Merge branch 'tkt_315_crear_plugin_para_windows_defender' into 'dev'

Resolve "crear plugin para Windows Defender" Closes #315 See merge request faradaysec/faraday-plugins!235
infobyte · Sep 5, 2023 · 5a58a5d · 5a58a5d
2 parents 6800c59 + aeb2c60
commit 5a58a5d
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 0 deletions.
diff --git a/CHANGELOG/1.13.0/315.md b/CHANGELOG/1.13.0/315.md
@@ -0,0 +1 @@
+[ADD] Create Plugin for windows defender #315
diff --git a/faraday_plugins/plugins/repo/windows_defender/__init__.py b/faraday_plugins/plugins/repo/windows_defender/__init__.py
@@ -0,0 +1,7 @@
+"""
+Faraday Penetration Test IDE
+Copyright (C) 2013  Infobyte LLC (http://www.infobytesec.com/)
+See the file 'doc/LICENSE' for the license information
+
+"""
+
diff --git a/faraday_plugins/plugins/repo/windows_defender/plugin.py b/faraday_plugins/plugins/repo/windows_defender/plugin.py
@@ -0,0 +1,57 @@
+""" Create plugin for windows defender"""
+import json
+from faraday_plugins.plugins.plugin import PluginMultiLineJsonFormat
+
+
+class WindowsDefenderPlugin(PluginMultiLineJsonFormat):
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.id = "WindowsDefender_JSONL"
+        self.name = "Windows Defender Jsonl"
+        self.plugin_version = "1.0"
+        self.version = "1.0"
+        self.json_keys = {'LastSeenTimestamp' , 'SecurityUpdateAvailable'}
+
+
+    def parseOutputString(self, output):
+        for json_str in filter(lambda x: x != '', output.split("\n")):
+            data = json.loads(json_str)
+
+            device_name = data.pop('DeviceName', 'Unknown')
+            if device_name == "Unknown":
+                device_name = data.pop('DeviceId', 'Unknown')
+            os_platform = data.pop('OSPlatform', 'Unknown')
+            cve_id = data.pop('CveId', 'Unknown')
+            severity = data.pop('VulnerabilitySeverityLevel', 'Unknown')
+            device_id = data.pop('DeviceId', 'Unknown')
+            software_name = data.pop('SoftwareName', 'Unknown')
+            software_vendor = data.pop('SoftwareVendor', 'Unknown')
+            data.pop('CvssScore')
+
+            # Build the vulnerability description including all fields
+            # purposely injecte CVE in desc to bypass the cache
+            description = f"Device Name: {device_name}\n "\
+                          f"Device ID: {device_id}\n "\
+                          f"OS Platform: {os_platform}\n" \
+                          f"CVE: {cve_id}"
+            data_info = "\n".join([f"{key}: {value}" for key, value in data.items()])
+
+
+            host_id = self.createAndAddHost(
+                name=device_name,
+                os=os_platform,
+                hostnames=[device_name]
+            )
+
+            self.createAndAddVulnToHost(
+                host_id,
+                name= f"{software_name}  {software_vendor} Vulnerable",
+                cve=cve_id,
+                severity=severity,
+                desc=description,
+                data=data_info
+            )
+
+def createPlugin(*args, **kwargs):
+    return WindowsDefenderPlugin(*args, **kwargs)