poetry and validate fixes
MHaggis authored Aug 4, 2024
1 parent f869615 commit 20f78ef
Showing 14 changed files with 352 additions and 108 deletions.
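--- a/bin/spec/lolrmm.spec.json
+++ b/bin/spec/lolrmm.spec.json
@@ -0,0 +1,152 @@
+{
+"$schema": "http://json-schema.org/draft-07/schema#",
+"type": "object",
+"properties": {
+"Name": { "type": "string" },
+"Category": { "type": ["string", "null"] },
+"Description": { "type": "string" },
+"Author": { "type": ["string", "null"] },
+"Created": { "type": ["string", "null"] },
+"LastModified": { "type": ["string", "null"] },
+"Details": {
+"type": "object",
+"properties": {
+"Website": { "type": ["string", "null"] },
+"PEMetadata": {
+"oneOf": [
+{
+"type": "object",
+"properties": {
+"Filename": { "type": ["string", "null"] },
+"OriginalFileName": { "type": ["string", "null"] },
+"Description": { "type": ["string", "null"] }
+}
+},
+{
+"type": "array",
+"items": {
+"type": "object",
+"properties": {
+"Filename": { "type": ["string", "null"] },
+"OriginalFileName": { "type": ["string", "null"] },
+"Description": { "type": ["string", "null"] }
+}
+}
+}
+]
+},
+"Privileges": { "type": ["string", "null"] },
+"Free": { "type": ["boolean", "string", "null"] },
+"Verification": { "type": ["boolean", "string", "null"] },
+"SupportedOS": {
+"type": ["array", "null"],
+"items": { "type": "string" }
+},
+"Capabilities": {
+"type": ["array", "null"],
+"items": { "type": "string" }
+},
+"Vulnerabilities": {
+"type": ["array", "null"],
+"items": { "type": "string" }
+},
+"InstallationPaths": {
+"type": ["array", "null"],
+"items": { "type": "string" }
+}
+}
+},
+"Artifacts": {
+"type": "object",
+"properties": {
+"Disk": {
+"type": ["array", "null"],
+"items": {
+"type": "object",
+"properties": {
+"File": { "type": "string" },
+"Description": { "type": ["string", "null"] },
+"OS": { "type": ["string", "null"] },
+"Example": { "type": ["array", "null"], "items": { "type": "string" } }
+}
+}
+},
+"EventLog": {
+"type": ["array", "null"],
+"items": {
+"type": "object",
+"properties": {
+"EventID": { "type": ["integer", "null"] },
+"ProviderName": { "type": ["string", "null"] },
+"LogFile": { "type": ["string", "null"] },
+"ServiceName": { "type": ["string", "null"] },
+"ImagePath": { "type": ["string", "null"] },
+"Description": { "type": ["string", "null"] }
+}
+}
+},
+"Registry": {
+"type": ["array", "null"],
+"items": {
+"type": "object",
+"properties": {
+"Path": { "type": "string" },
+"Description": { "type": ["string", "null"] }
+}
+}
+},
+"Network": {
+"type": ["array", "null"],
+"items": {
+"type": "object",
+"properties": {
+"Description": { "type": ["string", "null"] },
+"Domain": {
+"oneOf": [
+{ "type": ["string", "null"] },
+{
+"type": "array",
+"items": { "type": ["string", "null"] }
+}
+]
+},
+"Port": { "type": ["string", "number", "null"] }
+}
+}
+},
+"Other": {
+"type": ["array", "null"],
+"items": {
+"type": "object",
+"properties": {
+"Type": { "type": ["string", "null"] },
+"Value": { "type": ["string", "null"] }
+}
+}
+}
+}
+},
+"Detections": {
+"type": ["array", "null"],
+"items": {
+"type": "object",
+"properties": {
+"Sigma": { "type": ["string", "null"] },
+"Description": { "type": ["string", "null"] }
+}
+}
+},
+"References": { "type": ["array", "null"], "items": { "type": ["string", "null"] } },
+"Acknowledgement": {
+"type": ["array", "null"],
+"items": {
+"type": "object",
+"properties": {
+"Person": { "type": ["string", "null"] },
+"Handle": { "type": ["string", "null"] }
+}
+}
+}
+},
+"required": ["Name", "Description"]
+}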
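Review bot: No object schema in this file sets `additionalProperties`, so a misspelled or undeclared key passes validation silently — and the data in this same commit already uses keys the schema does not declare: yaml/action1.yaml carries `CommandLine` under `Artifacts.EventLog` and `Name` under `Detections`, while the schema lists only `EventID`…`Description` and `Sigma`/`Description` there. Adding `"additionalProperties": false` to each object schema (or declaring those keys) would make `validate.py` report that drift instead of accepting it. `"Free"` and `"Verification"` accept `boolean`, `string` and `null`, and `"Port"` accepts `string` and `number`, so a consumer cannot rely on a single type per field; narrowing each to one type plus `null` would be more robust. Only the top level has a `required` list, so an empty `{}` entry under `Detections`, `Artifacts.Disk` or `Artifacts.Registry` validates; `"required": ["File"]`, `"required": ["Path"]` and a required detection identifier would close that gap.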
4 changes: 2 additions & 2 deletions bin/validate.py
Expand Up @@ -75,7 +75,7 @@ def validate_schema(yaml_dir, schema_file, verbose):
error = True

# Additional YAML checks
check_errors = [
check_errors = [
check_md5_length(yaml_data),
check_sha1_length(yaml_data),
check_sha256_length(yaml_data),
Expand Down Expand Up @@ -106,7 +106,7 @@ def main(yaml_dir, schema_file, verbose):
# grab arguments
parser = argparse.ArgumentParser(description="Validates YAML files in a directory against a JSON schema")
parser.add_argument("-y", "--yaml_dir", default='yaml/', help="path to the directory containing YAML files")
parser.add_argument("-s", "--schema_file", default='bin/spec/bootloaders.spec.json', help="path to the JSON schema file")
parser.add_argument("-s", "--schema_file", default='bin/spec/lolrmm.spec.json', help="path to the JSON schema file")
parser.add_argument("-v", "--verbose", required=False, action='store_true', help="prints verbose output")
# parse them
args = parser.parse_args()
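Review bot: The new default `bin/spec/lolrmm.spec.json`, like the existing `yaml/` default, is resolved against the current working directory, so the validator only finds its schema when launched from the repository root; anchoring it on the script location, e.g. `default=str(Path(__file__).resolve().parents[1] / 'bin' / 'spec' / 'lolrmm.spec.json')` with `from pathlib import Path`, removes that dependency. The `check_errors = [` line is textually identical before and after, so this is an indentation-only move; if it shifted the block into or out of the per-file loop or the error branch, it changes which files get the hash-length checks, which is worth confirming since the body of `validate_schema` lies outside the hunk. `yaml_data` is also produced outside this hunk; if it comes from `yaml.load` without an explicit `Loader`, `yaml.safe_load` keeps the validator from constructing arbitrary Python objects from the files it validates.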
63 changes: 61 additions & 2 deletions poetry.lock


2 changes: 1 addition & 1 deletion pyproject.toml
Expand Up @@ -8,7 +8,7 @@ readme = "README.md"
[tool.poetry.dependencies]
python = "^3.12"
streamlit = "^1.37.0"

pyyaml = "^6.0"

[build-system]
requires = ["poetry-core"]
87 changes: 43 additions & 44 deletions yaml/action1.yaml
Expand Up @@ -23,52 +23,51 @@ Details:
- action1_remote.exe
- action1_update.exe
Artifacts:
Disk:
- File: 'C:\Windows\Action1\action1_agent.exe'
Description: Action1 service binary
OS: Windows
- File: 'C:\Windows\Action1\*'
Description: Multiple files and binaries related to Action1 installation
OS: Windows
- File: 'C:\Windows\Action1\scripts\*'
Description: Multiple scripts related to Action1 installation
OS: Windows
- File: 'C:\Windows\Action1\rule_data\*'
Description: Files related to Action1 rules
OS: Windows
Disk:
- File: 'C:\Windows\Action1\action1_agent.exe'
Description: Action1 service binary
OS: Windows
- File: 'C:\Windows\Action1\*'
Description: Multiple files and binaries related to Action1 installation
OS: Windows
- File: 'C:\Windows\Action1\scripts\*'
Description: Multiple scripts related to Action1 installation
OS: Windows
- File: 'C:\Windows\Action1\rule_data\*'
Description: Files related to Action1 rules
OS: Windows
EventLog:
- EventID: 7045
ProviderName: Service Control Manager
LogFile: System.evtx
ServiceName: Action1 Agent
ImagePath: '"C:\\Windows\\Action1\\action1_agent.exe"'
Description: Service installation event as result of Action1 installation.
- EventID: 4688
ProviderName: Microsoft-Security-Auditing
LogFile: Security.evtx
CommandLine: 'C:\Windows\Action1\action1_agent.exe service'
Description: Service installation event as result of Action1 installation.
- EventID: 4688
ProviderName: Microsoft-Security-Auditing
LogFile: Security.evtx
CommandLine: 'C:\Windows\Action1\action1_agent.exe loggedonuser'
Description: Executing command to get logged on user.

- EventID: 7045
ProviderName: Service Control Manager
LogFile: System.evtx
ServiceName: Action1 Agent
ImagePath: '"C:\\Windows\\Action1\\action1_agent.exe"'
Description: Service installation event as result of Action1 installation.
- EventID: 4688
ProviderName: Microsoft-Security-Auditing
LogFile: Security.evtx
CommandLine: 'C:\Windows\Action1\action1_agent.exe service'
Description: Service installation event as result of Action1 installation.
- EventID: 4688
ProviderName: Microsoft-Security-Auditing
LogFile: Security.evtx
CommandLine: 'C:\Windows\Action1\action1_agent.exe loggedonuser'
Description: Executing command to get logged on user.
Registry:
- Path: 'HKLM\System\CurrentControlSet\Services\A1Agent'
Description: Service installation event as result of Action1 installation.
- Path: 'HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps\action1_agent.exe'
Description: Ensures that detailed crash information is available for analysis, which aids in maintaining the stability and reliability of the software.
- Path: 'HKLM\SOFTWARE\WOW6432Node\Action1'
Description: Storing its configuration settings and other relevant information
- Path: 'HKLM\System\CurrentControlSet\Services\A1Agent'
Description: Service installation event as result of Action1 installation.
- Path: 'HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps\action1_agent.exe'
Description: Ensures that detailed crash information is available for analysis, which aids in maintaining the stability and reliability of the software.
- Path: 'HKLM\SOFTWARE\WOW6432Node\Action1'
Description: Storing its configuration settings and other relevant information
Network:
- Description: Known remote domains
Domain:
- action1.com
- a1-backend-packages.s3.amazonaws.com
- '*.action1.com'
- server.action1.com
Port: '22543'
- Description: Known remote domains
Domain:
- action1.com
- a1-backend-packages.s3.amazonaws.com
- '*.action1.com'
- server.action1.com
Port: '22543'
Detections:
- Name: Arbitrary code execution and remote sessions via Action1 RMM
Description: Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM
Expand All @@ -79,4 +78,4 @@ References:
- https://twitter.com/Kostastsale/status/1646256901506605063?s=20
Acknowledgement:
- Person: "Kostas"
Handle: "@kostastsale"
Handle: "@kostastsale"
