.Identity.Contains("AsaLibTesterMZ") && ((FileSystemObject)x.Compare).IsExecutable == true).Any());
Assert.IsTrue(results["FILE_CREATED"].Where(x => x.Identity.Contains("AsaLibTesterJavaClass") && ((FileSystemObject)x.Compare).IsExecutable == true).Any());
TearDown();
}
public void TestFirewallCollectorWindows()
{
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
Assert.IsTrue(AsaHelpers.IsAdmin());
Setup();
var FirstRunId = "TestFirewallCollector-1";
var SecondRunId = "TestFirewallCollector-2";
var fwc = new FirewallCollector(FirstRunId);
fwc.Execute();
var rule = FirewallManager.Instance.CreatePortRule(
@"TestFirewallPortRule",
FirewallAction.Allow,
9999,
FirewallProtocol.TCP
);
FirewallManager.Instance.Rules.Add(rule);
rule = FirewallManager.Instance.CreateApplicationRule(
@"TestFirewallAppRule",
FirewallAction.Allow,
@"C:\MyApp.exe"
);
rule.Direction = FirewallDirection.Outbound;
FirewallManager.Instance.Rules.Add(rule);
fwc = new FirewallCollector(SecondRunId);
fwc.Execute();
var rules = FirewallManager.Instance.Rules.Where(r => r.Name == "TestFirewallPortRule");
foreach (var ruleIn in rules)
{
FirewallManager.Instance.Rules.Remove(ruleIn);
}
rules = FirewallManager.Instance.Rules.Where(r => r.Name == "TestFirewallAppRule");
foreach (var ruleIn in rules)
{
FirewallManager.Instance.Rules.Remove(ruleIn);
}
BaseCompare bc = new BaseCompare();
if (!bc.TryCompare(FirstRunId, SecondRunId))
{
Assert.Fail();
}
var results = bc.Results;
Assert.IsTrue(results.ContainsKey("FIREWALL_CREATED"));
Assert.IsTrue(results["FIREWALL_CREATED"].Where(x => ((FirewallObject)x.Compare).LocalPorts.Contains("9999")).Count() > 0);
Assert.IsTrue(results["FIREWALL_CREATED"].Where(x => x.Identity.Contains("MyApp.exe")).Count() > 0);
TearDown();
}
}
public void TestFirewallCollectorWindows()
{
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
Setup();
var FirstRunId = "TestFirewallCollector-1";
var SecondRunId = "TestFirewallCollector-2";
var fwc = new FirewallCollector(FirstRunId);
fwc.Execute();
var rule = FirewallManager.Instance.CreatePortRule(
@"TestFirewallPortRule",
FirewallAction.Allow,
9999,
FirewallProtocol.TCP
);
FirewallManager.Instance.Rules.Add(rule);
rule = FirewallManager.Instance.CreateApplicationRule(
@"TestFirewallAppRule",
FirewallAction.Allow,
@"C:\MyApp.exe"
);
rule.Direction = FirewallDirection.Outbound;
FirewallManager.Instance.Rules.Add(rule);
fwc = new FirewallCollector(SecondRunId);
fwc.Execute();
rule = FirewallManager.Instance.Rules.SingleOrDefault(r => r.Name == "TestFirewallPortRule");
if (rule != null)
{
FirewallManager.Instance.Rules.Remove(rule);
}
rule = FirewallManager.Instance.Rules.SingleOrDefault(r => r.Name == "TestFirewallAppRule");
if (rule != null)
{
FirewallManager.Instance.Rules.Remove(rule);
}
BaseCompare bc = new BaseCompare();
var watch = System.Diagnostics.Stopwatch.StartNew();
if (!bc.TryCompare(FirstRunId, SecondRunId))
{
Assert.Fail();
}
Dictionary <string, List <CompareResult> > results = bc.Results;
Assert.IsTrue(results.ContainsKey("FIREWALL_CREATED"));
Assert.IsTrue(results["FIREWALL_CREATED"].Where(x => ((FirewallObject)x.Compare).LocalPorts.Contains("9999")).Count() > 0);
Assert.IsTrue(results["FIREWALL_CREATED"].Where(x => x.Identity.Contains("MyApp.exe")).Count() > 0);
TearDown();
}
}
public void TestPortCollectorWindows()
{
Setup();
var FirstRunId = "TestPortCollector-1";
var SecondRunId = "TestPortCollector-2";
var fsc = new OpenPortCollector(FirstRunId);
fsc.Execute();
TcpListener server = null;
try
{
// Set the TcpListener on port 13000.
