wazuh / wazuh-api

Wazuh - RESTful API
https://wazuh.com
GNU General Public License v2.0

Add search parameter to /mitre endpoint (api) #465

Closed Selutario closed 4 years ago

Selutario commented 4 years ago

Description

This issue is related to #4285

This PR adds a 'search' parameter to the mitre endpoint. Two new mocha tests have been added to test/test_mitre.js to verify both that it returns objects that contain the searched string and that it does not return any when the string is not found in any object.

Returned

# curl -u foo:bar -k -X GET "https://127.0.0.1:55000/mitre?pretty&search=points%to%explorer.exe"
{
   "error": 0,
   "data": {
      "items": [
         {
            "id": "T1004",
            "json": {
               "x_mitre_data_sources": [
                  "Windows Registry",
                  "File monitoring",
                  "Process monitoring"
               ],
               "x_mitre_permissions_required": [
                  "Administrator",
                  "SYSTEM"
               ],
               "name": "Winlogon Helper DLL",
               "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\\Software\\[Wow6432Node\\]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\</code> and <code>HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\</code> are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013) \n\nMalicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)\n\n* Winlogon\\Notify - points to notification package DLLs that handle Winlogon events\n* Winlogon\\Userinit - points to userinit.exe, the user initialization program executed when a user logs on\n* Winlogon\\Shell - points to explorer.exe, the system shell executed when a user logs on\n\nAdversaries may take advantage of these features to repeatedly execute malicious code and establish Persistence.",
               "id": "attack-pattern--514ede4c-78b3-4d78-a38b-daddf6217a79",
               "x_mitre_platforms": [
                  "Windows"
               ],
               "object_marking_refs": [
                  "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
               ],
               "x_mitre_version": "1.0",
               "type": "attack-pattern",
               "x_mitre_detection": "Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values. (Citation: TechNet Autoruns)  New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious.\n\nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
               "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
               "x_mitre_contributors": [
                  "Praetorian"
               ],
               "created": "2017-05-31T21:30:20.148Z",
               "kill_chain_phases": [
                  {
                     "kill_chain_name": "mitre-attack",
                     "phase_name": "Persistence"
                  }
               ],
               "external_references": [
                  {
                     "external_id": "T1004",
                     "source_name": "mitre-attack",
                     "url": "https://attack.mitre.org/techniques/T1004"
                  },
                  {
                     "source_name": "capec",
                     "external_id": "CAPEC-579",
                     "url": "https://capec.mitre.org/data/definitions/579.html"
                  },
                  {
                     "source_name": "Cylance Reg Persistence Sept 2013",
                     "description": "Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.",
                     "url": "https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order"
                  },
                  {
                     "source_name": "TechNet Autoruns",
                     "description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.",
                     "url": "https://technet.microsoft.com/en-us/sysinternals/bb963902"
                  }
               ],
               "modified": "2019-07-17T19:16:41.584Z"
            },
            "platforms": [
               "Windows"
            ],
            "phases": [
               "Persistence"
            ]
         }
      ],
      "totalItems": 1
   }
}
# curl -u foo:bar -k -X GET "https://127.0.0.1:55000/mitre?pretty&search=test_test_test"
{
   "error": 0,
   "data": {
      "items": [],
      "totalItems": 0
   }
}

Tests performed

Mocha

# mocha test/test_mitre.js 

  Mitre
    GET/sca/:agent_id
      ✓ Request (512ms)
      ✓ Pagination: limit = 1 (199ms)
      ✓ Pagination: limit = 5 (194ms)
      ✓ Pagination: limit = 10 (192ms)
      ✓ Pagination: limit > 10 (202ms)
      ✓ Retrieve all elements with limit=0 (196ms)
      ✓ Sort: +id (194ms)
      ✓ Sort: -id (212ms)
      ✓ Filters: attack (189ms)
      ✓ Filters: attack (request returns 0 items) (187ms)
      ✓ Filters: phase=initial access (194ms)
      ✓ Filters: phase=persistence (205ms)
      ✓ Filters: phase (request returns 0 items) (201ms)
      ✓ Filters: platform=linux (190ms)
      ✓ Filters: platform=macos (203ms)
      ✓ Filters: platform=windows (194ms)
      ✓ Filters: platform=windows,phase=persistence (190ms)
      ✓ Filters: platform=linux,phase=execution (196ms)
      ✓ Filters: platform=macos,phase=impact (202ms)
      ✓ Filters: platform (request returns 0 items) (188ms)
      ✓ Filters: q=attack=T1015 (193ms)
      ✓ Filters: q=platform=linux (191ms)
      ✓ Filters: q=phase=execution (188ms)
      ✓ Filters: q (request returns 0 items) (188ms)
      ✓ Filters: q (wrong query 1) (188ms)
      ✓ Filters: q (wrong query 2) (190ms)
      ✓ Filters: q (wrong query 3) (191ms)
      ✓ Search (199ms)
      ✓ Search (returns 0 items) (213ms)

  29 passing (6s)
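The behaviour the PR describes (return only the technique objects that contain the searched string anywhere in their fields, and an empty list with totalItems 0 otherwise) re-implemented in memory as an added example. This is not wazuh-api code: the TECHNIQUES array is constructed sample data shaped like the response above, and searchMitre, matches, stringLeaves, searchTermFromUrl and toLikePattern are helper names I made up for the illustration. How the real endpoint queries its data store is not shown on this page.

```javascript
// Added example, not code from wazuh-api. Re-implements, in memory, what
// GET /mitre?search=<term> is described as doing. All data below is constructed.

// Constructed sample: two records in the page's { id, json, platforms, phases } shape.
const TECHNIQUES = [
  {
    id: "T1004",
    json: {
      name: "Winlogon Helper DLL",
      description:
        "* Winlogon\\Shell - points to explorer.exe, the system shell executed when a user logs on",
      x_mitre_platforms: ["Windows"],
      kill_chain_phases: [{ kill_chain_name: "mitre-attack", phase_name: "Persistence" }],
    },
    platforms: ["Windows"],
    phases: ["Persistence"],
  },
  {
    id: "T1059",
    json: {
      name: "Command-Line Interface",
      description: "Constructed text: adversaries may use cmd.exe or sh to execute commands.",
      x_mitre_platforms: ["Linux", "macOS", "Windows"],
      kill_chain_phases: [{ kill_chain_name: "mitre-attack", phase_name: "Execution" }],
    },
    platforms: ["Linux", "macOS", "Windows"],
    phases: ["Execution"],
  },
];

// Walk any JSON value and yield every string leaf, so the search covers nested
// fields (description, kill_chain_phases[].phase_name, ...) not just top-level keys.
function* stringLeaves(value) {
  if (typeof value === "string") {
    yield value;
  } else if (Array.isArray(value)) {
    for (const v of value) yield* stringLeaves(v);
  } else if (value && typeof value === "object") {
    for (const v of Object.values(value)) yield* stringLeaves(v);
  }
}

// Case-insensitive substring match anywhere in the object. The term is literal
// text, not a pattern: "." in "explorer.exe" matches only a dot.
function matches(item, term) {
  const needle = term.toLowerCase();
  for (const s of stringLeaves(item)) {
    if (s.toLowerCase().includes(needle)) return true;
  }
  return false;
}

// Same envelope as the API output above: totalItems counts matches before
// pagination; items is the page selected by offset/limit (limit 0 = all).
function searchMitre(items, term, { offset = 0, limit = 0 } = {}) {
  const hits = term ? items.filter((it) => matches(it, term)) : items.slice();
  const page = limit > 0 ? hits.slice(offset, offset + limit) : hits.slice(offset);
  return { error: 0, data: { items: page, totalItems: hits.length } };
}

// Extract the term the way a WHATWG URL parser does. Malformed escapes such as
// "%to%" in the curl line above are kept as-is by the parser, so the term
// arrives as "points%to%explorer.exe"; decodeURIComponent then throws and the
// raw value is used. Decide explicitly what a literal "%" should mean.
function searchTermFromUrl(url) {
  const raw = new URL(url).searchParams.get("search");
  if (raw === null) return null;
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw;
  }
}

// If a backend turns the term into an SQL LIKE pattern, escape the wildcards
// first and bind the result as a parameter (assumed ESCAPE '\' convention).
function toLikePattern(term) {
  return "%" + term.replace(/[\\%_]/g, (c) => "\\" + c) + "%";
}

console.log(JSON.stringify(searchMitre(TECHNIQUES, "points to explorer.exe"), null, 3));
console.log(JSON.stringify(searchMitre(TECHNIQUES, "test_test_test"), null, 3));
```

The caveat worth carrying into review of the real endpoint: the search string is attacker-controlled input that ends up in a query against the technique store, so it must be bound as a parameter rather than concatenated, and if the store uses LIKE, "%" and "_" must be escaped or a caller can turn a search into a wildcard scan.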