tests: add testing for command line output

Cargo.toml

@@ -36,4 +36,6 @@ uuid = { version = "1.1", features = ["serde", "v4"] }
 
 
 [dev-dependencies]
+assert_cmd = "2.0"
 paste = "1.0"
+predicates = "2.1"

tests/clo.rs

@@ -0,0 +1,64 @@
+use std::path::Path;
+use assert_cmd::prelude::*; // Add methods on commands
+use predicates::prelude::*; // Used for writing assertions
+use std::process::Command; // Run programs
+
+#[test]
+fn search_jq_simple_string() -> Result<(), Box<dyn std::error::Error>> {
+    let root = env!("CARGO_MANIFEST_DIR");
+    let sample_path = Path::new(root).join("tests/evtx").join("security_sample.evtx");
+    let sample_expected_output_path = Path::new(root).join("tests/evtx").join("clo_search_qj_simple_string.txt");
+    let mut cmd = Command::cargo_bin("chainsaw")?;
+
+    cmd.arg("search").arg("4624").arg(sample_path).arg("-jq");
+    cmd.assert()
+        .success()
+        .stdout( predicate::path::eq_file(sample_expected_output_path).utf8().unwrap());
+
+    Ok(())
+}
+
+#[test]
+fn search_q_jsonl_simple_string()-> Result<(), Box<dyn std::error::Error>> {
+    let root = env!("CARGO_MANIFEST_DIR");
+    let sample_path = Path::new(root).join("tests/evtx").join("security_sample.evtx");
+    let sample_expected_output_path = Path::new(root).join("tests/evtx").join("clo_search_q_jsonl_simple_string.txt");
+    let mut cmd = Command::cargo_bin("chainsaw")?;
+
+    cmd.arg("search").arg("4624").arg(sample_path).arg("-q").arg("--jsonl");
+    cmd.assert()
+        .success()
+        .stdout( predicate::path::eq_file(sample_expected_output_path).utf8().unwrap());
+
+    Ok(())
+}
+#[test]
+fn search_q_simple_string()-> Result<(), Box<dyn std::error::Error>> {
+    let root = env!("CARGO_MANIFEST_DIR");
+    let sample_path = Path::new(root).join("tests/evtx").join("security_sample.evtx");
+    let sample_expected_output_path = Path::new(root).join("tests/evtx").join("clo_search_q_simple_string.txt");
+    let mut cmd = Command::cargo_bin("chainsaw")?;
+
+    cmd.arg("search").arg("4624").arg(sample_path).arg("-q");
+    cmd.assert()
+        .success()
+        .stdout( predicate::path::eq_file(sample_expected_output_path).utf8().unwrap());
+
+    Ok(())
+}
+
+#[test]
+fn hunt_r_any_logon()-> Result<(), Box<dyn std::error::Error>> {
+    let root = env!("CARGO_MANIFEST_DIR");
+    let sample_path = Path::new(root).join("tests/evtx").join("security_sample.evtx");
+    let sample_expected_output_path = Path::new(root).join("tests/evtx").join("clo_hunt_r_any_logon.txt");
+    let rule_path = Path::new(root).join("tests/evtx").join("rule-any-logon.yml");
+    let mut cmd = Command::cargo_bin("chainsaw")?;
+
+    cmd.arg("hunt").arg(sample_path).arg("-r").arg(rule_path);
+    cmd.assert()
+        .success()
+        .stdout( predicate::path::eq_file(sample_expected_output_path).utf8().unwrap());
+
+    Ok(())
+}

tests/evtx/clo_hunt_r_any_logon.txt

@@ -0,0 +1,9 @@
+
+[+] Group: Lateral Movement
+┌─────────────────────┬─────────────┬──────────┬───────────┬─────────────────┬────────┬────────────┬────────────┐
+│      timestamp      │ detections  │ Event ID │ Record ID │    Computer     │  User  │ Logon Type │ IP Address │
+├─────────────────────┼─────────────┼──────────┼───────────┼─────────────────┼────────┼────────────┼────────────┤
+│ 2022-10-11 19:26:52 │ ‣ Any Logon │ 4624     │ 31794     │ DESKTOP-JK4Q86I │ SYSTEM │ 5          │ -          │
+├─────────────────────┼─────────────┼──────────┼───────────┼─────────────────┼────────┼────────────┼────────────┤
+│ 2022-10-11 19:26:56 │ ‣ Any Logon │ 4624     │ 31799     │ DESKTOP-JK4Q86I │ SYSTEM │ 5          │ -          │
+└─────────────────────┴─────────────┴──────────┴───────────┴─────────────────┴────────┴────────────┴────────────┘