Int32 port = 13000;
IPAddress localAddr = IPAddress.Parse("127.0.0.1");
// TcpListener server = new TcpListener(port);
server = new TcpListener(localAddr, port);
// Start listening for client requests.
server.Start();
}
catch (Exception)
{
Console.WriteLine("Failed to open port.");
}
fsc = new OpenPortCollector(SecondRunId);
fsc.Execute();
server.Stop();
BaseCompare bc = new BaseCompare();
var watch = System.Diagnostics.Stopwatch.StartNew();
if (!bc.TryCompare(FirstRunId, SecondRunId))
{
Assert.Fail();
}
Dictionary <string, List <CompareResult> > results = bc.Results;
Assert.IsTrue(results.ContainsKey("PORT_CREATED"));
Assert.IsTrue(results["PORT_CREATED"].Where(x => x.Identity.Contains("13000")).Count() > 0);
TearDown();
}
public void TestRegistryCollectorWindows()
{
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
Setup();
var FirstRunId = "TestRegistryCollector-1";
var SecondRunId = "TestRegistryCollector-2";
var rc = new RegistryCollector(FirstRunId, new List <RegistryHive>()
{
RegistryHive.CurrentUser
}, true);
rc.Execute();
// Create a registry key
var name = System.Guid.NewGuid().ToString().Substring(0, 10);
var value = System.Guid.NewGuid().ToString().Substring(0, 10);
var value2 = System.Guid.NewGuid().ToString().Substring(0, 10);
RegistryKey key;
key = Microsoft.Win32.Registry.CurrentUser.CreateSubKey(name);
key.SetValue(value, value2);
key.Close();
rc = new RegistryCollector(SecondRunId, new List <RegistryHive>()
{
RegistryHive.CurrentUser
}, true);
rc.Execute();
// Clean up
Microsoft.Win32.Registry.CurrentUser.DeleteSubKey(name);
BaseCompare bc = new BaseCompare();
if (!bc.TryCompare(FirstRunId, SecondRunId))
{
Assert.Fail();
}
var results = bc.Results;
Assert.IsTrue(results.ContainsKey("REGISTRY_CREATED"));
Assert.IsTrue(results["REGISTRY_CREATED"].Where(x => x.Identity.Contains(name)).Count() > 0);
TearDown();
}
}
public void TestUserCollectorWindows()
{
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
Assert.IsTrue(AsaHelpers.IsAdmin());
Setup();
var FirstRunId = "TestUserCollector-1";
var SecondRunId = "TestUserCollector-2";
var fwc = new UserAccountCollector(FirstRunId);
fwc.Execute();
var user = System.Guid.NewGuid().ToString().Substring(0, 10);
var password = System.Guid.NewGuid().ToString().Substring(0, 10);
var cmd = string.Format("user /add {0} {1}", user, password);
ExternalCommandRunner.RunExternalCommand("net", cmd);
var serviceName = System.Guid.NewGuid();
fwc = new UserAccountCollector(SecondRunId);
fwc.Execute();
cmd = string.Format("user /delete {0}", user);
ExternalCommandRunner.RunExternalCommand("net", cmd);
BaseCompare bc = new BaseCompare();
if (!bc.TryCompare(FirstRunId, SecondRunId))
{
Assert.Fail();
}
var results = bc.Results;
Assert.IsTrue(results.ContainsKey("USER_CREATED"));
Assert.IsTrue(results["USER_CREATED"].Where(x => x.Identity.Contains(user)).Count() > 0);
TearDown();
}
}
public static ConcurrentDictionary <(RESULT_TYPE, CHANGE_TYPE), ConcurrentQueue <CompareResult> > CompareRuns(CompareCommandOptions opts)
{
if (opts is null)
{
throw new ArgumentNullException(nameof(opts));
}
if (opts.SaveToDatabase)
{
DatabaseManager.InsertCompareRun(opts.FirstRunId, opts.SecondRunId, RUN_STATUS.RUNNING);
}
comparators = new List <BaseCompare>();
