microsoft / AttackSurfaceAnalyzer

Attack Surface Analyzer can help you analyze your operating system's security configuration for changes during software installation.
MIT License

AggregateException in asa export-collect in Ubuntu Linux #602

Closed masty1982 closed 3 years ago

masty1982 commented 3 years ago

Describe the bug: Updated asa version to 2.3.146-beta. I collected two baselines and ran export-collect in Ubuntu Linux. Export-collect is aborted due to an AggregateException (System.Security.Cryptography.CryptographicException: Error occurred during a cryptographic operation.), see the Screenshots section below.

To Reproduce Steps to reproduce the behavior:

  1. Collect two baselines
  2. Run export-collect
  3. See AggregateException in the output

Screenshots:

```
user@user-VirtualBox:~$ sudo ~/.dotnet/tools/asa collect -a --runid product2
[12:00:43 INF] AttackSurfaceAnalyzer v.2.3.146-beta+1de0eafc6d
[12:00:44 INF] Begin product2.
[12:00:44 INF] Starting 11 Collectors.
[12:00:47 INF] Starting FileSystemCollector.
[12:00:47 INF] Scanning root /lost+found
[12:00:47 INF] Scanning root /bin
[12:00:47 INF] Scanning root /boot
[12:00:48 INF] Scanning root /etc
[12:00:48 INF] Scanning root /root
[12:00:48 INF] Scanning root /tmp
[12:00:48 INF] Scanning root /sbin
[12:00:48 INF] Scanning root /cdrom
[12:00:48 INF] Scanning root /lib64
[12:00:48 INF] Scanning root /srv
[12:00:48 INF] Scanning root /usr
[12:02:21 INF] Scanning root /media
[12:02:21 INF] Scanning root /dev
[12:02:22 INF] Scanning root /home
[12:02:23 INF] Scanning root /snap
[12:05:09 INF] Scanning root /lib
[12:05:24 INF] Scanning root /run
[12:05:24 INF] Scanning root /opt
[12:05:41 INF] Scanning root /var
[12:05:44 INF] Scanning root /mnt
[12:05:44 INF] Completed FileSystemCollector in 00h:04m:56s:779ms.
[12:05:44 INF] Starting OpenPortCollector.
[12:05:44 INF] Completed OpenPortCollector in 00h:00m:00s:026ms.
[12:05:44 INF] Starting ServiceCollector.
[12:05:44 INF] Completed ServiceCollector in 00h:00m:00s:034ms.
[12:05:44 INF] Starting UserAccountCollector.
[12:05:45 INF] Completed UserAccountCollector in 00h:00m:00s:105ms.
[12:05:45 INF] Starting CertificateCollector.
[12:05:45 INF] Completed CertificateCollector in 00h:00m:00s:080ms.
[12:05:45 INF] Starting FirewallCollector.
[12:05:45 INF] Completed FirewallCollector in 00h:00m:00s:015ms.
[12:05:45 INF] Starting EventLogCollector.
[12:05:45 INF] Completed EventLogCollector in 00h:00m:00s:071ms.
[12:05:45 INF] Starting TpmCollector.
Exception while loading tpm2-abrmd: System.DllNotFoundException: Unable to load shared library 'libtss2-tcti-tabrmd.so' or one of its dependencies. In order to help diagnose loading problems, consider setting the LD_DEBUG environment variable: liblibtss2-tcti-tabrmd.so: cannot open shared object file: No such file or directory
   at Tpm2Lib.AbrmdWrapper.NativeMethods.Tss2_Tcti_Info()
   at Tpm2Lib.AbrmdWrapper.Load(IntPtr& tctiCtxPtr)
   at Tpm2Lib.LinuxTpmDevice..ctor(String tpmDevicePath)
[12:05:45 INF] Completed TpmCollector in 00h:00m:00s:038ms.
[12:05:45 INF] Starting ProcessCollector.
[12:06:16 INF] Completed ProcessCollector in 00h:00m:30s:758ms.
[12:06:16 INF] Starting DriverCollector.
[12:06:18 INF] Completed DriverCollector in 00h:00m:01s:546ms.
[12:06:18 INF] Starting WifiCollector.
[12:06:18 WRN] Microsoft.CST.AttackSurfaceAnalyzer.Collectors.WifiCollector isn't compatible with this platform and has been skipped.
[12:06:18 INF] Completed WifiCollector in 00h:00m:00s:000ms.

user@user-VirtualBox:~$ sudo ~/.dotnet/tools/asa export-collect
[12:06:27 INF] AttackSurfaceAnalyzer v.2.3.146-beta+1de0eafc6d
[12:06:28 INF] Provided null run Ids using latest two runs.
[12:06:28 INF] Comparing baseline2 vs product2.
[12:06:45 INF] Completed Comparing in 00h:00m:17s:641ms.
Unhandled exception. System.AggregateException: One or more errors occurred. (Error occurred during a cryptographic operation.) (Error occurred during a cryptographic operation.) (Error occurred during a cryptographic operation.) (Error occurred during a cryptographic operation.)
 ---> System.Security.Cryptography.CryptographicException: Error occurred during a cryptographic operation.
   at Internal.Cryptography.HashProviderDispenser.EvpHashProvider.FinalizeHashAndReset(Span`1 destination)
   at Internal.Cryptography.HashProvider.FinalizeHashAndReset()
   at System.Security.Cryptography.HashAlgorithm.CaptureHashCodeAndReinitialize()
   at Microsoft.CST.AttackSurfaceAnalyzer.Utils.CryptoHelpers.CreateHash(String input) in D:\a\1\s\Lib\Utils\CryptoHelpers.cs:line 14
   at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.<>c__DisplayClass29_0.<CompareRuns>b__0(CompareResult res)
   at System.Linq.Parallel.ForAllOperator`1.ForAllEnumerator`1.MoveNext(TInput& currentElement, Int32& currentKey)
   at System.Linq.Parallel.ForAllSpoolingTask`2.SpoolingWork()
   at System.Linq.Parallel.SpoolingTaskBase.Work()
   at System.Linq.Parallel.QueryTask.BaseWork(Object unused)
   at System.Linq.Parallel.QueryTask.<>c.<.cctor>b__10_0(Object o)
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
   --- End of inner exception stack trace ---
   at System.Linq.Parallel.QueryTaskGroupState.QueryEnd(Boolean userInitiatedDispose)
   at System.Linq.Parallel.SpoolingTask.SpoolForAll[TInputOutput,TIgnoreKey](QueryTaskGroupState groupState, PartitionedStream`2 partitions, TaskScheduler taskScheduler)
   at System.Linq.Parallel.DefaultMergeHelper`2.System.Linq.Parallel.IMergeHelper.Execute()
   at System.Linq.Parallel.MergeExecutor`1.Execute()
   at System.Linq.Parallel.MergeExecutor`1.Execute[TKey](PartitionedStream`2 partitions, Boolean ignoreOutput, ParallelMergeOptions options, TaskScheduler taskScheduler, Boolean isOrdered, CancellationState cancellationState, Int32 queryId)
   at System.Linq.Parallel.PartitionedStreamMerger`1.Receive[TKey](PartitionedStream`2 partitionedStream)
   at System.Linq.Parallel.ForAllOperator`1.WrapPartitionedStream[TKey](PartitionedStream`2 inputStream, IPartitionedStreamRecipient`1 recipient, Boolean preferStriping, QuerySettings settings)
   at System.Linq.Parallel.UnaryQueryOperator`2.UnaryQueryOperatorResults.ChildResultsRecipient.Receive[TKey](PartitionedStream`2 inputStream)
   at System.Linq.Parallel.ListQueryResults`1.GivePartitionedStream(IPartitionedStreamRecipient`1 recipient)
   at System.Linq.Parallel.UnaryQueryOperator`2.UnaryQueryOperatorResults.GivePartitionedStream(IPartitionedStreamRecipient`1 recipient)
   at System.Linq.Parallel.QueryOperator`1.GetOpenedEnumerator(Nullable`1 mergeOptions, Boolean suppressOrder, Boolean forEffect, QuerySettings querySettings)
   at System.Linq.Parallel.ForAllOperator`1.RunSynchronously()
   at System.Linq.ParallelEnumerable.ForAll[TSource](ParallelQuery`1 source, Action`1 action)
   at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.CompareRuns(CompareCommandOptions opts) in D:\a\1\s\Cli\AttackSurfaceAnalyzerClient.cs:line 846
   at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.RunExportCollectCommand(ExportCollectCommandOptions opts) in D:\a\1\s\Cli\AttackSurfaceAnalyzerClient.cs:line 464
   at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.<>c.<Main>b__9_2(ExportCollectCommandOptions opts) in D:\a\1\s\Cli\AttackSurfaceAnalyzerClient.cs:line 91
   at CommandLine.ParserResultExtensions.MapResult[T1,T2,T3,T4,T5,T6,T7,T8,TResult](ParserResult`1 result, Func`2 parsedFunc1, Func`2 parsedFunc2, Func`2 parsedFunc3, Func`2 parsedFunc4, Func`2 parsedFunc5, Func`2 parsedFunc6, Func`2 parsedFunc7, Func`2 parsedFunc8, Func`2 notParsedFunc)
   at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.Main(String[] args) in D:\a\1\s\Cli\AttackSurfaceAnalyzerClient.cs:line 73
 ---> (Inner Exception #1) System.Security.Cryptography.CryptographicException: Error occurred during a cryptographic operation.
   at Internal.Cryptography.HashProviderDispenser.EvpHashProvider.FinalizeHashAndReset(Span`1 destination)
   at Internal.Cryptography.HashProvider.FinalizeHashAndReset()
   at System.Security.Cryptography.HashAlgorithm.CaptureHashCodeAndReinitialize()
   at Microsoft.CST.AttackSurfaceAnalyzer.Utils.CryptoHelpers.CreateHash(String input) in D:\a\1\s\Lib\Utils\CryptoHelpers.cs:line 14
   at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.<>c__DisplayClass29_0.<CompareRuns>b__0(CompareResult res)
   at System.Linq.Parallel.ForAllOperator`1.ForAllEnumerator`1.MoveNext(TInput& currentElement, Int32& currentKey)
   at System.Linq.Parallel.ForAllSpoolingTask`2.SpoolingWork()
   at System.Linq.Parallel.SpoolingTaskBase.Work()
   at System.Linq.Parallel.QueryTask.BaseWork(Object unused)
   at System.Linq.Parallel.QueryTask.<>c.<.cctor>b__10_0(Object o)
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)<---

 ---> (Inner Exception #2) System.Security.Cryptography.CryptographicException: Error occurred during a cryptographic operation.
   at Internal.Cryptography.HashProviderDispenser.EvpHashProvider.FinalizeHashAndReset(Span`1 destination)
   at Internal.Cryptography.HashProvider.FinalizeHashAndReset()
   at System.Security.Cryptography.HashAlgorithm.CaptureHashCodeAndReinitialize()
   at Microsoft.CST.AttackSurfaceAnalyzer.Utils.CryptoHelpers.CreateHash(String input) in D:\a\1\s\Lib\Utils\CryptoHelpers.cs:line 14
   at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.<>c__DisplayClass29_0.<CompareRuns>b__0(CompareResult res)
   at System.Linq.Parallel.ForAllOperator`1.ForAllEnumerator`1.MoveNext(TInput& currentElement, Int32& currentKey)
   at System.Linq.Parallel.ForAllSpoolingTask`2.SpoolingWork()
   at System.Linq.Parallel.SpoolingTaskBase.Work()
   at System.Linq.Parallel.QueryTask.BaseWork(Object unused)
   at System.Linq.Parallel.QueryTask.<>c.<.cctor>b__10_0(Object o)
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)<---

 ---> (Inner Exception #3) System.Security.Cryptography.CryptographicException: Error occurred during a cryptographic operation.
   at Internal.Cryptography.HashProviderDispenser.EvpHashProvider.FinalizeHashAndReset(Span`1 destination)
   at Internal.Cryptography.HashProvider.FinalizeHashAndReset()
   at System.Security.Cryptography.HashAlgorithm.CaptureHashCodeAndReinitialize()
   at Microsoft.CST.AttackSurfaceAnalyzer.Utils.CryptoHelpers.CreateHash(String input) in D:\a\1\s\Lib\Utils\CryptoHelpers.cs:line 14
   at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.<>c__DisplayClass29_0.<CompareRuns>b__0(CompareResult res)
   at System.Linq.Parallel.ForAllOperator`1.ForAllEnumerator`1.MoveNext(TInput& currentElement, Int32& currentKey)
   at System.Linq.Parallel.ForAllSpoolingTask`2.SpoolingWork()
   at System.Linq.Parallel.SpoolingTaskBase.Work()
   at System.Linq.Parallel.QueryTask.BaseWork(Object unused)
   at System.Linq.Parallel.QueryTask.RunTaskSynchronously(Object o)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)<---

Aborted
user@user-VirtualBox:~$
```

System Configuration (please complete the following information): ASA was successfully updated to the beta version:

```
dotnet tool update -g --version 2.3.146-beta Microsoft.CST.AttackSurfaceAnalyzer.CLI
```

Ubuntu 20.04:

```
user@user-VirtualBox:~$ uname -a
Linux user-VirtualBox 5.4.0-73-generic #82~18.04.1-Ubuntu SMP Fri Apr 16 15:10:02 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
```

masty1982 commented 3 years ago

Tested with the 2.3.260-beta version and we noticed the following:

  1. With the command "export-collect", CryptographicExceptions occur but the json.txt file is produced.
  2. With the command "export-collect --savetodatabase", CryptographicExceptions occur but also an AggregateException/NullReferenceException occurs and an "Aborted" message comes in; see the output below.

So we are not able to view results in the asa gui without the database.


```
...
[11:12:26 WRN] Cryptographic Exception: Failed to get hash of string. System.Security.Cryptography.CryptographicException: Error occurred during a cryptographic operation.
   at Internal.Cryptography.HashProviderDispenser.EvpHashProvider.FinalizeHashAndReset(Span`1 destination)
   at Internal.Cryptography.HashProvider.FinalizeHashAndReset()
   at System.Security.Cryptography.HashAlgorithm.CaptureHashCodeAndReinitialize()
   at Microsoft.CST.AttackSurfaceAnalyzer.Utils.CryptoHelpers.CreateHash(String input) in D:\a\1\s\Lib\Utils\CryptoHelpers.cs:line 25
Unhandled exception. System.AggregateException: One or more errors occurred. (Object reference not set to an instance of an object.)
 ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.<>c__DisplayClass29_0.<CompareRuns>b__0(CompareResult res)
   at System.Linq.Parallel.ForAllOperator`1.ForAllEnumerator`1.MoveNext(TInput& currentElement, Int32& currentKey)
   at System.Linq.Parallel.ForAllSpoolingTask`2.SpoolingWork()
   at System.Linq.Parallel.SpoolingTaskBase.Work()
   at System.Linq.Parallel.QueryTask.BaseWork(Object unused)
   at System.Linq.Parallel.QueryTask.<>c.<.cctor>b__10_0(Object o)
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
   --- End of inner exception stack trace ---
   at System.Linq.Parallel.QueryTaskGroupState.QueryEnd(Boolean userInitiatedDispose)
   at System.Linq.Parallel.SpoolingTask.SpoolForAll[TInputOutput,TIgnoreKey](QueryTaskGroupState groupState, PartitionedStream`2 partitions, TaskScheduler taskScheduler)
   at System.Linq.Parallel.DefaultMergeHelper`2.System.Linq.Parallel.IMergeHelper.Execute()
   at System.Linq.Parallel.MergeExecutor`1.Execute()
   at System.Linq.Parallel.MergeExecutor`1.Execute[TKey](PartitionedStream`2 partitions, Boolean ignoreOutput, ParallelMergeOptions options, TaskScheduler taskScheduler, Boolean isOrdered, CancellationState cancellationState, Int32 queryId)
   at System.Linq.Parallel.PartitionedStreamMerger`1.Receive[TKey](PartitionedStream`2 partitionedStream)
   at System.Linq.Parallel.ForAllOperator`1.WrapPartitionedStream[TKey](PartitionedStream`2 inputStream, IPartitionedStreamRecipient`1 recipient, Boolean preferStriping, QuerySettings settings)
   at System.Linq.Parallel.UnaryQueryOperator`2.UnaryQueryOperatorResults.ChildResultsRecipient.Receive[TKey](PartitionedStream`2 inputStream)
   at System.Linq.Parallel.ListQueryResults`1.GivePartitionedStream(IPartitionedStreamRecipient`1 recipient)
   at System.Linq.Parallel.UnaryQueryOperator`2.UnaryQueryOperatorResults.GivePartitionedStream(IPartitionedStreamRecipient`1 recipient)
   at System.Linq.Parallel.QueryOperator`1.GetOpenedEnumerator(Nullable`1 mergeOptions, Boolean suppressOrder, Boolean forEffect, QuerySettings querySettings)
   at System.Linq.Parallel.ForAllOperator`1.RunSynchronously()
   at System.Linq.ParallelEnumerable.ForAll[TSource](ParallelQuery`1 source, Action`1 action)
   at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.CompareRuns(CompareCommandOptions opts) in D:\a\1\s\Cli\AttackSurfaceAnalyzerClient.cs:line 886
   at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.RunExportCollectCommand(ExportCollectCommandOptions opts) in D:\a\1\s\Cli\AttackSurfaceAnalyzerClient.cs:line 483
   at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.<>c.<Main>b__9_2(ExportCollectCommandOptions opts) in D:\a\1\s\Cli\AttackSurfaceAnalyzerClient.cs:line 91
   at CommandLine.ParserResultExtensions.MapResult[T1,T2,T3,T4,T5,T6,T7,T8,TResult](ParserResult`1 result, Func`2 parsedFunc1, Func`2 parsedFunc2, Func`2 parsedFunc3, Func`2 parsedFunc4, Func`2 parsedFunc5, Func`2 parsedFunc6, Func`2 parsedFunc7, Func`2 parsedFunc8, Func`2 notParsedFunc)
   at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.Main(String[] args) in D:\a\1\s\Cli\AttackSurfaceAnalyzerClient.cs:line 73
Aborted
user@user-VirtualBox:~$
```

gfs commented 3 years ago

Thanks for the report. I was unable to reproduce this on windows and hoped the previous fix would resolve it.

I will try to resolve this on Linux today or tomorrow.


gfs commented 3 years ago

I cannot reproduce this on Windows Subsystem for Linux using Ubuntu.

gfs commented 3 years ago

Cannot reproduce this on a fresh VM of Ubuntu 20.04 either with the direct download from GitHub or the published .NET tool.

The exception is being thrown from a standard crypto library generating a hash, so this does not appear to be an issue in the ASA code.
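A small stand-alone probe, added here as an illustration and not code from the ASA project or from either participant in this thread, that tests the runtime's SHA-512 provider (on Linux this is the OpenSSL-backed EvpHashProvider named in the stack trace) independently of ASA: first against a published test vector, then over a constructed rule-file-sized JSON string hashed many times from a thread pool, which is the shape of the failing PLINQ ForAll in the trace. The hashing shape (SHA-512 over UTF-8 bytes, base64 output, matching the 64-byte base64 ContentHash values in json.txt) is an assumption about what a CreateHash-style helper does, not ASA's actual code; the payload is sample data, not the real embedded rule file.

```csharp
// Added diagnostic probe (not ASA code). Needs only the .NET BCL; run with `dotnet run`.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

static class Sha512Probe
{
    // FIPS 180-4 known-answer value: SHA-512("abc").
    const string AbcVector =
        "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a" +
        "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f";

    // Assumed shape of a CreateHash-style helper: SHA-512 over UTF-8 bytes, base64 out.
    static string HashBase64(string input)
    {
        using var sha = SHA512.Create();
        return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(input)));
    }

    static string HashHex(string input)
    {
        using var sha = SHA512.Create();
        return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(input)))
                           .Replace("-", "").ToLowerInvariant();
    }

    static int Main()
    {
        // 1. Correctness: a wrong digest here means the provider itself is broken.
        if (HashHex("abc") != AbcVector)
        {
            Console.Error.WriteLine("SHA-512 provider returned a wrong digest for \"abc\"");
            return 1;
        }

        // 2. Constructed JSON-like payload, roughly the size of a large rule file.
        var sb = new StringBuilder("{\"Source\":\"Embedded Rules\",\"Rules\":[");
        for (int i = 0; i < 2000; i++)
            sb.Append("{\"Name\":\"rule-").Append(i).Append("\",\"Severity\":4,\"Tags\":[]},");
        sb.Append("]}");
        string payload = sb.ToString();

        // 3. Hash it ~1800 times from many threads, mirroring the ForAll in the trace;
        //    count CryptographicExceptions instead of letting one abort the process.
        int failures = 0, successes = 0;
        Parallel.For(0, 1800, _ =>
        {
            try
            {
                HashBase64(payload);
                Interlocked.Increment(ref successes);
            }
            catch (CryptographicException ex)
            {
                Interlocked.Increment(ref failures);
                Console.Error.WriteLine(ex.Message);
            }
        });

        Console.WriteLine(
            $"payload bytes: {Encoding.UTF8.GetByteCount(payload)}, ok: {successes}, failed: {failures}");
        return failures == 0 ? 0 : 2;
    }
}
```

If the known-answer check fails or any of the parallel calls throws, the fault lies in that runtime/OpenSSL combination and the output is worth attaching to the report together with `dotnet --info` and `openssl version`; if it passes cleanly, the failure is specific to what ASA hands its hash helper on that machine.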

masty1982 commented 3 years ago

Seems odd... I tested with yesterday's v2.3.262-beta version and the same problem exists. No problems with the v2.2.78 version when I downgraded the system to that. I checked asa.log.txt after running export-collect with the v2.3.262-beta version. A 153MB file was generated and it contained about 20k lines. It looks like the CreateHash function gets the json as input several times (quick calculation: 20000/11 = about 1800 times). Is that on purpose? Each time a CryptographicException is thrown. Below are the first 12 lines of the 20k lines of asa.log.txt.

I located places where CreateHash is called: https://github.com/microsoft/AttackSurfaceAnalyzer/search?q=createhash

The CryptographicExceptions in asa.log.txt are coming from Lib/Objects/RuleFile.cs, line 80, which calls CreateHash(string). However, Lib/Collectors/FileSystemUtils.cs, line 108, does not produce a CryptographicException, and in json.txt (I used the parameters -a -h in the scan) I can see that content was hashed successfully. So from that we can see that the SHA512 function works correctly, but not with the json file content.

According to this there should not be any problems with hash functions: https://docs.microsoft.com/en-us/dotnet/standard/security/cross-platform-cryptography

The article mentions Managed classes such as this. I do not see a SHA512Managed class in ASA, but it probably does not change the end result.

Hope you can get some ideas from this comment and data.


File content hash in the json.txt file:

```json
{ "Analysis": "DEBUG", "Base": { "ContentHash": "GkdLftyyxa8Aaj/xggn2/Uy9Ejf/k/hdSZQd0Rp+HM2FtYQE7r97vRY5Rbo2ppcceAg4fcucS/nyoXN8TOgtDQ==", "Created": "2021-08-02T20:17:36.6238747Z", "FileType": "RegularFile", "Group": "postgres", "Identity": "/dev/shm/PostgreSQL.1919132657", "IsDirectory": false, "LastModified": "2021-08-02T20:17:36.6238747Z", "Owner": "postgres", "Path": "/dev/shm/PostgreSQL.1919132657", "Permissions": { "User": "Write,Read" }, "SetGid": false, "SetUid": false, "Size": 16192, "ResultType": "FILE" }, "BaseRunId": "p262f", "ChangeType": "DELETED", "CompareRunId": "p262g", "Identity": "/dev/shm/PostgreSQL.1919132657", "ResultType": "FILE" },
{ "Analysis": "DEBUG", "Base": { "ContentHash": "tBxPcYs3oKHznO/sPbS6Zfm6W4nYmhlDR/SHmwHDzNiXec2vgcuj0J8fDfrempXUK6VH1JjfgZii7GViWPQ7VA==", "Created": "2021-08-03T07:11:18.4174285Z", "FileType": "RegularFile", "Group": "root", "Identity": "/run/systemd/journal/streams/8:1725237", "IsDirectory": false, "LastModified": "2021-08-03T07:11:18.4174285Z", "Owner": "root", "Path": "/run/systemd/journal/streams/8:1725237", "Permissions": { "User": "Write,Read" }, "SetGid": false, "SetUid": false, "Size": 191, "ResultType": "FILE" }, "BaseRunId": "p262f", "ChangeType": "DELETED", "CompareRunId": "p262g", "Identity": "/run/systemd/journal/streams/8:1725237", "ResultType": "FILE" },
```


asa.log.txt after running export-collect with 2.3.262-beta:

```
2021-08-03 09:24:41.055 +03:00 [INF] Provided null run Ids using latest two runs.
2021-08-03 09:24:41.062 +03:00 [INF] Comparing b262e vs p262e.
2021-08-03 09:25:22.747 +03:00 [INF] Completed Comparing in 00h:00m:41s:573ms.
2021-08-03 09:25:22.914 +03:00 [WRN] Cryptographic Exception: Failed to get hash of '{"Source":"Embedded Rules","Rules":[{"ChangeTypes":[1,2,3],"Flag":4,"Platforms":[1,2,0],"ResultType":2,"Clauses":[{"Data":["1024"],"DictData":[],"Field":"port","Label":null,"Operation":4,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when privileged ports are opened.","Expression":null,"Name":"Privileged ports","Target":"OpenPortObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":4,"Platforms":[1,2,0],"ResultType":6,"Clauses":[{"Data":[],"DictData":[],"Field":"Privileged","Label":null,"Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when privileged users are modified.","Expression":null,"Name":"Privileged users","Target":"UserAccountObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":4,"Platforms":[1,2,0],"ResultType":6,"Clauses":[{"Data":[],"DictData":[],"Field":"Hidden","Label":null,"Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when hidden user accounts are modified.","Expression":null,"Name":"Hidden users","Target":"UserAccountObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,3],"Flag":4,"Platforms":[1,2,0],"ResultType":1,"Clauses":[{"Data":[],"DictData":[],"Field":"IsExecutable","Label":"is_exe","Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":[],"DictData":[],"Field":"SignatureStatus.IsAuthenticodeValid","Label":"valid_windows_signature","Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":[],"DictData":[],"Field":"MacSignatureStatus","Label":"null_mac_signature","Operation":11,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when unsigned/incorrectly signed binaries are added.","Expression":"is_exe AND NOT valid_windows_signature AND null_mac_signature","Name":"Unsigned binaries","Target":"FileSystemObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,3],"Flag":4,"Platforms":[1,2,0],"ResultType":11,"Clauses":[{"Data":[],"DictData":[],"Field":"FileSystemObject.IsExecutable","Label":"is_exe","Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":[],"DictData":[],"Field":"FileSystemObject.SignatureStatus.IsAuthenticodeValid","Label":"valid_windows_signature","Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":[],"DictData":[],"Field":"FileSystemObject.MacSignatureStatus","Label":"null_mac_signature","Operation":11,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when unsigned/incorrectly signed binaries are added.","Expression":"is_exe AND NOT valid_windows_signature AND null_mac_signature","Name":"Unsigned binaries","Target":"FileMonitorObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,3],"Flag":4,"Platforms":[1,2],"ResultType":1,"Clauses":[{"Data":[],"DictData":[],"Field":"SetUid","Label":null,"Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag UID is set on a file.","Expression":null,"Name":"SetUid","Target":"FileSystemObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,3],"Flag":4,"Platforms":[1,2],"ResultType":1,"Clauses":[{"Data":[],"DictData":[],"Field":"SetGid","Label":null,"Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag GID is set on a file.","Expression":null,"Name":"SetGid","Target":"FileSystemObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,3],"Flag":4,"Platforms":[1,2],"ResultType":11,"Clauses":[{"Data":[],"DictData":[],"Field":"FileSystemObject.SetGid","Label":null,"Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag GID is set on a file.","Expression":null,"Name":"SetGid","Target":"FileMonitorObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,3],"Flag":4,"Platforms":[1,2],"ResultType":11,"Clauses":[{"Data":[],"DictData":[],"Field":"FileSystemObject.SetUid","Label":null,"Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag UID is set on a file.","Expression":null,"Name":"SetUid","Target":"FileMonitorObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,3],"Flag":4,"Platforms":[1,2],"ResultType":1,"Clauses":[{"Data":[],"DictData":[],"Field":"SetGid","Label":null,"Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag GID is set on a file.","Expression":null,"Name":"SetGid","Target":"FileSystemObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,3],"Flag":4,"Platforms":[0],"ResultType":1,"Clauses":[{"Data":[],"DictData":[],"Field":"IsExecutable","Label":"EXE","Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":["IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE","IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA"],"DictData":[],"Field":"Characteristics","Label":"ASLR","Operation":6,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when executables are created without ASLR.","Expression":"EXE AND NOT ASLR","Name":"Missing ASLR","Target":"FileSystemObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,3],"Flag":4,"Platforms":[0],"ResultType":11,"Clauses":[{"Data":[],"DictData":[],"Field":"FileSystemObject.IsExecutable","Label":"EXE","Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":["IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE","IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA"],"DictData":[],"Field":"FileSystemObject.Characteristics","Label":"ASLR","Operation":6,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when executables are created without ASLR.","Expression":"EXE AND NOT ASLR","Name":"Missing ASLR","Target":"FileMonitorObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,3],"Flag":4,"Platforms":[0],"ResultType":1,"Clauses":[{"Data":[],"DictData":[],"Field":"IsExecutable","Label":"EXE","Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":["IMAGE_DLLCHARACTERISTICS_NX_COMPAT"],"DictData":[],"Field":"Characteristics","Label":"DEP","Operation":6,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when executables are created without DEP.","Expression":"EXE AND NOT DEP","Name":"Missing DEP","Target":"FileSystemObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,3],"Flag":4,"Platforms":[0],"ResultType":11,"Clauses":[{"Data":[],"DictData":[],"Field":"FileSystemObject.IsExecutable","Label":"EXE","Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":["IMAGE_DLLCHARACTERISTICS_NX_COMPAT"],"DictData":[],"Field":"FileSystemObject.Characteristics","Label":"DEP","Operation":6,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when executables are created without DEP.","Expression":"EXE AND NOT DEP","Name":"Missing DEP","Target":"FileMonitorObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,3],"Flag":3,"Platforms":[0],"ResultType":1,"Clauses":[{"Data":[],"DictData":[],"Field":"IsExecutable","Label":"EXE","Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":[],"DictData":[],"Field":"SignatureStatus","Label":"SIGNED","Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":["IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY"],"DictData":[],"Field":"Characteristics","Label":"INTEGRITYFLAG","Operation":6,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when executables are signed binaries are created without Force Integrity Flag.","Expression":"EXE AND SIGNED AND NOT INTEGRITYFLAG","Name":"Missing Signed Enforcement","Target":"FileSystemObject","Severity":3,"Tags":[]},{"ChangeTypes":[1,3],"Flag":3,"Platforms":[0],"ResultType":11,"Clauses":[{"Data":[],"DictData":[],"Field":"FileSystemObject.IsExecutable","Label":"EXE","Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":[],"DictData":[],"Field":"FileSystemObject.SignatureStatus","Label":"SIGNED","Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":["IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY"],"DictData":[],"Field":"FileSystemObject.Characteristics","Label":"INTEGRITYFLAG","Operation":6,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when executables are signed binaries are created without Force Integrity Flag.","Expression":"EXE AND SIGNED AND NOT INTEGRITYFLAG","Name":"Missing Signed Enforcement","Target":"FileMonitorObject","Severity":3,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":3,"Platforms":[1,2,0],"ResultType":1,"Clauses":[{"Data":[".cer",".der",".crt"],"DictData":[],"Field":"Path","Label":null,"Operation":8,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when certificates are placed on disk.","Expression":null,"Name":"Certificates","Target":"FileSystemObject","Severity":3,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":3,"Platforms":[1,2,0],"ResultType":11,"Clauses":[{"Data":[".cer",".der",".crt"],"DictData":[],"Field":"Path","Label":null,"Operation":8,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when certificates are placed on
```
disk.","Expression":null,"Name":"Certificates","Target":"FileMonitorObject","Severity":3,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":3,"Platforms":[1,2,0],"ResultType":2,"Clauses":[{"Data":["1900"],"DictData":[],"Field":"port","Label":null,"Operation":3,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Universal Plug n' Play.","Expression":null,"Name":"UPNP Ports","Target":"OpenPortObject","Severity":3,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":3,"Platforms":[1,2,0],"ResultType":1,"Clauses":[{"Data":[".keystore"],"DictData":[],"Field":"Path","Label":null,"Operation":8,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Java keystore files contain encryption keys and certificates.","Expression":null,"Name":"Keystore Files","Target":"FileSystemObject","Severity":3,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":3,"Platforms":[1,2,0],"ResultType":11,"Clauses":[{"Data":[".keystore"],"DictData":[],"Field":"Path","Label":null,"Operation":8,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Java keystore files contain encryption keys and certificates.","Expression":null,"Name":"Keystore Files","Target":"FileMonitorObject","Severity":3,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":3,"Platforms":[2],"ResultType":1,"Clauses":[{"Data":["/Library/Preferences/com.apple.alf.plist"],"DictData":[],"Field":"Path","Label":null,"Operation":3,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when OS X firewall settings are modified.","Expression":null,"Name":"Firewall Settings 
Modified","Target":"FileSystemObject","Severity":3,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":3,"Platforms":[2],"ResultType":11,"Clauses":[{"Data":["/Library/Preferences/com.apple.alf.plist"],"DictData":[],"Field":"Path","Label":null,"Operation":3,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when OS X firewall settings are modified.","Expression":null,"Name":"Firewall Settings Modified","Target":"FileMonitorObject","Severity":3,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":3,"Platforms":[0],"ResultType":3,"Clauses":[{"Data":["HKEY_LOCAL_MACHINE\\SOFTWARE\Classes\CLSID"],"DictData":[],"Field":"KEY","Label":null,"Operation":6,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flags when a COM Object has been Added, Removed or Modified.","Expression":null,"Name":"COM Objects Modified","Target":"RegistryObject","Severity":3,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":4,"Platforms":[1,2],"ResultType":1,"Clauses":[{"Data":[],"DictData":[],"Field":"IsExecutable","Label":null,"Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":[],"DictData":[],"Field":"SetUid","Label":null,"Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":[],"DictData":[{"Key":"Other","Value":"Execute"}],"Field":"Permissions","Label":null,"Operation":6,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flags if a binary is Executable by everyone but has SETUID.","Expression":null,"Name":"Weak Permissions on UID 
Binaries","Target":"FileSystemObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":4,"Platforms":[1,2],"ResultType":11,"Clauses":[{"Data":[],"DictData":[],"Field":"FileSystemObject.IsExecutable","Label":null,"Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":[],"DictData":[],"Field":"FileSystemObject.SetUid","Label":null,"Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":[],"DictData":[{"Key":"Other","Value":"Execute"}],"Field":"FileSystemObject.Permissions","Label":null,"Operation":6,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flags if a binary is Executable by everyone but has SETUID.","Expression":null,"Name":"Weak Permissions on UID Binaries","Target":"FileMonitorObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":4,"Platforms":[1,2],"ResultType":1,"Clauses":[{"Data":[],"DictData":[],"Field":"IsExecutable","Label":null,"Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":[],"DictData":[],"Field":"SetGid","Label":null,"Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":[],"DictData":[{"Key":"Other","Value":"Execute"}],"Field":"Permissions","Label":null,"Operation":6,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flags if a binary is Executable by everyone but has SETGID.","Expression":null,"Name":"Weak Permissions on GID 
Binaries","Target":"FileSystemObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":4,"Platforms":[1,2],"ResultType":11,"Clauses":[{"Data":[],"DictData":[],"Field":"FileSystemObject.IsExecutable","Label":null,"Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":[],"DictData":[],"Field":"FileSystemObject.SetGid","Label":null,"Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":[],"DictData":[{"Key":"Other","Value":"Execute"}],"Field":"FileSystemObject.Permissions","Label":null,"Operation":6,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flags if a binary is Executable by everyone but has SETGID.","Expression":null,"Name":"Weak Permissions on GID Binaries","Target":"FileMonitorObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":4,"Platforms":[2],"ResultType":10,"Clauses":[{"Data":["sandbox"],"DictData":[],"Field":"Summary","Label":null,"Operation":6,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flags if System Integrity Protection prevented an action.","Expression":null,"Name":"SIP Violation","Target":"EventLogObject","Severity":4,"Tags":[]},{"ChangeTypes":[3],"Flag":4,"Platforms":[0],"ResultType":1,"Clauses":[{"Data":[],"DictData":[],"Field":"SignatureStatus.SigningCertificate.Issuer","Label":null,"Operation":7,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when the signatory of an executable changes.","Expression":null,"Name":"Signatory 
Change","Target":"FileSystemObject","Severity":4,"Tags":[]},{"ChangeTypes":[3],"Flag":4,"Platforms":[0],"ResultType":11,"Clauses":[{"Data":[],"DictData":[],"Field":"FileSystemObject.SignatureStatus.SigningCertificate.Issuer","Label":null,"Operation":7,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when the signatory of an executable changes.","Expression":null,"Name":"Signatory Change","Target":"FileMonitorObject","Severity":4,"Tags":[]},{"ChangeTypes":[3],"Flag":3,"Platforms":[0],"ResultType":1,"Clauses":[{"Data":["[A-Z]:\\Program Files\\","[A-Z]:\\Program Files \(x86\)\\"],"DictData":[],"Field":"Path","Label":null,"Operation":2,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when the a file is modified in Program files.","Expression":null,"Name":"Modified Items in Program Files","Target":"FileSystemObject","Severity":3,"Tags":[]},{"ChangeTypes":[3],"Flag":3,"Platforms":[0],"ResultType":11,"Clauses":[{"Data":["[A-Z]:\\Program Files\\","[A-Z]:\\Program Files \(x86\)\\"],"DictData":[],"Field":"Path","Label":null,"Operation":2,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when the a file is modified in Program files.","Expression":null,"Name":"Modified Items in Program 
Files","Target":"FileMonitorObject","Severity":3,"Tags":[]},{"ChangeTypes":[3],"Flag":4,"Platforms":[0],"ResultType":1,"Clauses":[{"Data":["[A-Z]:\\Windows\\"],"DictData":[],"Field":"Path","Label":"0","Operation":2,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":["[A-Z]:\+Windows\+appcompat\+Programs\+.","[A-Z]:\+Windows\+AppReadiness\+.","[A-Z]:\+Windows\+Logs\+waasmedia\+.","[A-Z]:\+Windows\+ServiceProfiles\+LocalService\+.","[A-Z]:\+Windows\+ServiceProfiles\+NetworkService\+.","[A-Z]:\+Windows\+System32\+catroot2\+.","[A-Z]:\+Windows\+System32\+config\+.","[A-Z]:\+Windows\+System32\+LogFiles\+.","[A-Z]:\+Windows\+System32\+SleepStudy\+.","[A-Z]:\+Windows\+System32\+sru\+.","[A-Z]:\+Windows\+System32\+winevt\+.","[A-Z]:\+Windows\+(SysWOW64|System32)\+Windows\.Security\.Authentication\.Identity\.Provider\.dll"],"DictData":[],"Field":"PATH","Label":"1","Operation":2,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when the a file is modified in System files.","Expression":"0 AND NOT 1","Name":"Modified Items in System 
Files","Target":"FileSystemObject","Severity":4,"Tags":[]},{"ChangeTypes":[3],"Flag":4,"Platforms":[0],"ResultType":11,"Clauses":[{"Data":["[A-Z]:\\Windows\\"],"DictData":[],"Field":"Path","Label":"0","Operation":2,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":["[A-Z]:\+Windows\+appcompat\+Programs\+.","[A-Z]:\+Windows\+AppReadiness\+.","[A-Z]:\+Windows\+Logs\+waasmedia\+.","[A-Z]:\+Windows\+ServiceProfiles\+LocalService\+.","[A-Z]:\+Windows\+ServiceProfiles\+NetworkService\+.","[A-Z]:\+Windows\+System32\+catroot2\+.","[A-Z]:\+Windows\+System32\+config\+.","[A-Z]:\+Windows\+System32\+LogFiles\+.","[A-Z]:\+Windows\+System32\+SleepStudy\+.","[A-Z]:\+Windows\+System32\+sru\+.","[A-Z]:\+Windows\+System32\+winevt\+.","[A-Z]:\+Windows\+(SysWOW64|System32)\+Windows\.Security\.Authentication\.Identity\.Provider\.dll"],"DictData":[],"Field":"PATH","Label":"1","Operation":2,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when the a file is modified in System files.","Expression":"0 AND NOT 1","Name":"Modified Items in System 
Files","Target":"FileMonitorObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":4,"Platforms":[1,2],"ResultType":1,"Clauses":[{"Data":["/apt-get^","/apt^","/aria2c^","/arp^","/ash^","/awk^","/base32^","/base64^","/bash^","/bpftrace^","/bundler^","/busctl^","/busybox^","/byebug^","/cancel^","/cat^","/chmod^","/chown^","/chroot^","/cobc^","/cp^","/cpan^","/cpulimit^","/crash^","/crontab^","/crash^","/curl^","/cut^","/dash^","/date^","/dd^","/dialog^","/diff^","/dmesg^","/dmsetup^","/dnf^","/docker^","/dpkg^","/easy_install^","/eb^","/ed^","/emacs^","/env^","/Equalsn^","/expand^","/expect^","/facter^","/file^","/find^","/finger^","/flock^","/fmt^","/fold^","/ftp^","/gawk^","/gcc^","/gdb^","/gem^","/genisoimage^","/gimp^","/git^","/grep^","/gtester^","/hd^","/head^","/hexdump^","/gighlight^","/iconv^","/iftop^","/ionice^","/iftopirb^","/jjs^","/journalctl^","/jq^","/jrunscript^","/ksh^","/ksshell^","/ld.so^","/ldconfig^","/less^","/logsave^","/look^","/LessThanrace^","/lua^","/lwp-download^","/lwp-rEqualsuest^","/mail^","/make^","/man^","/mawk^","/more^","/mount^","/mtr^","/mv^","/mysql^","/nano^","/nawk^","/nc^","/nice^","/nl^","/nmap^","/node^","/nohup^","/nroff^","/nsenter^","/od^","/openssl^","/pdb^","/perl^","/pg^","/php^","/pic^","/pico^","/pip^","/pry^","/puppet^","/python^","/rake^","/readelf^","/red^","/redcarpet^","/rlogin^","/rlwrap^","/rpm^","/rpmquery^","/rsync^","/ruby^","/run-mailcap^","/run-parts^","/rvim^","/scp^","/screen^","/script^","/sed^","/service^","/setarch^","/sftp^","/shuf^","/smbclient^","/socat^","/soelim^","/sort^","/sqlite3^","/ssh^","/start-stop-daemon^","/stdbuf^","/strace^","/strings^","/systemctl^","/tac^","/tail^","/tar^","/taskset^","/tclsh^","/tcpdump^","/tee^","/telnet^","/tftp^","/time^","/timeout^","/tmux^","/top^","/ul^","/unexpand^","/uniq^","/unshare^","/uudecode^","/uuencode^","/valgrind^","/vi^","/vim^","/watch^","/wget^","/whois^","/wish^","/xargs^","/xxd^","/yelp^","/yum^","/zip^","/zsh^","/zsoelim^","/zypper^"],
"DictData":[],"Field":"Path","Label":"0","Operation":2,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":[],"DictData":[],"Field":"IsExecutable","Label":"1","Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"List from GTFOBINS.","Expression":"0 AND 1","Name":"Frequently attacked binaries","Target":"FileSystemObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":4,"Platforms":[1,2],"ResultType":11,"Clauses":[{"Data":["/apt-get^","/apt^","/aria2c^","/arp^","/ash^","/awk^","/base32^","/base64^","/bash^","/bpftrace^","/bundler^","/busctl^","/busybox^","/byebug^","/cancel^","/cat^","/chmod^","/chown^","/chroot^","/cobc^","/cp^","/cpan^","/cpulimit^","/crash^","/crontab^","/crash^","/curl^","/cut^","/dash^","/date^","/dd^","/dialog^","/diff^","/dmesg^","/dmsetup^","/dnf^","/docker^","/dpkg^","/easy_install^","/eb^","/ed^","/emacs^","/env^","/Equalsn^","/expand^","/expect^","/facter^","/file^","/find^","/finger^","/flock^","/fmt^","/fold^","/ftp^","/gawk^","/gcc^","/gdb^","/gem^","/genisoimage^","/gimp^","/git^","/grep^","/gtester^","/hd^","/head^","/hexdump^","/gighlight^","/iconv^","/iftop^","/ionice^","/iftopirb^","/jjs^","/journalctl^","/jq^","/jrunscript^","/ksh^","/ksshell^","/ld.so^","/ldconfig^","/less^","/logsave^","/look^","/LessThanrace^","/lua^","/lwp-download^","/lwp-rEqualsuest^","/mail^","/make^","/man^","/mawk^","/more^","/mount^","/mtr^","/mv^","/mysql^","/nano^","/nawk^","/nc^","/nice^","/nl^","/nmap^","/node^","/nohup^","/nroff^","/nsenter^","/od^","/openssl^","/pdb^","/perl^","/pg^","/php^","/pic^","/pico^","/pip^","/pry^","/puppet^","/python^","/rake^","/readelf^","/red^","/redcarpet^","/rlogin^","/rlwrap^","/rpm^","/rpmquery^","/rsync^","/ruby^","/run-mailcap^","/run-parts^","/rvim^","/scp^","/screen^","/script^","/sed^","/service^","/setarch^","/sftp^","/shuf^","/smbclient^","/socat^","/soelim^","/sort^","/sqlite3^","/ssh^","/start-stop-d
aemon^","/stdbuf^","/strace^","/strings^","/systemctl^","/tac^","/tail^","/tar^","/taskset^","/tclsh^","/tcpdump^","/tee^","/telnet^","/tftp^","/time^","/timeout^","/tmux^","/top^","/ul^","/unexpand^","/uniq^","/unshare^","/uudecode^","/uuencode^","/valgrind^","/vi^","/vim^","/watch^","/wget^","/whois^","/wish^","/xargs^","/xxd^","/yelp^","/yum^","/zip^","/zsh^","/zsoelim^","/zypper^"],"DictData":[],"Field":"Path","Label":"0","Operation":2,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":[],"DictData":[],"Field":"FileSystemObject.IsExecutable","Label":"1","Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"List from GTFOBINS.","Expression":"0 AND 1","Name":"Frequently attacked binaries","Target":"FileMonitorObject","Severity":4,"Tags":[]},{"ChangeTypes":[3],"Flag":4,"Platforms":[1,2,0],"ResultType":5,"Clauses":[],"Description":"Flag when a startup item is modified.","Expression":null,"Name":"Modified Services","Target":"ServiceObject","Severity":4,"Tags":[]},{"ChangeTypes":[3],"Flag":4,"Platforms":[1,2,0],"ResultType":1,"Clauses":[{"Data":["[A-Z]:\\Windows\\System32\\drivers\\etc\\hosts"],"DictData":[],"Field":"Path","Label":"WINDOWS","Operation":2,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":["/etc/hosts"],"DictData":[],"Field":"Path","Label":"NIX","Operation":3,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when the hosts file is modified.","Expression":"WINDOWS OR NIX","Name":"Modified Hosts 
File","Target":"FileSystemObject","Severity":4,"Tags":[]},{"ChangeTypes":[3],"Flag":4,"Platforms":[1,2,0],"ResultType":11,"Clauses":[{"Data":["[A-Z]:\\Windows\\System32\\drivers\\etc\\hosts"],"DictData":[],"Field":"Path","Label":"WINDOWS","Operation":2,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":["/etc/hosts"],"DictData":[],"Field":"Path","Label":"NIX","Operation":3,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"Flag when the hosts file is modified.","Expression":"WINDOWS OR NIX","Name":"Modified Hosts File","Target":"FileMonitorObject","Severity":4,"Tags":[]},{"ChangeTypes":[3],"Flag":4,"Platforms":[1,2,0],"ResultType":1,"Clauses":[{"Data":[],"DictData":[],"Field":"IsExecutable","Label":"is_exe","Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":["Valid"],"DictData":[],"Field":"SignatureStatus","Label":"windows","Operation":3,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":[],"DictData":[],"Field":"MacSignatureStatus","Label":"macos_null","Operation":11,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"A signed file was modified.","Expression":"is_exe AND (windows OR NOT macos_null)","Name":"Signed File was 
modified","Target":"FileSystemObject","Severity":4,"Tags":[]},{"ChangeTypes":[3],"Flag":4,"Platforms":[1,2,0],"ResultType":11,"Clauses":[{"Data":[],"DictData":[],"Field":"FileSystemObject.IsExecutable","Label":"is_exe","Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":["Valid"],"DictData":[],"Field":"FileSystemObject.SignatureStatus","Label":"windows","Operation":3,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":[],"DictData":[],"Field":"FileSystemObject.MacSignatureStatus","Label":"macos_null","Operation":11,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"A signed file was modified.","Expression":"is_exe AND (windows OR NOT macosnull)","Name":"Signed File was modified","Target":"FileMonitorObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":1,"Platforms":[0],"ResultType":1,"Clauses":[{"Data":["[A-Z]:\+ProgramData\+Microsoft\+DiagnosticLogCSP\+.","[A-Z]:\+ProgramData\+Microsoft\+SmsRouter\+MessageStore\+.","[A-Z]:\+ProgramData\+Microsoft\+Windows\+AppRepository\+.","[A-Z]:\+ProgramData\+USOShared\+Logs\+System\+.","[A-Z]:\+Windows\+appcompat\+Programs\+.","[A-Z]:\+Windows\+AppReadiness\+.","[A-Z]:\+Windows\+Logs\+waasmedia\+.","[A-Z]:\+Windows\+ServiceProfiles\+LocalService\+.","[A-Z]:\+Windows\+ServiceProfiles\+NetworkService\+.","[A-Z]:\+Windows\+System32\+catroot2\+.","[A-Z]:\+Windows\+System32\+config\+.","[A-Z]:\+Windows\+System32\+LogFiles\+.","[A-Z]:\+Windows\+System32\+SleepStudy\+.","[A-Z]:\+Windows\+System32\+sru\+.","[A-Z]:\+Windows\+System32\+winevt\+.","[A-Z]:\+Windows\+(SysWOW64|System32)\+Windows\.Security\.Authentication\.Identity\.Provider\.dll","[A-Z]:\+Users\+[^\[:;|=,+?<>\"\\]+\+AppData\+Local\+ConnectedDevicesPlatform\+.","[A-Z]:\+Users\+[^\[:;|=,+?<>\"\\]+\+AppData\+Local\+Packages\+Microsoft.Windows.Search.","[A-Z]:\+Users\+[^\[:;|=,+?<>\"\\]+\+AppData\+Local\+Temp\+StructuredQuery\.
log","[A-Z]:\+Users\+[^\[:;|=,+?<>\"\\]+\+AppData\+Roaming\+Microsoft\+Windows\+Recent\+.","[A-Z]:\+Users\+[^\[:;|=,+?<>\"\\]+\+ntuser\.dat\..","^[A-Z]:\\pagefile.sys$","^[A-Z]:\\hiberfil.sys$","^[A-Z]:\\swapfile.sys$"],"DictData":[],"Field":"Path","Label":null,"Operation":2,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"These files are frequently modified by the system itself.","Expression":null,"Name":"Files Frequently Modified by Windows","Target":"FileSystemObject","Severity":1,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":1,"Platforms":[0],"ResultType":11,"Clauses":[{"Data":["[A-Z]:\+ProgramData\+Microsoft\+DiagnosticLogCSP\+.","[A-Z]:\+ProgramData\+Microsoft\+SmsRouter\+MessageStore\+.","[A-Z]:\+ProgramData\+Microsoft\+Windows\+AppRepository\+.","[A-Z]:\+ProgramData\+USOShared\+Logs\+System\+.","[A-Z]:\+Windows\+appcompat\+Programs\+.","[A-Z]:\+Windows\+AppReadiness\+.","[A-Z]:\+Windows\+Logs\+waasmedia\+.","[A-Z]:\+Windows\+ServiceProfiles\+LocalService\+.","[A-Z]:\+Windows\+ServiceProfiles\+NetworkService\+.","[A-Z]:\+Windows\+System32\+catroot2\+.","[A-Z]:\+Windows\+System32\+config\+.","[A-Z]:\+Windows\+System32\+LogFiles\+.","[A-Z]:\+Windows\+System32\+SleepStudy\+.","[A-Z]:\+Windows\+System32\+sru\+.","[A-Z]:\+Windows\+System32\+winevt\+.","[A-Z]:\+Windows\+(SysWOW64|System32)\+Windows\.Security\.Authentication\.Identity\.Provider\.dll","[A-Z]:\+Users\+[^\[:;|=,+?<>\"\\]+\+AppData\+Local\+ConnectedDevicesPlatform\+.","[A-Z]:\+Users\+[^\[:;|=,+?<>\"\\]+\+AppData\+Local\+Packages\+Microsoft.Windows.Search_.","[A-Z]:\+Users\+[^\[:;|=,+?<>\"\\]+\+AppData\+Local\+Temp\+StructuredQuery\.log","[A-Z]:\+Users\+[^\[:;|=,+?<>\"\\]+\+AppData\+Roaming\+Microsoft\+Windows\+Recent\+.","[A-Z]:\+Users\+[^\[:;|=,+?<>\"\\]+\+ntuser\.dat\..","^[A-Z]:\\pagefile.sys$","^[A-Z]:\\hiberfil.sys$","^[A-Z]:\\swapfile.sys$"],"DictData":[],"Field":"Path","Label":null,"Operation":2,"CustomOperation":null,"Script":null,"Invert":false,"Cap
ture":false,"Arguments":[]}],"Description":"These files are frequently modified by the system itself.","Expression":null,"Name":"Files Frequently Modified by Windows","Target":"FileMonitorObject","Severity":1,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":1,"Platforms":[0],"ResultType":3,"Clauses":[{"Data":["MrtCache"],"DictData":[],"Field":"Key","Label":null,"Operation":2,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"These registry keys are Frequently modified by the system itself.","Expression":null,"Name":"Registry Keys Frequently Modified by Windows","Target":"RegistryObject","Severity":1,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":1,"Platforms":[2],"ResultType":1,"Clauses":[{"Data":["^/.Spotlight-V100"],"DictData":[],"Field":"Key","Label":null,"Operation":2,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"These files are Frequently modified by the system itself.","Expression":null,"Name":"Files Frequently Modified by Macos","Target":"FileSystemObject","Severity":1,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":1,"Platforms":[2],"ResultType":11,"Clauses":[{"Data":["^/.Spotlight-V100"],"DictData":[],"Field":"Key","Label":null,"Operation":2,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"These files are Frequently modified by the system itself.","Expression":null,"Name":"Files Frequently Modified by 
Macos","Target":"FileMonitorObject","Severity":1,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":4,"Platforms":[0],"ResultType":1,"Clauses":[{"Data":[],"DictData":[],"Field":"IsExecutable","Label":null,"Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":["\Bginfo.exe","\dnx.exe","\msxsl.exe","\rcsi.exe","\Microsoft\Teams\current\Squirrel.exe","\te.exe","\Tracker.exe","\Microsoft\Teams\update.exe"],"DictData":[],"Field":"Path","Label":null,"Operation":8,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"This is the LOLBAS items which are not included in the other system file rules.","Expression":null,"Name":"LOLBAS List","Target":"FileSystemObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":4,"Platforms":[0],"ResultType":11,"Clauses":[{"Data":[],"DictData":[],"Field":"FileSystemObject.IsExecutable","Label":null,"Operation":12,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]},{"Data":["\Bginfo.exe","\dnx.exe","\msxsl.exe","\rcsi.exe","\Microsoft\Teams\current\Squirrel.exe","\te.exe","\Tracker.exe","\Microsoft\Teams\update.exe"],"DictData":[],"Field":"Path","Label":null,"Operation":8,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"This is the LOLBAS items which are not included in the other system file rules.","Expression":null,"Name":"LOLBAS List","Target":"FileMonitorObject","Severity":4,"Tags":[]},{"ChangeTypes":[3,1],"Flag":4,"Platforms":[1,2,0],"ResultType":4,"Clauses":[{"Data":[],"DictData":[],"Field":"Certificate.NotAfter","Label":null,"Operation":15,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"These Certificates are expired.","Expression":null,"Name":"Expired 
Certificates","Target":"CertificateObject","Severity":4,"Tags":[]},{"ChangeTypes":[3,1],"Flag":4,"Platforms":[1,2,0],"ResultType":1,"Clauses":[{"Data":[],"DictData":[],"Field":"SignatureStatus.SigningCertificate.NotAfter","Label":null,"Operation":15,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"These binaries have expired signatures.","Expression":null,"Name":"Binaries with expired signatures","Target":"FileSystemObject","Severity":4,"Tags":[]},{"ChangeTypes":[3,1],"Flag":4,"Platforms":[1,2,0],"ResultType":11,"Clauses":[{"Data":[],"DictData":[],"Field":"FileSystemObject.SignatureStatus.SigningCertificate.NotAfter","Label":null,"Operation":15,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"These binaries have expired signatures.","Expression":null,"Name":"Binaries with expired signatures","Target":"FileMonitorObject","Severity":4,"Tags":[]},{"ChangeTypes":[1,2,3],"Flag":4,"Platforms":[0],"ResultType":1,"Clauses":[{"Data":[".PCPKEY"],"DictData":[],"Field":"Path","Label":null,"Operation":8,"CustomOperation":null,"Script":null,"Invert":false,"Capture":false,"Arguments":[]}],"Description":"These TPM Keys have been changed.","Expression":null,"Name":"TPM 
…"DefaultLevels":{"CERTIFICATE":3,"FILE":2,"PORT":3,"REGISTRY":2,"SERVICE":3,"USER":3,"UNKNOWN":3,"GROUP":3,"COM":3,"LOG":2,"KEY":3,"TPM":3,"PROCESS":3,"DRIVER":3,"FILEMONITOR":2,"FIREWALL":3,"WIFI":3}}'.

```
System.Security.Cryptography.CryptographicException: Error occurred during a cryptographic operation.
   at Internal.Cryptography.HashProviderDispenser.EvpHashProvider.FinalizeHashAndReset(Span`1 destination)
   at Internal.Cryptography.HashProvider.FinalizeHashAndReset()
   at System.Security.Cryptography.SHA512.Implementation.HashFinal()
   at System.Security.Cryptography.HashAlgorithm.CaptureHashCodeAndReinitialize()
   at System.Security.Cryptography.HashAlgorithm.ComputeHash(Byte[] buffer)
   at Microsoft.CST.AttackSurfaceAnalyzer.Utils.CryptoHelpers.CreateHash(String input) in D:\a\1\s\Lib\Utils\CryptoHelpers.cs:line 17
2021-08-03 09:25:27.933 +03:00 [WRN] Cryptographic Exception: Failed to get hash of '{"Source":"Embedded Rules","Rules":[{"ChangeTypes":[1,2,3],"Flag":4,"Platforms":[1 ....
```

gfs commented 3 years ago

> Seems odd... I tested with yesterday's v2.3.262-beta version and the same problem exists. No problems with the v2.2.78 version when I downgraded the system to that. I checked asa.log.txt after running export-collect with the v2.3.262-beta version. A 153MB file was generated and it contained about 20k lines. It looks like the CreateHash function gets the JSON as an input several times (quick calculation: 20000/11 = about 1800 times). Is that on purpose?

It is probably redundant to pass it so many times. #612 will fix that.

> I located the places where CreateHash is called: https://github.com/microsoft/AttackSurfaceAnalyzer/search?q=createhash

> The CryptographicExceptions in asa.log.txt are coming from Lib/Objects/RuleFile.cs, line 80, which is calling CreateHash(string). However, Lib/Collectors/FileSystemUtils.cs, line 108, does not produce a CryptographicException, and in json.txt (I used the parameters -a -h in the scan) I can see that the content was hashed successfully. So, from that we can see that the SHA512 function works correctly, but not with the JSON file content.

From the log it looks like the JSON is coming through fine as a string, so it's unclear to me why the hash function would fail. I'm going to remove the print of the whole rule file on each failure.

> According to this, there should not be any problems with hash functions: https://docs.microsoft.com/en-us/dotnet/standard/security/cross-platform-cryptography

> The article mentions Managed classes such as this. I do not see the SHA512Managed class in ASA, but it probably does not change the end result.

I tested and didn't find any significant performance difference between the regular and managed calls so I am pushing a change in #612 to see if that resolves the issue you're having.

gfs commented 3 years ago

Please try 2.3.263-beta-gf2a335c228 which switches to using SHA512Managed.

masty1982 commented 3 years ago

> Please try 2.3.263-beta-gf2a335c228 which switches to using SHA512Managed.

It seems to work now since there are no CryptographicExceptions at all. Unfortunately, we found another issue during the testing that is related to adding a user to a Linux group:

  1. After the initial scan, Docker was installed; see part of the installation commands below.
  2. Then the second scan was made. No problems here.
  3. The export-collect command was executed, but an exception was thrown: System.AggregateException: One or more errors occurred. (The given key 'GROUP' was not present in the dictionary.) See details below.

We have pinpointed the problem:

Exception

```
user@Xenial64:/tmp/ASA_linux_2.3.263-beta$ sudo ./Asa export-collect --shards 1 --firstrunid baseline --secondrunid secondrun --savetodatabase true
[08:47:34 INF] AttackSurfaceAnalyzer v.2.3.263-beta+f2a335c228
[08:47:35 INF] Comparing baseline vs secondrun.
[08:47:44 INF] Completed Comparing in 00h:00m:09s:266ms.
Unhandled exception. System.AggregateException: One or more errors occurred. (The given key 'GROUP' was not present in the dictionary.) (The given key 'GROUP' was not present in the dictionary.)
 ---> System.Collections.Generic.KeyNotFoundException: The given key 'GROUP' was not present in the dictionary.
   at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
   at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.<>c__DisplayClass30_0.b__0(CompareResult res) in /home/vsts/work/1/s/Cli/AttackSurfaceAnalyzerClient.cs:line 945
   at System.Linq.Parallel.ForAllOperator`1.ForAllEnumerator`1.MoveNext(TInput& currentElement, Int32& currentKey)
   at System.Linq.Parallel.ForAllSpoolingTask`2.SpoolingWork()
   at System.Linq.Parallel.SpoolingTaskBase.Work()
   at System.Linq.Parallel.QueryTask.BaseWork(Object unused)
   at System.Linq.Parallel.QueryTask.<>c.<.cctor>b__10_0(Object o)
   at System.Threading.Tasks.Task.InnerInvoke()
   at System.Threading.Tasks.Task.<>c.<.cctor>b__277_0(Object obj)
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
   --- End of inner exception stack trace ---
   at System.Linq.Parallel.QueryTaskGroupState.QueryEnd(Boolean userInitiatedDispose)
   at System.Linq.Parallel.SpoolingTask.SpoolForAll[TInputOutput,TIgnoreKey](QueryTaskGroupState groupState, PartitionedStream`2 partitions, TaskScheduler taskScheduler)
   at System.Linq.Parallel.DefaultMergeHelper`2.System.Linq.Parallel.IMergeHelper.Execute()
   at System.Linq.Parallel.MergeExecutor`1.Execute()
   at System.Linq.Parallel.MergeExecutor`1.Execute[TKey](PartitionedStream`2 partitions, Boolean ignoreOutput, ParallelMergeOptions options, TaskScheduler taskScheduler, Boolean isOrdered, CancellationState cancellationState, Int32 queryId)
   at System.Linq.Parallel.PartitionedStreamMerger`1.Receive[TKey](PartitionedStream`2 partitionedStream)
   at System.Linq.Parallel.ForAllOperator`1.WrapPartitionedStream[TKey](PartitionedStream`2 inputStream, IPartitionedStreamRecipient`1 recipient, Boolean preferStriping, QuerySettings settings)
   at System.Linq.Parallel.UnaryQueryOperator`2.UnaryQueryOperatorResults.ChildResultsRecipient.Receive[TKey](PartitionedStream`2 inputStream)
   at System.Linq.Parallel.ListQueryResults`1.GivePartitionedStream(IPartitionedStreamRecipient`1 recipient)
   at System.Linq.Parallel.UnaryQueryOperator`2.UnaryQueryOperatorResults.GivePartitionedStream(IPartitionedStreamRecipient`1 recipient)
   at System.Linq.Parallel.QueryOperator`1.GetOpenedEnumerator(Nullable`1 mergeOptions, Boolean suppressOrder, Boolean forEffect, QuerySettings querySettings)
   at System.Linq.Parallel.ForAllOperator`1.RunSynchronously()
   at System.Linq.ParallelEnumerable.ForAll[TSource](ParallelQuery`1 source, Action`1 action)
   at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.CompareRuns(CompareCommandOptions opts) in /home/vsts/work/1/s/Cli/AttackSurfaceAnalyzerClient.cs:line 933
   at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.RunExportCollectCommand(ExportCollectCommandOptions opts) in /home/vsts/work/1/s/Cli/AttackSurfaceAnalyzerClient.cs:line 509
   at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.<>c.<Main>b__9_2(ExportCollectCommandOptions opts) in /home/vsts/work/1/s/Cli/AttackSurfaceAnalyzerClient.cs:line 91
   at CommandLine.ParserResultExtensions.MapResult[T1,T2,T3,T4,T5,T6,T7,T8,TResult](ParserResult`1 result, Func`2 parsedFunc1, Func`2 parsedFunc2, Func`2 parsedFunc3, Func`2 parsedFunc4, Func`2 parsedFunc5, Func`2 parsedFunc6, Func`2 parsedFunc7, Func`2 parsedFunc8, Func`2 notParsedFunc)
   at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.Main(String[] args) in /home/vsts/work/1/s/Cli/AttackSurfaceAnalyzerClient.cs:line 73
---> (Inner Exception #1) System.Collections.Generic.KeyNotFoundException: The given key 'GROUP' was not present in the dictionary.
   at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
   at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.<>c__DisplayClass30_0.b__0(CompareResult res) in /home/vsts/work/1/s/Cli/AttackSurfaceAnalyzerClient.cs:line 945
   at System.Linq.Parallel.ForAllOperator`1.ForAllEnumerator`1.MoveNext(TInput& currentElement, Int32& currentKey)
   at System.Linq.Parallel.ForAllSpoolingTask`2.SpoolingWork()
   at System.Linq.Parallel.SpoolingTaskBase.Work()
   at System.Linq.Parallel.QueryTask.BaseWork(Object unused)
   at System.Linq.Parallel.QueryTask.RunTaskSynchronously(Object o)
   at System.Threading.Tasks.Task.InnerInvoke()
   at System.Threading.Tasks.Task.<>c.<.cctor>b__277_0(Object obj)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)<---

Aborted (core dumped)
user@Xenial64:/tmp/ASA_linux_2.3.263-beta$
```

Docker installation

```
user@Xenial64:/tmp/ASA_linux_2.3.263-beta$ export DOCKER_REPO="deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
user@Xenial64:/tmp/ASA_linux_2.3.263-beta$ sudo add-apt-repository -r "$DOCKER_REPO" || true
user@Xenial64:/tmp/ASA_linux_2.3.263-beta$ sudo add-apt-repository "$DOCKER_REPO"
user@Xenial64:/tmp/ASA_linux_2.3.263-beta$ sudo apt-get update
user@Xenial64:/tmp/ASA_linux_2.3.263-beta$ sudo apt-get install -y libltdl7=2.4.6-0.1
user@Xenial64:/tmp/ASA_linux_2.3.263-beta$ sudo apt-get install -y containerd.io=1.2.5-1
user@Xenial64:/tmp/ASA_linux_2.3.263-beta$ sudo apt-get install -y docker-ce=5:18.09.2*
user@Xenial64:/tmp/ASA_linux_2.3.263-beta$ sudo usermod -aG docker user
```
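As an added illustration (not ASA's code, and not the fix that landed in #614), the following C# models the failure in the stack trace above: a PLINQ ForAll over compare results indexes a levels dictionary that has no GROUP entry, so a single unknown result type (here the `docker` group membership added by `usermod -aG`) aborts the whole comparison with an AggregateException, while the lenient variant falls back to the UNKNOWN level and finishes the export. The type names, the level table and the sample results are assumptions constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed stand-in for ASA's CompareResult: the result type key and an identity.
record CompareResult(string ResultType, string Identity);

static class LevelLookup
{
    // Modeled on the DefaultLevels map printed in the log above, with the
    // "GROUP" entry deliberately left out to reproduce the KeyNotFoundException.
    static readonly Dictionary<string, int> DefaultLevels = new()
    {
        ["FILE"] = 2, ["PORT"] = 3, ["SERVICE"] = 3, ["USER"] = 3, ["UNKNOWN"] = 3,
    };

    // Constructed results: installing Docker and running `usermod -aG docker user`
    // yields file, service, user and GROUP changes between the two runs.
    static readonly List<CompareResult> Results = new()
    {
        new("FILE", "/usr/bin/dockerd"),
        new("SERVICE", "docker.service"),
        new("GROUP", "docker"),
        new("USER", "user"),
    };

    // Strict lookup, as in the stack trace: one missing key inside a PLINQ ForAll
    // surfaces as an AggregateException wrapping the KeyNotFoundException and the
    // whole comparison is lost.
    public static void StrictAnalyze()
    {
        Results.AsParallel().ForAll(res =>
        {
            int level = DefaultLevels[res.ResultType]; // throws for "GROUP"
            Console.WriteLine($"{res.ResultType}:{res.Identity} -> level {level}");
        });
    }

    // Lenient lookup: an unknown result type falls back to the UNKNOWN level so one
    // unexpected object type cannot take down the export (assumed mitigation).
    public static int LevelFor(string resultType) =>
        DefaultLevels.TryGetValue(resultType, out var level) ? level : DefaultLevels["UNKNOWN"];

    public static void LenientAnalyze()
    {
        Results.AsParallel().ForAll(res =>
            Console.WriteLine($"{res.ResultType}:{res.Identity} -> level {LevelFor(res.ResultType)}"));
    }

    static void Main()
    {
        try { StrictAnalyze(); }
        catch (AggregateException ex)
        {
            // PLINQ collects every worker's exception; report each inner one.
            foreach (var inner in ex.InnerExceptions)
                Console.WriteLine($"strict: {inner.GetType().Name}: {inner.Message}");
        }
        LenientAnalyze();
    }
}
```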

gfs commented 3 years ago

Thanks for the report. There's a fix for the group issue in #614.