tests/evtx/clo_search_q_jsonl_simple_string.txt

@@ -0,0 +1,2 @@
+{"Event":{"EventData":{"AuthenticationPackageName":"Negotiate","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"-","IpPort":"-","KeyLength":0,"LmPackageName":"-","LogonGuid":"00000000-0000-0000-0000-000000000000","LogonProcessName":"Advapi  ","LogonType":5,"ProcessId":"0x29c","ProcessName":"C:\\Windows\\System32\\services.exe","RestrictedAdminMode":"-","SubjectDomainName":"WORKGROUP","SubjectLogonId":"0x3e7","SubjectUserName":"DESKTOP-JK4Q86I$","SubjectUserSid":"S-1-5-18","TargetDomainName":"NT AUTHORITY","TargetLinkedLogonId":"0x0","TargetLogonId":"0x3e7","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"SYSTEM","TargetUserSid":"S-1-5-18","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-"},"System":{"Channel":"Security","Computer":"DESKTOP-JK4Q86I","Correlation_attributes":{"ActivityID":"5965E1C0-DDA7-0003-D8E1-6559A7DDD801"},"EventID":4624,"EventRecordID":31794,"Execution_attributes":{"ProcessID":688,"ThreadID":736},"Keywords":"0x8020000000000000","Level":0,"Opcode":0,"Provider_attributes":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"},"Security":null,"Task":12544,"TimeCreated_attributes":{"SystemTime":"2022-10-11T19:26:52.154080Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}
+{"Event":{"EventData":{"AuthenticationPackageName":"Negotiate","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"-","IpPort":"-","KeyLength":0,"LmPackageName":"-","LogonGuid":"00000000-0000-0000-0000-000000000000","LogonProcessName":"Advapi  ","LogonType":5,"ProcessId":"0x29c","ProcessName":"C:\\Windows\\System32\\services.exe","RestrictedAdminMode":"-","SubjectDomainName":"WORKGROUP","SubjectLogonId":"0x3e7","SubjectUserName":"DESKTOP-JK4Q86I$","SubjectUserSid":"S-1-5-18","TargetDomainName":"NT AUTHORITY","TargetLinkedLogonId":"0x0","TargetLogonId":"0x3e7","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"SYSTEM","TargetUserSid":"S-1-5-18","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-"},"System":{"Channel":"Security","Computer":"DESKTOP-JK4Q86I","Correlation_attributes":{"ActivityID":"5965E1C0-DDA7-0003-D8E1-6559A7DDD801"},"EventID":4624,"EventRecordID":31799,"Execution_attributes":{"ProcessID":688,"ThreadID":8108},"Keywords":"0x8020000000000000","Level":0,"Opcode":0,"Provider_attributes":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"},"Security":null,"Task":12544,"TimeCreated_attributes":{"SystemTime":"2022-10-11T19:26:56.066967Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}

tests/evtx/clo_search_q_simple_string.txt

@@ -0,0 +1,106 @@
+Event:
+  EventData:
+    AuthenticationPackageName: Negotiate
+    ElevatedToken: '%%1842'
+    ImpersonationLevel: '%%1833'
+    IpAddress: '-'
+    IpPort: '-'
+    KeyLength: 0
+    LmPackageName: '-'
+    LogonGuid: 00000000-0000-0000-0000-000000000000
+    LogonProcessName: 'Advapi  '
+    LogonType: 5
+    ProcessId: '0x29c'
+    ProcessName: C:\Windows\System32\services.exe
+    RestrictedAdminMode: '-'
+    SubjectDomainName: WORKGROUP
+    SubjectLogonId: '0x3e7'
+    SubjectUserName: DESKTOP-JK4Q86I$
+    SubjectUserSid: S-1-5-18
+    TargetDomainName: NT AUTHORITY
+    TargetLinkedLogonId: '0x0'
+    TargetLogonId: '0x3e7'
+    TargetOutboundDomainName: '-'
+    TargetOutboundUserName: '-'
+    TargetUserName: SYSTEM
+    TargetUserSid: S-1-5-18
+    TransmittedServices: '-'
+    VirtualAccount: '%%1843'
+    WorkstationName: '-'
+  System:
+    Channel: Security
+    Computer: DESKTOP-JK4Q86I
+    Correlation_attributes:
+      ActivityID: 5965E1C0-DDA7-0003-D8E1-6559A7DDD801
+    EventID: 4624
+    EventRecordID: 31794
+    Execution_attributes:
+      ProcessID: 688
+      ThreadID: 736
+    Keywords: '0x8020000000000000'
+    Level: 0
+    Opcode: 0
+    Provider_attributes:
+      Guid: 54849625-5478-4994-A5BA-3E3B0328C30D
+      Name: Microsoft-Windows-Security-Auditing
+    Security: null
+    Task: 12544
+    TimeCreated_attributes:
+      SystemTime: 2022-10-11T19:26:52.154080Z
+    Version: 2
+Event_attributes:
+  xmlns: http://schemas.microsoft.com/win/2004/08/events/event
+
+Event:
+  EventData:
+    AuthenticationPackageName: Negotiate
+    ElevatedToken: '%%1842'
+    ImpersonationLevel: '%%1833'
+    IpAddress: '-'
+    IpPort: '-'
+    KeyLength: 0
+    LmPackageName: '-'
+    LogonGuid: 00000000-0000-0000-0000-000000000000
+    LogonProcessName: 'Advapi  '
+    LogonType: 5
+    ProcessId: '0x29c'
+    ProcessName: C:\Windows\System32\services.exe
+    RestrictedAdminMode: '-'
+    SubjectDomainName: WORKGROUP
+    SubjectLogonId: '0x3e7'
+    SubjectUserName: DESKTOP-JK4Q86I$
+    SubjectUserSid: S-1-5-18
+    TargetDomainName: NT AUTHORITY
+    TargetLinkedLogonId: '0x0'
+    TargetLogonId: '0x3e7'
+    TargetOutboundDomainName: '-'
+    TargetOutboundUserName: '-'
+    TargetUserName: SYSTEM
+    TargetUserSid: S-1-5-18
+    TransmittedServices: '-'
+    VirtualAccount: '%%1843'
+    WorkstationName: '-'
+  System:
+    Channel: Security
+    Computer: DESKTOP-JK4Q86I
+    Correlation_attributes:
+      ActivityID: 5965E1C0-DDA7-0003-D8E1-6559A7DDD801
+    EventID: 4624
+    EventRecordID: 31799
+    Execution_attributes:
+      ProcessID: 688
+      ThreadID: 8108
+    Keywords: '0x8020000000000000'
+    Level: 0
+    Opcode: 0
+    Provider_attributes:
+      Guid: 54849625-5478-4994-A5BA-3E3B0328C30D
+      Name: Microsoft-Windows-Security-Auditing
+    Security: null
+    Task: 12544
+    TimeCreated_attributes:
+      SystemTime: 2022-10-11T19:26:56.066967Z
+    Version: 2
+Event_attributes:
+  xmlns: http://schemas.microsoft.com/win/2004/08/events/event
+