Dictionary <string, string> EndEvent = new Dictionary <string, string>();
BaseCompare c = new BaseCompare();
var watch = System.Diagnostics.Stopwatch.StartNew();
if (!c.TryCompare(opts.FirstRunId, opts.SecondRunId))
{
Log.Warning(Strings.Get("Err_Comparing") + " : {0}", c.GetType().Name);
}
watch.Stop();
TimeSpan t = TimeSpan.FromMilliseconds(watch.ElapsedMilliseconds);
string answer = string.Format(CultureInfo.InvariantCulture, "{0:D2}h:{1:D2}m:{2:D2}s:{3:D3}ms",
t.Hours,
t.Minutes,
t.Seconds,
t.Milliseconds);
Log.Information(Strings.Get("Completed"), "Comparing", answer);
if (opts.Analyze)
{
watch = Stopwatch.StartNew();
Analyzer analyzer = new Analyzer(DatabaseManager.RunIdToPlatform(opts.FirstRunId), opts.AnalysesFile);
var violations = analyzer.VerifyRules();
if (violations.Any())
{
foreach (var violation in violations)
{
Log.Warning(violation);
}
Log.Error("Encountered {0} issues with rules in {1}. Skipping analysis.", violations.Count, opts.AnalysesFile ?? "Embedded");
}
else
{
if (c.Results.Count > 0)
{
foreach (var key in c.Results.Keys)
{
if (c.Results[key] is ConcurrentQueue <CompareResult> queue)
{
Parallel.ForEach(queue, (res) =>
{
res.Rules = analyzer.Analyze(res);
res.Analysis = res.Rules.Max(x => x.Flag);
});
}
}
}
}
watch.Stop();
t = TimeSpan.FromMilliseconds(watch.ElapsedMilliseconds);
answer = string.Format(CultureInfo.InvariantCulture, "{0:D2}h:{1:D2}m:{2:D2}s:{3:D3}ms",
t.Hours,
t.Minutes,
t.Seconds,
t.Milliseconds);
Log.Information(Strings.Get("Completed"), "Analysis", answer);
}
watch = Stopwatch.StartNew();
if (opts.SaveToDatabase)
{
foreach (var key in c.Results.Keys)
{
if (c.Results.TryGetValue(key, out ConcurrentQueue <CompareResult>?obj))
{
if (obj is ConcurrentQueue <CompareResult> Queue)
{
foreach (var result in Queue)
{
DatabaseManager.InsertAnalyzed(result);
}
}
}
}
}
watch.Stop();
t = TimeSpan.FromMilliseconds(watch.ElapsedMilliseconds);
answer = string.Format(CultureInfo.InvariantCulture, "{0:D2}h:{1:D2}m:{2:D2}s:{3:D3}ms",
t.Hours,
t.Minutes,
t.Seconds,
t.Milliseconds);
Log.Information(Strings.Get("Completed"), "Flushing", answer);
if (opts.SaveToDatabase)
{
DatabaseManager.UpdateCompareRun(opts.FirstRunId, opts.SecondRunId, RUN_STATUS.COMPLETED);
}
DatabaseManager.Commit();
AsaTelemetry.TrackEvent("End Command", EndEvent);
return(c.Results);
}
public static Dictionary <string, object> CompareRuns(CompareCommandOptions opts)
{
if (opts is null)
{
throw new ArgumentNullException(nameof(opts));
}
if (opts.SaveToDatabase)
{
DatabaseManager.InsertCompareRun(opts.FirstRunId, opts.SecondRunId, RUN_STATUS.RUNNING);
}
var results = new Dictionary <string, object>();
comparators = new List <BaseCompare>();
Dictionary <string, string> EndEvent = new Dictionary <string, string>();
BaseCompare c = new BaseCompare();
var watch = System.Diagnostics.Stopwatch.StartNew();
if (!c.TryCompare(opts.FirstRunId, opts.SecondRunId))
{
Log.Warning(Strings.Get("Err_Comparing") + " : {0}", c.GetType().Name);
}
c.Results.ToList().ForEach(x => results.Add(x.Key, x.Value));
watch.Stop();
TimeSpan t = TimeSpan.FromMilliseconds(watch.ElapsedMilliseconds);
string answer = string.Format(CultureInfo.InvariantCulture, "{0:D2}h:{1:D2}m:{2:D2}s:{3:D3}ms",
t.Hours,
t.Minutes,
t.Seconds,
t.Milliseconds);
