Create plugin category system for target-query
The category system is created to serve two adjacent goals:
- Define a “killchain” category with a number of sub-categories (defined in the questionnaire spreadsheet).
- Have the user define their own categories specific to their investigation (e.g. plugins that output artifacts that hold clues to persistency).
Note that the words tags/categories can be used interchangeably: plugins are given a tag, while categories are sets of plugins. The difference is in the technical implementation.
In this case we go for the category implementation. A category is a list of strings of plugin (wildcard) names, which can be selected using a command-line parameter like --category <category_name>. This is then fed into the default plugin selection and execution mechanism. It should accept wildcards (using the fnmatch() functionality), to be able to do sub-categories. E.g. when a user has defined some tags but only wants to run the plugins related to the built-in killchain categories, they can use: killchain.*.
The default categories should be defined somewhere in query.py or a related file. The user-defined categories can go into .targetcfg.py as variables. These variables must be prefixed with a well-known prefix, like plugin_category_<category_name>.
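A sketch of how the category resolution described above could work, as an added example that is not code from target-query itself. The function names, the category contents and the plugin names are constructed placeholders, and the SimpleNamespace stands in for a loaded .targetcfg.py. Because Python variable names cannot contain dots, user categories are flat names in this sketch.

```python
from fnmatch import fnmatchcase  # case-sensitive on every platform
from types import SimpleNamespace

PREFIX = "plugin_category_"

# Constructed defaults: category and plugin names are placeholders.
DEFAULT_CATEGORIES = {
    "killchain.persistence": ["services", "runkeys"],
    "killchain.execution": ["prefetch", "history.*"],
}

def load_user_categories(config):
    """Collect plugin_category_<name> variables from a loaded config module."""
    found = {}
    for attr, value in vars(config).items():
        if not attr.startswith(PREFIX) or attr == PREFIX:
            continue
        # Reject anything that is not a list of strings instead of guessing.
        if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            raise ValueError(f"{attr} must be a list of plugin name strings")
        found[attr[len(PREFIX):]] = value
    return found

def resolve_categories(selectors, categories):
    """Expand --category selectors (wildcards allowed) to plugin patterns."""
    patterns = []
    for selector in selectors:
        matched = [name for name in categories if fnmatchcase(name, selector)]
        if not matched:
            # A typo in --category should fail loudly, not run zero plugins.
            raise ValueError(f"no category matches {selector!r}")
        for name in matched:
            for pattern in categories[name]:
                if pattern not in patterns:
                    patterns.append(pattern)
    return patterns

def select_plugins(patterns, available):
    """Apply the plugin patterns to the names of the available plugins."""
    return [p for p in available if any(fnmatchcase(p, pat) for pat in patterns)]

# Stand-in for a loaded .targetcfg.py (constructed).
user_config = SimpleNamespace(plugin_category_persistency=["services", "cronjobs"])
ALL_CATEGORIES = {**DEFAULT_CATEGORIES, **load_user_categories(user_config)}
AVAILABLE = ["services", "runkeys", "prefetch", "history.bash", "cronjobs", "mft"]
```

With these constructed inputs, the selector killchain.* picks only the built-in sub-categories and leaves the user-defined persistency category out.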