tests/evtx/clo_search_qj_simple_string.txt

@@ -0,0 +1 @@
+[{"Event":{"EventData":{"AuthenticationPackageName":"Negotiate","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"-","IpPort":"-","KeyLength":0,"LmPackageName":"-","LogonGuid":"00000000-0000-0000-0000-000000000000","LogonProcessName":"Advapi  ","LogonType":5,"ProcessId":"0x29c","ProcessName":"C:\\Windows\\System32\\services.exe","RestrictedAdminMode":"-","SubjectDomainName":"WORKGROUP","SubjectLogonId":"0x3e7","SubjectUserName":"DESKTOP-JK4Q86I$","SubjectUserSid":"S-1-5-18","TargetDomainName":"NT AUTHORITY","TargetLinkedLogonId":"0x0","TargetLogonId":"0x3e7","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"SYSTEM","TargetUserSid":"S-1-5-18","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-"},"System":{"Channel":"Security","Computer":"DESKTOP-JK4Q86I","Correlation_attributes":{"ActivityID":"5965E1C0-DDA7-0003-D8E1-6559A7DDD801"},"EventID":4624,"EventRecordID":31794,"Execution_attributes":{"ProcessID":688,"ThreadID":736},"Keywords":"0x8020000000000000","Level":0,"Opcode":0,"Provider_attributes":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"},"Security":null,"Task":12544,"TimeCreated_attributes":{"SystemTime":"2022-10-11T19:26:52.154080Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}},{"Event":{"EventData":{"AuthenticationPackageName":"Negotiate","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"-","IpPort":"-","KeyLength":0,"LmPackageName":"-","LogonGuid":"00000000-0000-0000-0000-000000000000","LogonProcessName":"Advapi  ","LogonType":5,"ProcessId":"0x29c","ProcessName":"C:\\Windows\\System32\\services.exe","RestrictedAdminMode":"-","SubjectDomainName":"WORKGROUP","SubjectLogonId":"0x3e7","SubjectUserName":"DESKTOP-JK4Q86I$","SubjectUserSid":"S-1-5-18","TargetDomainName":"NT AUTHORITY","TargetLinkedLogonId":"0x0","TargetLogonId":"0x3e7","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"SYSTEM","TargetUserSid":"S-1-5-18","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-"},"System":{"Channel":"Security","Computer":"DESKTOP-JK4Q86I","Correlation_attributes":{"ActivityID":"5965E1C0-DDA7-0003-D8E1-6559A7DDD801"},"EventID":4624,"EventRecordID":31799,"Execution_attributes":{"ProcessID":688,"ThreadID":8108},"Keywords":"0x8020000000000000","Level":0,"Opcode":0,"Provider_attributes":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"},"Security":null,"Task":12544,"TimeCreated_attributes":{"SystemTime":"2022-10-11T19:26:56.066967Z"},"Version":2}},"Event_attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"}}]