Log.Information(Strings.Get("Completed"), "Comparing", answer);
if (opts.Analyze)
{
watch = System.Diagnostics.Stopwatch.StartNew();
Analyzer analyzer;
analyzer = new Analyzer(DatabaseManager.RunIdToPlatform(opts.FirstRunId), opts.AnalysesFile);
if (results.Count > 0)
{
foreach (var key in results.Keys)
{
try
{
Parallel.ForEach(results[key] as ConcurrentQueue <CompareResult>, (result) =>
{
result.Analysis = analyzer.Analyze(result);
});
}
catch (ArgumentNullException)
{
}
}
}
watch.Stop();
t = TimeSpan.FromMilliseconds(watch.ElapsedMilliseconds);
answer = string.Format(CultureInfo.InvariantCulture, "{0:D2}h:{1:D2}m:{2:D2}s:{3:D3}ms",
t.Hours,
t.Minutes,
t.Seconds,
t.Milliseconds);
Log.Information(Strings.Get("Completed"), "Analysis", answer);
}
watch = System.Diagnostics.Stopwatch.StartNew();
if (opts.SaveToDatabase)
{
foreach (var key in results.Keys)
{
try
{
foreach (var result in (results[key] as ConcurrentQueue <CompareResult>))
{
DatabaseManager.InsertAnalyzed(result);
}
}
catch (NullReferenceException)
{
Log.Debug(key);
}
}
}
watch.Stop();
t = TimeSpan.FromMilliseconds(watch.ElapsedMilliseconds);
answer = string.Format(CultureInfo.InvariantCulture, "{0:D2}h:{1:D2}m:{2:D2}s:{3:D3}ms",
t.Hours,
t.Minutes,
t.Seconds,
t.Milliseconds);
Log.Information(Strings.Get("Completed"), "Flushing", answer);
if (opts.SaveToDatabase)
{
DatabaseManager.UpdateCompareRun(opts.FirstRunId, opts.SecondRunId, RUN_STATUS.COMPLETED);
}
DatabaseManager.Commit();
AsaTelemetry.TrackEvent("End Command", EndEvent);
return(results);
}
public void TestFileCompare()
{
var FirstRunId = "TestFileCollector-1";
var SecondRunId = "TestFileCollector-2";
var testFolder = AsaHelpers.GetTempFolder();
Directory.CreateDirectory(testFolder);
var opts = new CollectCommandOptions()
{
RunId = FirstRunId,
EnableFileSystemCollector = true,
GatherHashes = true,
SelectedDirectories = testFolder,
DownloadCloud = false,
CertificatesFromFiles = false
};
var fsc = new FileSystemCollector(opts);
fsc.Execute();
fsc.Results.AsParallel().ForAll(x => DatabaseManager.Write(x, FirstRunId));
using (var file = File.Open(Path.Combine(testFolder, "AsaLibTesterMZ"), FileMode.OpenOrCreate))
{
file.Write(FileSystemUtils.WindowsMagicNumber, 0, 2);
file.Write(FileSystemUtils.WindowsMagicNumber, 0, 2);
file.Close();
}
using (var file = File.Open(Path.Combine(testFolder, "AsaLibTesterJavaClass"), FileMode.OpenOrCreate))
{
file.Write(FileSystemUtils.JavaMagicNumber, 0, 4);
file.Close();
}
opts.RunId = SecondRunId;
fsc = new FileSystemCollector(opts);
fsc.Execute();
Assert.IsTrue(fsc.Results.Any(x => x is FileSystemObject FSO && FSO.Path.EndsWith("AsaLibTesterMZ")));
Assert.IsTrue(fsc.Results.Any(x => x is FileSystemObject FSO && FSO.Path.EndsWith("AsaLibTesterJavaClass")));
fsc.Results.AsParallel().ForAll(x => DatabaseManager.Write(x, SecondRunId));
while (DatabaseManager.HasElements)
{
Thread.Sleep(1);
}
BaseCompare bc = new BaseCompare();
if (!bc.TryCompare(FirstRunId, SecondRunId))
{
Assert.Fail();
}
var results = bc.Results;
Assert.IsTrue(results.ContainsKey((RESULT_TYPE.FILE, CHANGE_TYPE.CREATED)));
Assert.IsTrue(results[(RESULT_TYPE.FILE, CHANGE_TYPE.CREATED)].Any(x => x.Identity.Contains("AsaLibTesterMZ") && ((FileSystemObject)x.Compare).IsExecutable == true));