diff --git a/.github/coverage/coverage.txt b/.github/coverage/coverage.txt index 20d9aac..09d9332 100644 --- a/.github/coverage/coverage.txt +++ b/.github/coverage/coverage.txt @@ -19,7 +19,7 @@ github.com/0xrawsec/whids/api/api_client.go:414: IsFileAboveUploadLimit 0.0% github.com/0xrawsec/whids/api/api_client.go:425: PostDump 65.0% github.com/0xrawsec/whids/api/api_client.go:461: PostLogs 68.8% github.com/0xrawsec/whids/api/api_client.go:493: PostCommand 76.5% -github.com/0xrawsec/whids/api/api_client.go:527: FetchCommand 68.4% +github.com/0xrawsec/whids/api/api_client.go:527: FetchCommand 73.7% github.com/0xrawsec/whids/api/api_client.go:566: PostSystemInfo 61.5% github.com/0xrawsec/whids/api/api_client.go:591: GetSysmonConfigSha256 82.4% github.com/0xrawsec/whids/api/api_client.go:623: GetSysmonConfig 83.3% @@ -132,7 +132,7 @@ github.com/0xrawsec/whids/api/manager_admin_api.go:1443: admAPIStreamEvents 71. github.com/0xrawsec/whids/api/manager_admin_api.go:1466: admAPIStreamDetections 0.0% github.com/0xrawsec/whids/api/manager_admin_api.go:1491: runAdminAPI 87.5% github.com/0xrawsec/whids/api/manager_endpoint_api.go:31: eptAPIMutEndpointFromRequest 75.0% -github.com/0xrawsec/whids/api/manager_endpoint_api.go:41: endpointAuthorizationMiddleware 82.6% +github.com/0xrawsec/whids/api/manager_endpoint_api.go:41: endpointAuthorizationMiddleware 73.9% github.com/0xrawsec/whids/api/manager_endpoint_api.go:84: isVerboseURL 100.0% github.com/0xrawsec/whids/api/manager_endpoint_api.go:93: endptLogHTTPMiddleware 0.0% github.com/0xrawsec/whids/api/manager_endpoint_api.go:101: endptQuietLogHTTPMiddleware 100.0% diff --git a/api/openapi_def.go b/api/openapi_def.go index 0305f04..d329bc9 100644 --- a/api/openapi_def.go +++ b/api/openapi_def.go 
@@ -74,10 +74,10 @@ var OpenAPIDefinition = ` "group": "", "hostname": "OpenHappy", "ip": "127.0.0.1", - "key": "BW9XE8d1IIUDE9E13yz5Bq5nNw3xuo4k0VYYE0mVu12UnnQS7EnsQlfa9wdrmpdv", - "last-connection": "2022-06-02T10:00:03.071536486Z", - "last-detection": "2022-06-02T12:00:02.020455738+02:00", - "last-event": "2022-06-02T12:00:02.020455738+02:00", + "key": "jdMGINLfFFbIirpNP8fuJ6nWPgt1ilmixyURpTbCjL827L4C1Ic6ypeBnRBu96Ic", + "last-connection": "2022-06-03T09:45:47.797766967Z", + "last-detection": "2022-06-03T11:45:46.746166548+02:00", + "last-event": "2022-06-03T11:45:46.746166548+02:00", "score": 0, "status": "", "system-info": { @@ -153,13 +153,13 @@ var OpenAPIDefinition = ` "group": "", "hostname": "", "ip": "", - "key": "SeErw5tCsgu5xbRLUPr1bRMeH9rwhgKhrbNtTki3EPK1vSMalU2asDEfrIFpM8qR", + "key": "5k8ifrCU7h2ek6qgBvJzbFMwxJ3Bxe5WKiDOj1auWcsXQGlTplfEp1iWjXaaMdMK", "last-connection": "0001-01-01T00:00:00Z", "last-detection": "0001-01-01T00:00:00Z", "last-event": "0001-01-01T00:00:00Z", "score": 0, "status": "", - "uuid": "1f36293a-658e-8ce5-3c87-e6be45e6c8ef" + "uuid": "25645909-a661-aef5-0aec-26151d1e0ee4" }, "error": "", "message": "OK" @@ -199,21 +199,21 @@ var OpenAPIDefinition = ` "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d": [ { "base-url": "/endpoints/5a92baeb-9384-47d3-92b4-a0db6f9b8c6d/artifacts/5a92baeb-9384-47d3-92b4-a0db6f9b8c6d/3d8441643c204ba9b9dcb5c414b25a3129f66f6c/", - "creation": "2022-06-02T10:00:06.439403368Z", + "creation": "2022-06-03T09:45:51.192861163Z", "event-hash": "3d8441643c204ba9b9dcb5c414b25a3129f66f6c", "files": [ { "name": "bar.txt", "size": 4, - "timestamp": "2022-06-02T10:00:06.4494034Z" + "timestamp": "2022-06-03T09:45:51.206194539Z" }, { "name": "foo.txt", "size": 4, - "timestamp": "2022-06-02T10:00:06.439403368Z" + "timestamp": "2022-06-03T09:45:51.192861163Z" } ], - "modification": "2022-06-02T10:00:06.4494034Z", + "modification": "2022-06-03T09:45:51.206194539Z", "process-guid": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d" } ] 
@@ -247,30 +247,30 @@ var OpenAPIDefinition = ` "avg-signature-criticality": 0, "bounded-score": 0, "count-by-signature": { - "DefenderConfigChanged": 8, - "NewAutorun": 13, - "SuspiciousService": 6, - "UnknownServices": 11, - "UntrustedDriverLoaded": 12 + "DefenderConfigChanged": 3, + "NewAutorun": 14, + "SuspiciousService": 7, + "UnknownServices": 10, + "UntrustedDriverLoaded": 16 }, "count-uniq-signatures": 5, "identifier": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d", - "median-time": "2022-06-02T12:00:04.258557576+02:00", + "median-time": "2022-06-03T11:45:48.964335026+02:00", "score": 0, "signature-count": 50, "signature-criticality-metric": 0, "signature-diversity": 100, "signatures": [ - "SuspiciousService", - "NewAutorun", + "UntrustedDriverLoaded", "DefenderConfigChanged", - "UnknownServices", - "UntrustedDriverLoaded" + "NewAutorun", + "SuspiciousService", + "UnknownServices" ], - "start-time": "2022-06-02T12:00:04.256839129+02:00", + "start-time": "2022-06-03T11:45:48.962756586+02:00", "std-dev-alert-criticality": 0, "std-dev-signature-criticality": -92233720368547760, - "stop-time": "2022-06-02T12:00:04.260276024+02:00", + "stop-time": "2022-06-03T11:45:48.965913467+02:00", "sum-alert-criticality": 0, "sum-rule-criticality": 0, "tactics": null, @@ -331,7 +331,7 @@ var OpenAPIDefinition = ` }, "name": "osqueryi", "os": "windows", - "uuid": "e7ea5d93-d389-2798-2413-c4ed7f60f25e" + "uuid": "97b2fc1b-08c7-09ac-7b88-00e5153c4b14" }, "error": "", "message": "OK" @@ -398,7 +398,7 @@ var OpenAPIDefinition = ` }, "name": "osqueryi", "os": "windows", - "uuid": "e7ea5d93-d389-2798-2413-c4ed7f60f25e" + "uuid": "97b2fc1b-08c7-09ac-7b88-00e5153c4b14" }, "error": "", "message": "OK" @@ -452,7 +452,7 @@ var OpenAPIDefinition = ` }, "name": "osqueryi", "os": "windows", - "uuid": "e7ea5d93-d389-2798-2413-c4ed7f60f25e" + "uuid": "97b2fc1b-08c7-09ac-7b88-00e5153c4b14" }, "error": "", "message": "OK" 
@@ -508,7 +508,7 @@ var OpenAPIDefinition = ` }, "name": "sysmon", "os": "windows", - "uuid": "c337adc2-2b6d-3519-3897-68723788e82a" + "uuid": "e52e39fe-a5cb-336e-c5a2-a22dd8b46fe2" }, "error": "", "message": "OK" @@ -575,7 +575,7 @@ var OpenAPIDefinition = ` }, "name": "sysmon", "os": "windows", - "uuid": "c337adc2-2b6d-3519-3897-68723788e82a" + "uuid": "e52e39fe-a5cb-336e-c5a2-a22dd8b46fe2" }, "error": "", "message": "OK" @@ -629,7 +629,7 @@ var OpenAPIDefinition = ` }, "name": "sysmon", "os": "windows", - "uuid": "c337adc2-2b6d-3519-3897-68723788e82a" + "uuid": "e52e39fe-a5cb-336e-c5a2-a22dd8b46fe2" }, "error": "", "message": "OK" @@ -1913,9 +1913,9 @@ var OpenAPIDefinition = ` "group": "", "hostname": "OpenHappy", "ip": "127.0.0.1", - "last-connection": "2022-06-02T10:00:03.082320817Z", - "last-detection": "2022-06-02T12:00:02.020455738+02:00", - "last-event": "2022-06-02T12:00:02.020455738+02:00", + "last-connection": "2022-06-03T09:45:47.797766967Z", + "last-detection": "2022-06-03T11:45:46.746166548+02:00", + "last-event": "2022-06-03T11:45:46.746166548+02:00", "score": 0, "status": "", "system-info": { @@ -2331,9 +2331,9 @@ var OpenAPIDefinition = ` "group": "New Group", "hostname": "OpenHappy", "ip": "127.0.0.1", - "last-connection": "2022-06-02T10:00:03.082320817Z", - "last-detection": "2022-06-02T12:00:02.020455738+02:00", - "last-event": "2022-06-02T12:00:02.020455738+02:00", + "last-connection": "2022-06-03T09:45:47.797766967Z", + "last-detection": "2022-06-03T11:45:46.746166548+02:00", + "last-event": "2022-06-03T11:45:46.746166548+02:00", "score": 0, "status": "New Status", "system-info": { 
@@ -2437,9 +2437,9 @@ var OpenAPIDefinition = ` "group": "New Group", "hostname": "OpenHappy", "ip": "127.0.0.1", - "last-connection": "2022-06-02T10:00:03.082320817Z", - "last-detection": "2022-06-02T12:00:02.020455738+02:00", - "last-event": "2022-06-02T12:00:02.020455738+02:00", + "last-connection": "2022-06-03T09:45:47.797766967Z", + "last-detection": "2022-06-03T11:45:46.746166548+02:00", + "last-event": "2022-06-03T11:45:46.746166548+02:00", "score": 0, "status": "New Status", "system-info": { @@ -2537,21 +2537,21 @@ var OpenAPIDefinition = ` "data": [ { "base-url": "/endpoints/5a92baeb-9384-47d3-92b4-a0db6f9b8c6d/artifacts/5a92baeb-9384-47d3-92b4-a0db6f9b8c6d/3d8441643c204ba9b9dcb5c414b25a3129f66f6c/", - "creation": "2022-06-02T10:00:06.439403368Z", + "creation": "2022-06-03T09:45:51.192861163Z", "event-hash": "3d8441643c204ba9b9dcb5c414b25a3129f66f6c", "files": [ { "name": "bar.txt", "size": 4, - "timestamp": "2022-06-02T10:00:06.4494034Z" + "timestamp": "2022-06-03T09:45:51.206194539Z" }, { "name": "foo.txt", "size": 4, - "timestamp": "2022-06-02T10:00:06.439403368Z" + "timestamp": "2022-06-03T09:45:51.192861163Z" } ], - "modification": "2022-06-02T10:00:06.4494034Z", + "modification": "2022-06-03T09:45:51.206194539Z", "process-guid": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d" } ], @@ -2696,11 +2696,11 @@ var OpenAPIDefinition = ` "json": null, "name": "/usr/bin/printf", "sent": true, - "sent-time": "2022-06-02T12:00:04.174485878+02:00", + "sent-time": "2022-06-03T11:45:48.892804448+02:00", "stderr": "", "stdout": "SGVsbG8gV29ybGQ=", "timeout": 0, - "uuid": "4f3750f2-f19a-8f7d-10fb-1b798c250a0f" + "uuid": "ebe4a344-1a90-f731-bc02-3ebad570a5f4" }, "error": "", "message": "OK" 
@@ -2788,16 +2788,16 @@ var OpenAPIDefinition = ` "stderr": null, "stdout": null, "timeout": 0, - "uuid": "4f3750f2-f19a-8f7d-10fb-1b798c250a0f" + "uuid": "ebe4a344-1a90-f731-bc02-3ebad570a5f4" }, "criticality": 0, "group": "", "hostname": "OpenHappy", "ip": "127.0.0.1", - "key": "vKmdf2qemYdLetLvHJ6Wy7lvME2IU3WL1P05tpTPB8blHHlaEE1XksQu381cPnCd", - "last-connection": "2022-06-02T10:00:04.153335053Z", - "last-detection": "2022-06-02T12:00:03.105075395+02:00", - "last-event": "2022-06-02T12:00:03.105075395+02:00", + "key": "iTkq8TSE2eGNGTEJDPpWPtUmvOdJOhnnp0jQvLVWa7qeg6UXJ4w2IHbujvalvaRY", + "last-connection": "2022-06-03T09:45:48.882860471Z", + "last-detection": "2022-06-03T11:45:47.839884007+02:00", + "last-event": "2022-06-03T11:45:47.839884007+02:00", "score": 0, "status": "", "system-info": { @@ -3029,8 +3029,8 @@ var OpenAPIDefinition = ` }, "Event": { "Detection": true, - "Hash": "a919fa557726543b80affc4e97a611121ecdab4d", - "ReceiptTime": "2022-06-02T10:00:01.96971879Z" + "Hash": "23f56e0b1d266d18ae1c09cf1cdd19ad5f18168a", + "ReceiptTime": "2022-06-03T09:45:46.696109732Z" } }, "EventData": { @@ -3082,7 +3082,7 @@ var OpenAPIDefinition = ` "Value": 0 }, "TimeCreated": { - "SystemTime": "2022-06-02T12:00:00.935291099+02:00" + "SystemTime": "2022-06-03T11:45:45.66806389+02:00" } } } @@ -3093,7 +3093,7 @@ var OpenAPIDefinition = ` "Actions": [], "Criticality": 10, "Signature": [ - "UnknownServices" + "UntrustedDriverLoaded" ] }, "EdrData": { 
@@ -3105,47 +3105,27 @@ var OpenAPIDefinition = ` }, "Event": { "Detection": true, - "Hash": "c32ebb63b6092556911d304020c71438207b424c", - "ReceiptTime": "2022-06-02T10:00:01.970153162Z" + "Hash": "db9f9b0c2dea57cf1ef07ff57ce1018b9d1a4ee9", + "ReceiptTime": "2022-06-03T09:45:46.696497019Z" } }, "EventData": { - "Ancestors": "System|C:\\Windows\\System32\\smss.exe|C:\\Windows\\System32\\smss.exe|C:\\Windows\\System32\\wininit.exe|C:\\Windows\\System32\\services.exe", - "CommandLine": "\"C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe\" --flagfile=\"C:\\Program Files\\osquery\\osquery.flags\"", - "Company": "Facebook", - "CurrentDirectory": "C:\\Windows\\system32\\", - "Description": "osquery daemon and shell", - "FileVersion": "4.8.0.0", - "Hashes": "SHA1=ED57ADE89F017B9020D727749EC32EA6646DE163,MD5=50D99BE393641C95354D00DD9DB11F72,SHA256=4FE020D36C4031FC7E4D0AED28A1C1AABD157CAF49B2C9D16DBDDD4AAB19FA86,IMPHASH=27E96EFBAE3B96032D450234A10EDE3B", - "Image": "C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe", - "ImageSize": "21713568", - "IntegrityLevel": "System", - "LogonGuid": "{515cd0d1-7667-6123-e703-000000000000}", - "LogonId": "0x3E7", - "OriginalFileName": "osqueryd.exe", - "ParentCommandLine": "C:\\Windows\\system32\\services.exe", - "ParentImage": "C:\\Windows\\System32\\services.exe", - "ParentIntegrityLevel": "System", - "ParentProcessGuid": "{515cd0d1-7666-6123-0b00-000000007300}", - "ParentProcessId": "692", - "ParentServices": "N/A", - "ParentUser": "NT AUTHORITY\\SYSTEM", - "ProcessGuid": "{515cd0d1-7669-6123-4800-000000007300}", - "ProcessId": "3184", - "Product": "osquery", + "Hashes": "SHA1=11F6CFF4F8BAD13D982ABF21BC0E33F95A97DE82,MD5=4CD8560661E3695EEF104A280D4AB656,SHA256=77DA29156BC9536400CB7ADB742A5C331D7EACC93EA806D1C03E9D0FC8DAFA54,IMPHASH=1C4067E1C451E614D2A5000171502DD1", + "ImageLoaded": "C:\\Windows\\System32\\drivers\\VBoxSF.sys", + "ImageLoadedSize": "348104", "RuleName": "-", - "Services": "osqueryd", - "TerminalSessionId": "0", - 
"User": "NT AUTHORITY\\SYSTEM", - "UtcTime": "2021-08-23 10:20:25.415" + "Signature": "Oracle Corporation", + "SignatureStatus": "Valid", + "Signed": "true", + "UtcTime": "2021-08-23 10:20:18.704" }, "System": { "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "DESKTOP-LJRVE06", - "EventID": 1, + "EventID": 6, "Execution": { "ProcessID": 3220, - "ThreadID": 3848 + "ThreadID": 3584 }, "Keywords": { "Name": "", @@ -3168,7 +3148,7 @@ var OpenAPIDefinition = ` "Value": 0 }, "TimeCreated": { - "SystemTime": "2022-06-02T12:00:00.935321905+02:00" + "SystemTime": "2022-06-03T11:45:45.668109687+02:00" } } } 
@@ -3294,29 +3274,20 @@ var OpenAPIDefinition = ` }, "Event": { "Detection": false, - "Hash": "ea5e3b9c258fa467dfd9fc3dd805d102e50f9e78", - "ReceiptTime": "2022-06-02T10:00:01.964923877Z" + "Hash": "68995d92f7fe6d2898a68d7514f85ec8a10d2d1c", + "ReceiptTime": "2022-06-03T09:45:46.691891025Z" } }, "EventData": { - "CommandLine": "C:\\Windows\\system32\\svchost.exe -k appmodel -p -s StateRepository", - "CurrentDirectory": "C:\\Windows\\system32\\", "Details": "Binary Data", "EventType": "SetValue", - "Image": "C:\\Windows\\system32\\svchost.exe", - "ImageHashes": "SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69", - "ImageSignature": "?", - "ImageSignatureStatus": "?", - "ImageSigned": "false", - "IntegrityLevel": "System", - "ProcessGuid": "{515cd0d1-7668-6123-3c00-000000007300}", - "ProcessId": "2556", - "ProcessThreatScore": "0", + "Image": "System", + "ProcessGuid": "{515cd0d1-7662-6123-eb03-000000000000}", + "ProcessId": "4", + "ProcessThreatScore": "-1", "RuleName": "-", - "Services": "StateRepository", - "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageUser\\Data\\489\\_IndexKeys", - "User": "NT AUTHORITY\\SYSTEM", - "UtcTime": "2021-08-23 10:20:30.443" + "TargetObject": "HKLM\\System\\CurrentControlSet\\Enum\\PCI\\VEN_8086\u0026DEV_1E31\u0026SUBSYS_00000000\u0026REV_00\\3\u0026267a616a\u00260\u002660\\Control\\AllocConfig", + "UtcTime": "2021-08-23 10:20:18.954" }, "System": { "Channel": "Microsoft-Windows-Sysmon/Operational", @@ -3347,7 +3318,7 @@ var OpenAPIDefinition = ` "Value": 0 }, "TimeCreated": { - "SystemTime": "2022-06-02T12:00:00.934557264+02:00" + "SystemTime": "2022-06-03T11:45:45.667358349+02:00" } } } 
@@ -3363,29 +3334,29 @@ var OpenAPIDefinition = ` }, "Event": { "Detection": false, - "Hash": "caf36e3fe4c84263bd3a460d1eab1857a5d0fd1f", - "ReceiptTime": "2022-06-02T10:00:01.965338558Z" + "Hash": "a6484e33fd306b07374bcb129e9564b97d27fafc", + "ReceiptTime": "2022-06-03T09:45:46.692250114Z" } }, "EventData": { - "CommandLine": "C:\\Windows\\System32\\svchost.exe -k utcsvc -p", + "CommandLine": "C:\\Windows\\system32\\svchost.exe -k appmodel -p -s StateRepository", "CurrentDirectory": "C:\\Windows\\system32\\", - "Details": "DWORD (0x00000000)", + "Details": "Binary Data", "EventType": "SetValue", - "Image": "C:\\Windows\\System32\\svchost.exe", + "Image": "C:\\Windows\\system32\\svchost.exe", "ImageHashes": "SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69", "ImageSignature": "?", "ImageSignatureStatus": "?", "ImageSigned": "false", "IntegrityLevel": "System", - "ProcessGuid": "{515cd0d1-7669-6123-4500-000000007300}", - "ProcessId": "2364", + "ProcessGuid": "{515cd0d1-7668-6123-3c00-000000007300}", + "ProcessId": "2556", "ProcessThreatScore": "0", "RuleName": "-", - "Services": "DiagTrack", - "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\HeartBeats\\Default\\EventStoreLifetimeReset", + "Services": "StateRepository", + "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\ApplicationExtension\\Data\\530\\_IndexKeys", "User": "NT AUTHORITY\\SYSTEM", - "UtcTime": "2021-08-23 10:20:30.007" + "UtcTime": "2021-08-23 10:20:30.795" }, "System": { "Channel": "Microsoft-Windows-Sysmon/Operational", @@ -3416,7 +3387,7 @@ var OpenAPIDefinition = ` "Value": 0 }, "TimeCreated": { - "SystemTime": "2022-06-02T12:00:00.934557756+02:00" + "SystemTime": "2022-06-03T11:45:45.667359075+02:00" } } } 
@@ -3462,30 +3433,30 @@ var OpenAPIDefinition = ` "avg-signature-criticality": 0, "bounded-score": 0, "count-by-signature": { - "DefenderConfigChanged": 8, - "NewAutorun": 13, - "SuspiciousService": 6, - "UnknownServices": 11, - "UntrustedDriverLoaded": 12 + "DefenderConfigChanged": 3, + "NewAutorun": 14, + "SuspiciousService": 7, + "UnknownServices": 10, + "UntrustedDriverLoaded": 16 }, "count-uniq-signatures": 5, "identifier": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d", - "median-time": "2022-06-02T12:00:04.258557576+02:00", + "median-time": "2022-06-03T11:45:48.964335026+02:00", "score": 0, "signature-count": 50, "signature-criticality-metric": 0, "signature-diversity": 100, "signatures": [ "UntrustedDriverLoaded", - "SuspiciousService", - "NewAutorun", "DefenderConfigChanged", + "NewAutorun", + "SuspiciousService", "UnknownServices" ], - "start-time": "2022-06-02T12:00:04.256839129+02:00", + "start-time": "2022-06-03T11:45:48.962756586+02:00", "std-dev-alert-criticality": 0, "std-dev-signature-criticality": -92233720368547760, - "stop-time": "2022-06-02T12:00:04.260276024+02:00", + "stop-time": "2022-06-03T11:45:48.965913467+02:00", "sum-alert-criticality": 0, "sum-rule-criticality": 0, "tactics": null, 
@@ -3529,30 +3500,30 @@ var OpenAPIDefinition = ` "avg-signature-criticality": 0, "bounded-score": 0, "count-by-signature": { - "DefenderConfigChanged": 8, - "NewAutorun": 13, - "SuspiciousService": 6, - "UnknownServices": 11, - "UntrustedDriverLoaded": 12 + "DefenderConfigChanged": 3, + "NewAutorun": 14, + "SuspiciousService": 7, + "UnknownServices": 10, + "UntrustedDriverLoaded": 16 }, "count-uniq-signatures": 5, "identifier": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d", - "median-time": "2022-06-02T12:00:04.258557576+02:00", + "median-time": "2022-06-03T11:45:48.964335026+02:00", "score": 0, "signature-count": 50, "signature-criticality-metric": 0, "signature-diversity": 100, "signatures": [ - "SuspiciousService", - "NewAutorun", + "UntrustedDriverLoaded", "DefenderConfigChanged", - "UnknownServices", - "UntrustedDriverLoaded" + "NewAutorun", + "SuspiciousService", + "UnknownServices" ], - "start-time": "2022-06-02T12:00:04.256839129+02:00", + "start-time": "2022-06-03T11:45:48.962756586+02:00", "std-dev-alert-criticality": 0, "std-dev-signature-criticality": -92233720368547760, - "stop-time": "2022-06-02T12:00:04.260276024+02:00", + "stop-time": "2022-06-03T11:45:48.965913467+02:00", "sum-alert-criticality": 0, "sum-rule-criticality": 0, "tactics": null, 
@@ -3638,35 +3609,35 @@ var OpenAPIDefinition = ` { "alert-count": 50, "alert-criticality-metric": 0, - "archived-time": "2022-06-02T12:00:05.313250719+02:00", + "archived-time": "2022-06-03T11:45:50.038614848+02:00", "avg-alert-criticality": 0, "avg-signature-criticality": 0, "bounded-score": 0, "count-by-signature": { - "DefenderConfigChanged": 8, - "NewAutorun": 13, - "SuspiciousService": 6, - "UnknownServices": 11, - "UntrustedDriverLoaded": 12 + "DefenderConfigChanged": 3, + "NewAutorun": 14, + "SuspiciousService": 7, + "UnknownServices": 10, + "UntrustedDriverLoaded": 16 }, "count-uniq-signatures": 5, "identifier": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d", - "median-time": "2022-06-02T12:00:04.258557576+02:00", + "median-time": "2022-06-03T11:45:48.964335026+02:00", "score": 0, "signature-count": 50, "signature-criticality-metric": 0, "signature-diversity": 100, "signatures": [ - "SuspiciousService", - "NewAutorun", + "UntrustedDriverLoaded", "DefenderConfigChanged", - "UnknownServices", - "UntrustedDriverLoaded" + "NewAutorun", + "SuspiciousService", + "UnknownServices" ], - "start-time": "2022-06-02T12:00:04.256839129+02:00", + "start-time": "2022-06-03T11:45:48.962756586+02:00", "std-dev-alert-criticality": 0, "std-dev-signature-criticality": -92233720368547760, - "stop-time": "2022-06-02T12:00:04.260276024+02:00", + "stop-time": "2022-06-03T11:45:48.965913467+02:00", "sum-alert-criticality": 0, "sum-rule-criticality": 0, "tactics": null, @@ -3748,10 +3719,10 @@ var OpenAPIDefinition = ` "example": { "data": [ { - "guuid": "a8c17f68-4577-74c0-6bba-f77f15bf6289", + "guuid": "2a980338-3693-29a9-20e6-78fda21b9a8c", "source": "XyzTIProvider", "type": "domain", - "uuid": "bebd8aa6-638f-8cdd-cc67-5e36cb32c222", + "uuid": "d682e160-6e39-d5c6-105b-73254e6403e6", "value": "some.random.domain" } ], 
@@ -3799,8 +3770,8 @@ var OpenAPIDefinition = ` }, "example": [ { - "uuid": "bebd8aa6-638f-8cdd-cc67-5e36cb32c222", - "guuid": "a8c17f68-4577-74c0-6bba-f77f15bf6289", + "uuid": "d682e160-6e39-d5c6-105b-73254e6403e6", + "guuid": "2a980338-3693-29a9-20e6-78fda21b9a8c", "source": "XyzTIProvider", "value": "some.random.domain", "type": "domain" @@ -3818,10 +3789,10 @@ var OpenAPIDefinition = ` "example": { "data": [ { - "guuid": "a8c17f68-4577-74c0-6bba-f77f15bf6289", + "guuid": "2a980338-3693-29a9-20e6-78fda21b9a8c", "source": "XyzTIProvider", "type": "domain", - "uuid": "bebd8aa6-638f-8cdd-cc67-5e36cb32c222", + "uuid": "d682e160-6e39-d5c6-105b-73254e6403e6", "value": "some.random.domain" } ], @@ -4318,8 +4289,8 @@ var OpenAPIDefinition = ` "description": "", "group": "", "identifier": "TestAdminUser", - "key": "q1HvU3tVkuOlKDXDV35jsT0O5Gu0C2IiupicaVumMoz6dPsYtoYOw9ivTcTORT8V", - "uuid": "e0a23e9b-5156-ddbb-8ec2-698d55c867ec" + "key": "uXCpgXeWFDpuSJwYVPV7OtOt05klFxEUmh0QtsUqDRTXCS9NDPghn3s878fXO4Nd", + "uuid": "c40ed31e-c9a6-9934-41db-0f395f3a801b" }, "error": "", "message": "OK" @@ -4362,7 +4333,7 @@ var OpenAPIDefinition = ` } }, "example": { - "uuid": "010ebdd8-04dc-d834-47d6-af19a8316325", + "uuid": "36b8f308-fb83-ae6e-9920-912f00dccc44", "identifier": "SecondTestAdmin", "key": "ChangeMe", "group": "CSIRT", @@ -4383,7 +4354,7 @@ var OpenAPIDefinition = ` "group": "CSIRT", "identifier": "SecondTestAdmin", "key": "ChangeMe", - "uuid": "010ebdd8-04dc-d834-47d6-af19a8316325" + "uuid": "36b8f308-fb83-ae6e-9920-912f00dccc44" }, "error": "", "message": "OK" @@ -4471,7 +4442,7 @@ var OpenAPIDefinition = ` "group": "SOC", "identifier": "SecondTestAdmin", "key": "NewWeakKey", - "uuid": "010ebdd8-04dc-d834-47d6-af19a8316325" + "uuid": "36b8f308-fb83-ae6e-9920-912f00dccc44" }, "error": "", "message": "OK" 
@@ -4509,7 +4480,7 @@ var OpenAPIDefinition = ` "group": "SOC", "identifier": "SecondTestAdmin", "key": "NewWeakKey", - "uuid": "010ebdd8-04dc-d834-47d6-af19a8316325" + "uuid": "36b8f308-fb83-ae6e-9920-912f00dccc44" }, "error": "", "message": "OK" diff --git a/doc/admin.openapi.json b/doc/admin.openapi.json index 662fab9..e5df896 100644 --- a/doc/admin.openapi.json +++ b/doc/admin.openapi.json @@ -72,10 +72,10 @@ "group": "", "hostname": "OpenHappy", "ip": "127.0.0.1", - "key": "BW9XE8d1IIUDE9E13yz5Bq5nNw3xuo4k0VYYE0mVu12UnnQS7EnsQlfa9wdrmpdv", - "last-connection": "2022-06-02T10:00:03.071536486Z", - "last-detection": "2022-06-02T12:00:02.020455738+02:00", - "last-event": "2022-06-02T12:00:02.020455738+02:00", + "key": "jdMGINLfFFbIirpNP8fuJ6nWPgt1ilmixyURpTbCjL827L4C1Ic6ypeBnRBu96Ic", + "last-connection": "2022-06-03T09:45:47.797766967Z", + "last-detection": "2022-06-03T11:45:46.746166548+02:00", + "last-event": "2022-06-03T11:45:46.746166548+02:00", "score": 0, "status": "", "system-info": { @@ -151,13 +151,13 @@ "group": "", "hostname": "", "ip": "", - "key": "SeErw5tCsgu5xbRLUPr1bRMeH9rwhgKhrbNtTki3EPK1vSMalU2asDEfrIFpM8qR", + "key": "5k8ifrCU7h2ek6qgBvJzbFMwxJ3Bxe5WKiDOj1auWcsXQGlTplfEp1iWjXaaMdMK", "last-connection": "0001-01-01T00:00:00Z", "last-detection": "0001-01-01T00:00:00Z", "last-event": "0001-01-01T00:00:00Z", "score": 0, "status": "", - "uuid": "1f36293a-658e-8ce5-3c87-e6be45e6c8ef" + "uuid": "25645909-a661-aef5-0aec-26151d1e0ee4" }, "error": "", "message": "OK" 
@@ -197,21 +197,21 @@ "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d": [ { "base-url": "/endpoints/5a92baeb-9384-47d3-92b4-a0db6f9b8c6d/artifacts/5a92baeb-9384-47d3-92b4-a0db6f9b8c6d/3d8441643c204ba9b9dcb5c414b25a3129f66f6c/", - "creation": "2022-06-02T10:00:06.439403368Z", + "creation": "2022-06-03T09:45:51.192861163Z", "event-hash": "3d8441643c204ba9b9dcb5c414b25a3129f66f6c", "files": [ { "name": "bar.txt", "size": 4, - "timestamp": "2022-06-02T10:00:06.4494034Z" + "timestamp": "2022-06-03T09:45:51.206194539Z" }, { "name": "foo.txt", "size": 4, - "timestamp": "2022-06-02T10:00:06.439403368Z" + "timestamp": "2022-06-03T09:45:51.192861163Z" } ], - "modification": "2022-06-02T10:00:06.4494034Z", + "modification": "2022-06-03T09:45:51.206194539Z", "process-guid": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d" } ] 
@@ -245,30 +245,30 @@ "avg-signature-criticality": 0, "bounded-score": 0, "count-by-signature": { - "DefenderConfigChanged": 8, - "NewAutorun": 13, - "SuspiciousService": 6, - "UnknownServices": 11, - "UntrustedDriverLoaded": 12 + "DefenderConfigChanged": 3, + "NewAutorun": 14, + "SuspiciousService": 7, + "UnknownServices": 10, + "UntrustedDriverLoaded": 16 }, "count-uniq-signatures": 5, "identifier": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d", - "median-time": "2022-06-02T12:00:04.258557576+02:00", + "median-time": "2022-06-03T11:45:48.964335026+02:00", "score": 0, "signature-count": 50, "signature-criticality-metric": 0, "signature-diversity": 100, "signatures": [ - "SuspiciousService", - "NewAutorun", + "UntrustedDriverLoaded", "DefenderConfigChanged", - "UnknownServices", - "UntrustedDriverLoaded" + "NewAutorun", + "SuspiciousService", + "UnknownServices" ], - "start-time": "2022-06-02T12:00:04.256839129+02:00", + "start-time": "2022-06-03T11:45:48.962756586+02:00", "std-dev-alert-criticality": 0, "std-dev-signature-criticality": -92233720368547760, - "stop-time": "2022-06-02T12:00:04.260276024+02:00", + "stop-time": "2022-06-03T11:45:48.965913467+02:00", "sum-alert-criticality": 0, "sum-rule-criticality": 0, "tactics": null, @@ -329,7 +329,7 @@ }, "name": "osqueryi", "os": "windows", - "uuid": "e7ea5d93-d389-2798-2413-c4ed7f60f25e" + "uuid": "97b2fc1b-08c7-09ac-7b88-00e5153c4b14" }, "error": "", "message": "OK" @@ -396,7 +396,7 @@ }, "name": "osqueryi", "os": "windows", - "uuid": "e7ea5d93-d389-2798-2413-c4ed7f60f25e" + "uuid": "97b2fc1b-08c7-09ac-7b88-00e5153c4b14" }, "error": "", "message": "OK" @@ -450,7 +450,7 @@ }, "name": "osqueryi", "os": "windows", - "uuid": "e7ea5d93-d389-2798-2413-c4ed7f60f25e" + "uuid": "97b2fc1b-08c7-09ac-7b88-00e5153c4b14" }, "error": "", "message": "OK" 
@@ -506,7 +506,7 @@ }, "name": "sysmon", "os": "windows", - "uuid": "c337adc2-2b6d-3519-3897-68723788e82a" + "uuid": "e52e39fe-a5cb-336e-c5a2-a22dd8b46fe2" }, "error": "", "message": "OK" @@ -573,7 +573,7 @@ }, "name": "sysmon", "os": "windows", - "uuid": "c337adc2-2b6d-3519-3897-68723788e82a" + "uuid": "e52e39fe-a5cb-336e-c5a2-a22dd8b46fe2" }, "error": "", "message": "OK" @@ -627,7 +627,7 @@ }, "name": "sysmon", "os": "windows", - "uuid": "c337adc2-2b6d-3519-3897-68723788e82a" + "uuid": "e52e39fe-a5cb-336e-c5a2-a22dd8b46fe2" }, "error": "", "message": "OK" @@ -1911,9 +1911,9 @@ "group": "", "hostname": "OpenHappy", "ip": "127.0.0.1", - "last-connection": "2022-06-02T10:00:03.082320817Z", - "last-detection": "2022-06-02T12:00:02.020455738+02:00", - "last-event": "2022-06-02T12:00:02.020455738+02:00", + "last-connection": "2022-06-03T09:45:47.797766967Z", + "last-detection": "2022-06-03T11:45:46.746166548+02:00", + "last-event": "2022-06-03T11:45:46.746166548+02:00", "score": 0, "status": "", "system-info": { @@ -2329,9 +2329,9 @@ "group": "New Group", "hostname": "OpenHappy", "ip": "127.0.0.1", - "last-connection": "2022-06-02T10:00:03.082320817Z", - "last-detection": "2022-06-02T12:00:02.020455738+02:00", - "last-event": "2022-06-02T12:00:02.020455738+02:00", + "last-connection": "2022-06-03T09:45:47.797766967Z", + "last-detection": "2022-06-03T11:45:46.746166548+02:00", + "last-event": "2022-06-03T11:45:46.746166548+02:00", "score": 0, "status": "New Status", "system-info": { @@ -2435,9 +2435,9 @@ "group": "New Group", "hostname": "OpenHappy", "ip": "127.0.0.1", - "last-connection": "2022-06-02T10:00:03.082320817Z", - "last-detection": "2022-06-02T12:00:02.020455738+02:00", - "last-event": "2022-06-02T12:00:02.020455738+02:00", + "last-connection": "2022-06-03T09:45:47.797766967Z", + "last-detection": "2022-06-03T11:45:46.746166548+02:00", + "last-event": "2022-06-03T11:45:46.746166548+02:00", "score": 0, "status": "New Status", "system-info": { 
@@ -2535,21 +2535,21 @@ "data": [ { "base-url": "/endpoints/5a92baeb-9384-47d3-92b4-a0db6f9b8c6d/artifacts/5a92baeb-9384-47d3-92b4-a0db6f9b8c6d/3d8441643c204ba9b9dcb5c414b25a3129f66f6c/", - "creation": "2022-06-02T10:00:06.439403368Z", + "creation": "2022-06-03T09:45:51.192861163Z", "event-hash": "3d8441643c204ba9b9dcb5c414b25a3129f66f6c", "files": [ { "name": "bar.txt", "size": 4, - "timestamp": "2022-06-02T10:00:06.4494034Z" + "timestamp": "2022-06-03T09:45:51.206194539Z" }, { "name": "foo.txt", "size": 4, - "timestamp": "2022-06-02T10:00:06.439403368Z" + "timestamp": "2022-06-03T09:45:51.192861163Z" } ], - "modification": "2022-06-02T10:00:06.4494034Z", + "modification": "2022-06-03T09:45:51.206194539Z", "process-guid": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d" } ], @@ -2694,11 +2694,11 @@ "json": null, "name": "/usr/bin/printf", "sent": true, - "sent-time": "2022-06-02T12:00:04.174485878+02:00", + "sent-time": "2022-06-03T11:45:48.892804448+02:00", "stderr": "", "stdout": "SGVsbG8gV29ybGQ=", "timeout": 0, - "uuid": "4f3750f2-f19a-8f7d-10fb-1b798c250a0f" + "uuid": "ebe4a344-1a90-f731-bc02-3ebad570a5f4" }, "error": "", "message": "OK" @@ -2786,16 +2786,16 @@ "stderr": null, "stdout": null, "timeout": 0, - "uuid": "4f3750f2-f19a-8f7d-10fb-1b798c250a0f" + "uuid": "ebe4a344-1a90-f731-bc02-3ebad570a5f4" }, "criticality": 0, "group": "", "hostname": "OpenHappy", "ip": "127.0.0.1", - "key": "vKmdf2qemYdLetLvHJ6Wy7lvME2IU3WL1P05tpTPB8blHHlaEE1XksQu381cPnCd", - "last-connection": "2022-06-02T10:00:04.153335053Z", - "last-detection": "2022-06-02T12:00:03.105075395+02:00", - "last-event": "2022-06-02T12:00:03.105075395+02:00", + "key": "iTkq8TSE2eGNGTEJDPpWPtUmvOdJOhnnp0jQvLVWa7qeg6UXJ4w2IHbujvalvaRY", + "last-connection": "2022-06-03T09:45:48.882860471Z", + "last-detection": "2022-06-03T11:45:47.839884007+02:00", + "last-event": "2022-06-03T11:45:47.839884007+02:00", "score": 0, "status": "", "system-info": { 
@@ -3027,8 +3027,8 @@ }, "Event": { "Detection": true, - "Hash": "a919fa557726543b80affc4e97a611121ecdab4d", - "ReceiptTime": "2022-06-02T10:00:01.96971879Z" + "Hash": "23f56e0b1d266d18ae1c09cf1cdd19ad5f18168a", + "ReceiptTime": "2022-06-03T09:45:46.696109732Z" } }, "EventData": { @@ -3080,7 +3080,7 @@ "Value": 0 }, "TimeCreated": { - "SystemTime": "2022-06-02T12:00:00.935291099+02:00" + "SystemTime": "2022-06-03T11:45:45.66806389+02:00" } } } @@ -3091,7 +3091,7 @@ "Actions": [], "Criticality": 10, "Signature": [ - "UnknownServices" + "UntrustedDriverLoaded" ] }, "EdrData": { 
@@ -3103,47 +3103,27 @@ }, "Event": { "Detection": true, - "Hash": "c32ebb63b6092556911d304020c71438207b424c", - "ReceiptTime": "2022-06-02T10:00:01.970153162Z" + "Hash": "db9f9b0c2dea57cf1ef07ff57ce1018b9d1a4ee9", + "ReceiptTime": "2022-06-03T09:45:46.696497019Z" } }, "EventData": { - "Ancestors": "System|C:\\Windows\\System32\\smss.exe|C:\\Windows\\System32\\smss.exe|C:\\Windows\\System32\\wininit.exe|C:\\Windows\\System32\\services.exe", - "CommandLine": "\"C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe\" --flagfile=\"C:\\Program Files\\osquery\\osquery.flags\"", - "Company": "Facebook", - "CurrentDirectory": "C:\\Windows\\system32\\", - "Description": "osquery daemon and shell", - "FileVersion": "4.8.0.0", - "Hashes": "SHA1=ED57ADE89F017B9020D727749EC32EA6646DE163,MD5=50D99BE393641C95354D00DD9DB11F72,SHA256=4FE020D36C4031FC7E4D0AED28A1C1AABD157CAF49B2C9D16DBDDD4AAB19FA86,IMPHASH=27E96EFBAE3B96032D450234A10EDE3B", - "Image": "C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe", - "ImageSize": "21713568", - "IntegrityLevel": "System", - "LogonGuid": "{515cd0d1-7667-6123-e703-000000000000}", - "LogonId": "0x3E7", - "OriginalFileName": "osqueryd.exe", - "ParentCommandLine": "C:\\Windows\\system32\\services.exe", - "ParentImage": "C:\\Windows\\System32\\services.exe", - "ParentIntegrityLevel": "System", - "ParentProcessGuid": "{515cd0d1-7666-6123-0b00-000000007300}", - "ParentProcessId": "692", - "ParentServices": "N/A", - "ParentUser": "NT AUTHORITY\\SYSTEM", - "ProcessGuid": "{515cd0d1-7669-6123-4800-000000007300}", - "ProcessId": "3184", - "Product": "osquery", + "Hashes": "SHA1=11F6CFF4F8BAD13D982ABF21BC0E33F95A97DE82,MD5=4CD8560661E3695EEF104A280D4AB656,SHA256=77DA29156BC9536400CB7ADB742A5C331D7EACC93EA806D1C03E9D0FC8DAFA54,IMPHASH=1C4067E1C451E614D2A5000171502DD1", + "ImageLoaded": "C:\\Windows\\System32\\drivers\\VBoxSF.sys", + "ImageLoadedSize": "348104", "RuleName": "-", - "Services": "osqueryd", - "TerminalSessionId": "0", - "User": "NT 
AUTHORITY\\SYSTEM", - "UtcTime": "2021-08-23 10:20:25.415" + "Signature": "Oracle Corporation", + "SignatureStatus": "Valid", + "Signed": "true", + "UtcTime": "2021-08-23 10:20:18.704" }, "System": { "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "DESKTOP-LJRVE06", - "EventID": 1, + "EventID": 6, "Execution": { "ProcessID": 3220, - "ThreadID": 3848 + "ThreadID": 3584 }, "Keywords": { "Name": "", @@ -3166,7 +3146,7 @@ "Value": 0 }, "TimeCreated": { - "SystemTime": "2022-06-02T12:00:00.935321905+02:00" + "SystemTime": "2022-06-03T11:45:45.668109687+02:00" } } } 
@@ -3292,29 +3272,20 @@ }, "Event": { "Detection": false, - "Hash": "ea5e3b9c258fa467dfd9fc3dd805d102e50f9e78", - "ReceiptTime": "2022-06-02T10:00:01.964923877Z" + "Hash": "68995d92f7fe6d2898a68d7514f85ec8a10d2d1c", + "ReceiptTime": "2022-06-03T09:45:46.691891025Z" } }, "EventData": { - "CommandLine": "C:\\Windows\\system32\\svchost.exe -k appmodel -p -s StateRepository", - "CurrentDirectory": "C:\\Windows\\system32\\", "Details": "Binary Data", "EventType": "SetValue", - "Image": "C:\\Windows\\system32\\svchost.exe", - "ImageHashes": "SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69", - "ImageSignature": "?", - "ImageSignatureStatus": "?", - "ImageSigned": "false", - "IntegrityLevel": "System", - "ProcessGuid": "{515cd0d1-7668-6123-3c00-000000007300}", - "ProcessId": "2556", - "ProcessThreatScore": "0", + "Image": "System", + "ProcessGuid": "{515cd0d1-7662-6123-eb03-000000000000}", + "ProcessId": "4", + "ProcessThreatScore": "-1", "RuleName": "-", - "Services": "StateRepository", - "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageUser\\Data\\489\\_IndexKeys", - "User": "NT AUTHORITY\\SYSTEM", - "UtcTime": "2021-08-23 10:20:30.443" + "TargetObject": "HKLM\\System\\CurrentControlSet\\Enum\\PCI\\VEN_8086\u0026DEV_1E31\u0026SUBSYS_00000000\u0026REV_00\\3\u0026267a616a\u00260\u002660\\Control\\AllocConfig", + "UtcTime": "2021-08-23 10:20:18.954" }, "System": { "Channel": "Microsoft-Windows-Sysmon/Operational", @@ -3345,7 +3316,7 @@ "Value": 0 }, "TimeCreated": { - "SystemTime": "2022-06-02T12:00:00.934557264+02:00" + "SystemTime": "2022-06-03T11:45:45.667358349+02:00" } } } 
@@ -3361,29 +3332,29 @@ }, "Event": { "Detection": false, - "Hash": "caf36e3fe4c84263bd3a460d1eab1857a5d0fd1f", - "ReceiptTime": "2022-06-02T10:00:01.965338558Z" + "Hash": "a6484e33fd306b07374bcb129e9564b97d27fafc", + "ReceiptTime": "2022-06-03T09:45:46.692250114Z" } }, "EventData": { - "CommandLine": "C:\\Windows\\System32\\svchost.exe -k utcsvc -p", + "CommandLine": "C:\\Windows\\system32\\svchost.exe -k appmodel -p -s StateRepository", "CurrentDirectory": "C:\\Windows\\system32\\", - "Details": "DWORD (0x00000000)", + "Details": "Binary Data", "EventType": "SetValue", - "Image": "C:\\Windows\\System32\\svchost.exe", + "Image": "C:\\Windows\\system32\\svchost.exe", "ImageHashes": "SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69", "ImageSignature": "?", "ImageSignatureStatus": "?", "ImageSigned": "false", "IntegrityLevel": "System", - "ProcessGuid": "{515cd0d1-7669-6123-4500-000000007300}", - "ProcessId": "2364", + "ProcessGuid": "{515cd0d1-7668-6123-3c00-000000007300}", + "ProcessId": "2556", "ProcessThreatScore": "0", "RuleName": "-", - "Services": "DiagTrack", - "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\HeartBeats\\Default\\EventStoreLifetimeReset", + "Services": "StateRepository", + "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\ApplicationExtension\\Data\\530\\_IndexKeys", "User": "NT AUTHORITY\\SYSTEM", - "UtcTime": "2021-08-23 10:20:30.007" + "UtcTime": "2021-08-23 10:20:30.795" }, "System": { "Channel": "Microsoft-Windows-Sysmon/Operational", @@ -3414,7 +3385,7 @@ "Value": 0 }, "TimeCreated": { - "SystemTime": "2022-06-02T12:00:00.934557756+02:00" + "SystemTime": "2022-06-03T11:45:45.667359075+02:00" } } } 
@@ -3460,30 +3431,30 @@ "avg-signature-criticality": 0, "bounded-score": 0, "count-by-signature": { - "DefenderConfigChanged": 8, - "NewAutorun": 13, - "SuspiciousService": 6, - "UnknownServices": 11, - "UntrustedDriverLoaded": 12 + "DefenderConfigChanged": 3, + "NewAutorun": 14, + "SuspiciousService": 7, + "UnknownServices": 10, + "UntrustedDriverLoaded": 16 }, "count-uniq-signatures": 5, "identifier": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d", - "median-time": "2022-06-02T12:00:04.258557576+02:00", + "median-time": "2022-06-03T11:45:48.964335026+02:00", "score": 0, "signature-count": 50, "signature-criticality-metric": 0, "signature-diversity": 100, "signatures": [ "UntrustedDriverLoaded", - "SuspiciousService", - "NewAutorun", "DefenderConfigChanged", + "NewAutorun", + "SuspiciousService", "UnknownServices" ], - "start-time": "2022-06-02T12:00:04.256839129+02:00", + "start-time": "2022-06-03T11:45:48.962756586+02:00", "std-dev-alert-criticality": 0, "std-dev-signature-criticality": -92233720368547760, - "stop-time": "2022-06-02T12:00:04.260276024+02:00", + "stop-time": "2022-06-03T11:45:48.965913467+02:00", "sum-alert-criticality": 0, "sum-rule-criticality": 0, "tactics": null, 
@@ -3527,30 +3498,30 @@ "avg-signature-criticality": 0, "bounded-score": 0, "count-by-signature": { - "DefenderConfigChanged": 8, - "NewAutorun": 13, - "SuspiciousService": 6, - "UnknownServices": 11, - "UntrustedDriverLoaded": 12 + "DefenderConfigChanged": 3, + "NewAutorun": 14, + "SuspiciousService": 7, + "UnknownServices": 10, + "UntrustedDriverLoaded": 16 }, "count-uniq-signatures": 5, "identifier": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d", - "median-time": "2022-06-02T12:00:04.258557576+02:00", + "median-time": "2022-06-03T11:45:48.964335026+02:00", "score": 0, "signature-count": 50, "signature-criticality-metric": 0, "signature-diversity": 100, "signatures": [ - "SuspiciousService", - "NewAutorun", + "UntrustedDriverLoaded", "DefenderConfigChanged", - "UnknownServices", - "UntrustedDriverLoaded" + "NewAutorun", + "SuspiciousService", + "UnknownServices" ], - "start-time": "2022-06-02T12:00:04.256839129+02:00", + "start-time": "2022-06-03T11:45:48.962756586+02:00", "std-dev-alert-criticality": 0, "std-dev-signature-criticality": -92233720368547760, - "stop-time": "2022-06-02T12:00:04.260276024+02:00", + "stop-time": "2022-06-03T11:45:48.965913467+02:00", "sum-alert-criticality": 0, "sum-rule-criticality": 0, "tactics": null, 
@@ -3636,35 +3607,35 @@ { "alert-count": 50, "alert-criticality-metric": 0, - "archived-time": "2022-06-02T12:00:05.313250719+02:00", + "archived-time": "2022-06-03T11:45:50.038614848+02:00", "avg-alert-criticality": 0, "avg-signature-criticality": 0, "bounded-score": 0, "count-by-signature": { - "DefenderConfigChanged": 8, - "NewAutorun": 13, - "SuspiciousService": 6, - "UnknownServices": 11, - "UntrustedDriverLoaded": 12 + "DefenderConfigChanged": 3, + "NewAutorun": 14, + "SuspiciousService": 7, + "UnknownServices": 10, + "UntrustedDriverLoaded": 16 }, "count-uniq-signatures": 5, "identifier": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d", - "median-time": "2022-06-02T12:00:04.258557576+02:00", + "median-time": "2022-06-03T11:45:48.964335026+02:00", "score": 0, "signature-count": 50, "signature-criticality-metric": 0, "signature-diversity": 100, "signatures": [ - "SuspiciousService", - "NewAutorun", + "UntrustedDriverLoaded", "DefenderConfigChanged", - "UnknownServices", - "UntrustedDriverLoaded" + "NewAutorun", + "SuspiciousService", + "UnknownServices" ], - "start-time": "2022-06-02T12:00:04.256839129+02:00", + "start-time": "2022-06-03T11:45:48.962756586+02:00", "std-dev-alert-criticality": 0, "std-dev-signature-criticality": -92233720368547760, - "stop-time": "2022-06-02T12:00:04.260276024+02:00", + "stop-time": "2022-06-03T11:45:48.965913467+02:00", "sum-alert-criticality": 0, "sum-rule-criticality": 0, "tactics": null, @@ -3746,10 +3717,10 @@ "example": { "data": [ { - "guuid": "a8c17f68-4577-74c0-6bba-f77f15bf6289", + "guuid": "2a980338-3693-29a9-20e6-78fda21b9a8c", "source": "XyzTIProvider", "type": "domain", - "uuid": "bebd8aa6-638f-8cdd-cc67-5e36cb32c222", + "uuid": "d682e160-6e39-d5c6-105b-73254e6403e6", "value": "some.random.domain" } ], 
@@ -3797,8 +3768,8 @@ }, "example": [ { - "uuid": "bebd8aa6-638f-8cdd-cc67-5e36cb32c222", - "guuid": "a8c17f68-4577-74c0-6bba-f77f15bf6289", + "uuid": "d682e160-6e39-d5c6-105b-73254e6403e6", + "guuid": "2a980338-3693-29a9-20e6-78fda21b9a8c", "source": "XyzTIProvider", "value": "some.random.domain", "type": "domain" @@ -3816,10 +3787,10 @@ "example": { "data": [ { - "guuid": "a8c17f68-4577-74c0-6bba-f77f15bf6289", + "guuid": "2a980338-3693-29a9-20e6-78fda21b9a8c", "source": "XyzTIProvider", "type": "domain", - "uuid": "bebd8aa6-638f-8cdd-cc67-5e36cb32c222", + "uuid": "d682e160-6e39-d5c6-105b-73254e6403e6", "value": "some.random.domain" } ], @@ -4316,8 +4287,8 @@ "description": "", "group": "", "identifier": "TestAdminUser", - "key": "q1HvU3tVkuOlKDXDV35jsT0O5Gu0C2IiupicaVumMoz6dPsYtoYOw9ivTcTORT8V", - "uuid": "e0a23e9b-5156-ddbb-8ec2-698d55c867ec" + "key": "uXCpgXeWFDpuSJwYVPV7OtOt05klFxEUmh0QtsUqDRTXCS9NDPghn3s878fXO4Nd", + "uuid": "c40ed31e-c9a6-9934-41db-0f395f3a801b" }, "error": "", "message": "OK" @@ -4360,7 +4331,7 @@ } }, "example": { - "uuid": "010ebdd8-04dc-d834-47d6-af19a8316325", + "uuid": "36b8f308-fb83-ae6e-9920-912f00dccc44", "identifier": "SecondTestAdmin", "key": "ChangeMe", "group": "CSIRT", @@ -4381,7 +4352,7 @@ "group": "CSIRT", "identifier": "SecondTestAdmin", "key": "ChangeMe", - "uuid": "010ebdd8-04dc-d834-47d6-af19a8316325" + "uuid": "36b8f308-fb83-ae6e-9920-912f00dccc44" }, "error": "", "message": "OK" @@ -4469,7 +4440,7 @@ "group": "SOC", "identifier": "SecondTestAdmin", "key": "NewWeakKey", - "uuid": "010ebdd8-04dc-d834-47d6-af19a8316325" + "uuid": "36b8f308-fb83-ae6e-9920-912f00dccc44" }, "error": "", "message": "OK" @@ -4507,7 +4478,7 @@ "group": "SOC", "identifier": "SecondTestAdmin", "key": "NewWeakKey", - "uuid": "010ebdd8-04dc-d834-47d6-af19a8316325" + "uuid": "36b8f308-fb83-ae6e-9920-912f00dccc44" }, "error": "", "message": "OK" diff --git a/go.mod b/go.mod index 30015fb..5abe64c 100644 --- a/go.mod +++ b/go.mod 
@@ -6,7 +6,7 @@ require ( github.com/0xrawsec/golang-etw v1.4.5 github.com/0xrawsec/golang-evtx v1.2.9 github.com/0xrawsec/golang-utils v1.3.2 - github.com/0xrawsec/golang-win32 v1.0.13 + github.com/0xrawsec/golang-win32 v1.0.14 github.com/0xrawsec/sod v1.9.10 github.com/0xrawsec/toast v1.2.3 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 @@ -17,4 +17,6 @@ require ( golang.org/x/sys v0.0.0-20190909082730-f460065e899a ) -go 1.13 +require golang.org/x/tools v0.0.0-20190625160430-252024b82959 // indirect + +go 1.18 diff --git a/go.sum b/go.sum index 2173586..3f07f3a 100644 --- a/go.sum +++ b/go.sum @@ -1,7 +1,5 @@ github.com/0xrawsec/crony v1.0.1 h1:DpkkcuvFYEgHyrm0CxeVYPxsRmEO2qX043s3SDTHaH8= github.com/0xrawsec/crony v1.0.1/go.mod h1:4MUBMHBeM5HKSUIDXYU7nkmny/pUBHXqg5ZXXC9coe0= -github.com/0xrawsec/gene/v2 v2.2.0 h1:0BcsNszFZr6moySryuB8BpAyuiMRvV+sENYH5hLMd4w= -github.com/0xrawsec/gene/v2 v2.2.0/go.mod h1:gpXuOpA823ZWvDU7Rn3lt3VWYibJedKXPzsm7kw0XtM= github.com/0xrawsec/gene/v2 v2.3.0 h1:AuScsQ/PlD8DwPzIaJmRuhDB1SgGnKZaKBB95mih0Sc= github.com/0xrawsec/gene/v2 v2.3.0/go.mod h1:Ns5p9jwmvCAAmzIBSMOL5hhMIlszxTXqVxBdJU/jm/w= github.com/0xrawsec/golang-etw v1.4.5 h1:zDGh/uSyLWwUF87F7AuF5SXh9PcPfsWXifmrw7eUgE4= 
@@ -10,42 +8,14 @@ github.com/0xrawsec/golang-evtx v1.2.9 h1:DaL2BICXf3vnCkqsPIwth1Qpfsv4+UYdZ0zTaj github.com/0xrawsec/golang-evtx v1.2.9/go.mod h1:1dWPugn8hfETOcaZAdu70QWkeVLvT9AUUFz0j+caV00= github.com/0xrawsec/golang-utils v1.1.3/go.mod h1:DADTtCFY10qXjWmUVhhJqQIZdSweaHH4soYUDEi8mj0= github.com/0xrawsec/golang-utils v1.3.0/go.mod h1:DADTtCFY10qXjWmUVhhJqQIZdSweaHH4soYUDEi8mj0= -github.com/0xrawsec/golang-utils v1.3.1 h1:jjiBzsxzcQPkmEV5KONJY4OnCoqTTW1eQMJcpSdk3hw= github.com/0xrawsec/golang-utils v1.3.1/go.mod h1:DADTtCFY10qXjWmUVhhJqQIZdSweaHH4soYUDEi8mj0= github.com/0xrawsec/golang-utils v1.3.2 h1:ww4jrtHRSnX9xrGzJYbalx5nXoZewy4zPxiY+ubJgtg= github.com/0xrawsec/golang-utils v1.3.2/go.mod h1:m7AzHXgdSAkFCD9tWWsApxNVxMlyy7anpPVOyT/yM7E= github.com/0xrawsec/golang-win32 v1.0.6/go.mod h1:MAxVU7dr8lujwknuhf4TwjYm8tVEELi2zwx1zDTu/RM= -github.com/0xrawsec/golang-win32 v1.0.12 h1:n7KxFvO2cMr9MrXMlt+F54kLHcQBp0bBjR0wegb+h7Y= -github.com/0xrawsec/golang-win32 v1.0.12/go.mod h1:LDGq8VzCwLZccK1qg7oKBc8n5DmPLi79w+wjew1UApg= -github.com/0xrawsec/golang-win32 v1.0.13 h1:vbRW6CIlsgNCZ8tSm+jfo+zDexrXH2dVJuV9rpzkMVM= -github.com/0xrawsec/golang-win32 v1.0.13/go.mod h1:LDGq8VzCwLZccK1qg7oKBc8n5DmPLi79w+wjew1UApg= -github.com/0xrawsec/sod v1.6.9 h1:6fqhbXkL6X3S1fssBiaanxTiZxjKCWacNVP5awrQDNY= -github.com/0xrawsec/sod v1.6.9/go.mod h1:AWB2VrKUriy5RZff2qmYkEtjcCS8NBYp0E/TUdoo+fE= -github.com/0xrawsec/sod v1.8.0 h1:YxKju2uYBq69nQZL5JgWsmPMxy7BViRAC5WNxRPzG5A= -github.com/0xrawsec/sod v1.8.0/go.mod h1:cLYvDtPgWh6FtFfIdCpoPj+zm/fJuA2Lh9Su7PjALDU= -github.com/0xrawsec/sod v1.9.0 h1:aFFW/5LKi13fFgw8z++1sYrlwFo5LLQvRWQRk8qMrVs= -github.com/0xrawsec/sod v1.9.0/go.mod h1:cLYvDtPgWh6FtFfIdCpoPj+zm/fJuA2Lh9Su7PjALDU= -github.com/0xrawsec/sod v1.9.1 h1:vEWpZ8GMdO8LpFYHYVfj72UDC8TUsP8x0Ho7W6B04Ds= -github.com/0xrawsec/sod v1.9.1/go.mod h1:cLYvDtPgWh6FtFfIdCpoPj+zm/fJuA2Lh9Su7PjALDU= -github.com/0xrawsec/sod v1.9.2 h1:3cq2ijKGobcS4VxeJGEAy27EQoyQ3jvpU/DLn7LM1UY= -github.com/0xrawsec/sod 
v1.9.2/go.mod h1:cLYvDtPgWh6FtFfIdCpoPj+zm/fJuA2Lh9Su7PjALDU= -github.com/0xrawsec/sod v1.9.3 h1:hB6peqrbwjPdF8tkz+Zdtqm8nO2f9NlTBHolsQIQMJg= -github.com/0xrawsec/sod v1.9.3/go.mod h1:cLYvDtPgWh6FtFfIdCpoPj+zm/fJuA2Lh9Su7PjALDU= -github.com/0xrawsec/sod v1.9.4 h1:fVRaG7yY3OX6AnOFWrZtaiZPSng2DPDZMjMCV9+QzNw= -github.com/0xrawsec/sod v1.9.4/go.mod h1:cLYvDtPgWh6FtFfIdCpoPj+zm/fJuA2Lh9Su7PjALDU= -github.com/0xrawsec/sod v1.9.5 h1:t3KJwUWij/MBSuf8SxsHr6YpszSaqKmEGmT/IF9xLT4= -github.com/0xrawsec/sod v1.9.5/go.mod h1:cLYvDtPgWh6FtFfIdCpoPj+zm/fJuA2Lh9Su7PjALDU= -github.com/0xrawsec/sod v1.9.7 h1:c2ax/Nd5EvCJSZNX6fG1bCfXMSupFZm6FwUaWMH7Q2k= -github.com/0xrawsec/sod v1.9.7/go.mod h1:N1cEdcsJxJZ6F7dPK0vpEQ+NdBO8uKS3CFPJyOmEK5E= -github.com/0xrawsec/sod v1.9.8 h1:AZ2h2mTlUDg1nmsvUJ47RKgitFvrzYvvIUrd/oy+fds= -github.com/0xrawsec/sod v1.9.8/go.mod h1:N1cEdcsJxJZ6F7dPK0vpEQ+NdBO8uKS3CFPJyOmEK5E= -github.com/0xrawsec/sod v1.9.9 h1:T0tkz2OStf7wugEENGeFkQVgzhHs10KxfKnuRGkb7rM= -github.com/0xrawsec/sod v1.9.9/go.mod h1:N1cEdcsJxJZ6F7dPK0vpEQ+NdBO8uKS3CFPJyOmEK5E= +github.com/0xrawsec/golang-win32 v1.0.14 h1:Lj45Cd7qnhCbtnrNCBI3twefRVh759q/rDXrutxQQOo= +github.com/0xrawsec/golang-win32 v1.0.14/go.mod h1:LDGq8VzCwLZccK1qg7oKBc8n5DmPLi79w+wjew1UApg= github.com/0xrawsec/sod v1.9.10 h1:XoSdy7AEEMCjN+3weHBvstotjaDg1hhtgxtbdC+4jO4= github.com/0xrawsec/sod v1.9.10/go.mod h1:N1cEdcsJxJZ6F7dPK0vpEQ+NdBO8uKS3CFPJyOmEK5E= -github.com/0xrawsec/toast v1.1.1/go.mod h1:sRvfNYxqVoH1sZnE18s9Knm/lkbarTGNvaNVBf2/h1k= -github.com/0xrawsec/toast v1.2.1 h1:askdLfoz1KByjnY1n+GGNocoStHetcscMFoBqLBlVlI= -github.com/0xrawsec/toast v1.2.1/go.mod h1:sRvfNYxqVoH1sZnE18s9Knm/lkbarTGNvaNVBf2/h1k= github.com/0xrawsec/toast v1.2.3 h1:nTs5NyAdmSoDfxlYjMVMYb9wj3C/MFpnoIoQBPUsHXg= github.com/0xrawsec/toast v1.2.3/go.mod h1:sRvfNYxqVoH1sZnE18s9Knm/lkbarTGNvaNVBf2/h1k= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
diff --git a/hids/hookdefs.go b/hids/hookdefs.go index 31dd60f..4b45468 100644 --- a/hids/hookdefs.go +++ b/hids/hookdefs.go @@ -25,7 +25,8 @@ import ( const ( // Empty GUID - nullGUID = "{00000000-0000-0000-0000-000000000000}" + nullGUID = "{00000000-0000-0000-0000-000000000000}" + unkFieldValue = "?" ) var ( @@ -60,8 +61,8 @@ func hookSetImageSize(h *HIDS, e *event.EdrEvent) { } func hookImageLoad(h *HIDS, e *event.EdrEvent) { - e.Set(pathImageLoadParentImage, "?") - e.Set(pathImageLoadParentCommandLine, "?") + e.Set(pathImageLoadParentImage, unkFieldValue) + e.Set(pathImageLoadParentCommandLine, unkFieldValue) if guid, ok := e.GetString(pathSysmonProcessGUID); ok { if track := h.tracker.GetByGuid(guid); !track.IsZero() { // we get a module info from cache or we update @@ -135,12 +136,18 @@ func hookTrack(h *HIDS, e *event.EdrEvent) { track.IntegrityLevel = il track.SetHashes(hashes) + // Getting process protection level first + if pl, err := kernel32.GetProcessProtectionLevel(uint32(pid)); err == nil { + track.ProtectionLevel = uint32(pl) + } + if parent := h.tracker.GetByGuid(pguid); !parent.IsZero() { track.Ancestors = append(parent.Ancestors, parent.Image) track.ParentUser = parent.User track.ParentIntegrityLevel = parent.IntegrityLevel track.ParentServices = parent.Services track.ParentCurrentDirectory = parent.CurrentDirectory + track.ParentProtectionLevel = parent.ProtectionLevel } else { // For processes created by System if pimage, ok := e.GetString(pathSysmonParentImage); ok { @@ -157,6 +164,8 @@ func hookTrack(h *HIDS, e *event.EdrEvent) { h.tracker.Add(track) e.SetIfMissing(pathAncestors, strings.Join(track.Ancestors, "|")) + e.SetIfMissing(pathProtectionLevel, fmt.Sprintf("0x%x", track.ProtectionLevel)) + e.SetIfMissing(pathParentProtectionLevel, fmt.Sprintf("0x%x", track.ParentProtectionLevel)) if track.ParentUser != "" { e.SetIfMissing(pathParentUser, track.ParentUser) } 
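Review bot: The two `fmt.Sprintf("0x%x", …)` calls added in the @@ -157 hunk duplicate the `toHex` helper this commit introduces in hids/hookutils.go and that hookEnrichAnySysmon already uses for the same family of fields; `e.SetIfMissing(pathProtectionLevel, toHex(track.ProtectionLevel))` and `e.SetIfMissing(pathParentProtectionLevel, toHex(track.ParentProtectionLevel))` keep the encoding in one place. In the @@ -135 hunk the error from `kernel32.GetProcessProtectionLevel` is dropped silently, so the field quietly stays at the `ZeroProtectionLevel` sentinel set by NewProcessTrack; that is a sensible default when the process has already exited by the time the event is processed, but a debug-level log of the failure would help when the value is unexpectedly missing for live processes. hookTrack starts and ends outside these hunks.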
@@ -180,10 +189,10 @@ func hookTrack(h *HIDS, e *event.EdrEvent) {
 }
 
 // Default values
- e.SetIfMissing(pathAncestors, "?")
- e.SetIfMissing(pathParentUser, "?")
- e.SetIfMissing(pathParentIntegrityLevel, "?")
- e.SetIfMissing(pathParentServices, "?")
+ e.SetIfMissing(pathAncestors, unkFieldValue)
+ e.SetIfMissing(pathParentUser, unkFieldValue)
+ e.SetIfMissing(pathParentIntegrityLevel, unkFieldValue)
+ e.SetIfMissing(pathParentServices, unkFieldValue)
 
 case SysmonDriverLoad:
 d := DriverInfoFromEvent(e)
@@ -229,9 +238,9 @@ func hookStats(h *HIDS, e *event.EdrEvent) {
 now := time.Now()
 
 // Set new fields
- e.Set(pathFileCount, "?")
- e.Set(pathFileCountByExt, "?")
- e.Set(pathFileExtension, "?")
+ e.Set(pathFileCount, unkFieldValue)
+ e.Set(pathFileCountByExt, unkFieldValue)
+ e.Set(pathFileExtension, unkFieldValue)
 
 if pt.Stats.Files.TimeFirstFileCreated.IsZero() {
 pt.Stats.Files.TimeFirstFileCreated = now
@@ -263,9 +272,9 @@ func hookStats(h *HIDS, e *event.EdrEvent) {
 now := time.Now()
 
 // Set new fields
- e.Set(pathFileCount, "?")
- e.Set(pathFileCountByExt, "?")
- e.Set(pathFileExtension, "?")
+ e.Set(pathFileCount, unkFieldValue)
+ e.Set(pathFileCountByExt, unkFieldValue)
+ e.Set(pathFileExtension, unkFieldValue)
 
 if pt.Stats.Files.TimeFirstFileDeleted.IsZero() {
 pt.Stats.Files.TimeFirstFileDeleted = now
@@ -373,10 +382,10 @@ func hookSelfGUID(h *HIDS, e *event.EdrEvent) {
 }
 
 func hookFileSystemAudit(h *HIDS, e *event.EdrEvent) {
- e.Set(pathSysmonCommandLine, "?")
+ e.Set(pathSysmonCommandLine, unkFieldValue)
 e.Set(pathSysmonProcessGUID, nullGUID)
- e.Set(pathSysmonImage, "?")
- e.Set(pathImageHashes, "?")
+ e.Set(pathSysmonImage, unkFieldValue)
+ e.Set(pathImageHashes, unkFieldValue)
 
 if pid, ok := e.GetInt(pathFSAuditProcessId); ok {
 if pt := h.tracker.GetByPID(pid); !pt.IsZero() {
@@ -462,8 +471,8 @@ func hookEnrichServices(h *HIDS, e *event.EdrEvent) {
 // Nothing to do
 break
 case SysmonCreateRemoteThread, SysmonAccessProcess:
- e.Set(pathSourceServices, "?")
- e.Set(pathTargetServices, "?")
+ e.Set(pathSourceServices, unkFieldValue)
+ e.Set(pathTargetServices, unkFieldValue)
 sguidPath := pathSysmonSourceProcessGUID
 tguidPath := pathSysmonTargetProcessGUID
 
@@ -507,7 +516,7 @@ func hookEnrichServices(h *HIDS, e *event.EdrEvent) {
 }
 }
 default:
- e.Set(pathServices, "?")
+ e.Set(pathServices, unkFieldValue)
 // image, guid and pid are supposed to be available for all the remaining Sysmon logs
 if guid, ok := e.GetString(pathSysmonProcessGUID); ok {
 if pid, ok := e.GetInt(pathSysmonProcessId); ok {
@@ -591,6 +600,9 @@ func hookEnrichAnySysmon(h *HIDS, e *event.EdrEvent) {
 e.SetIfMissing(pathSourceHashes, strack.hashes)
 }
 
+ // Source Protection level
+ e.SetIfMissing(pathSourceProtectionLevel, toHex(strack.ProtectionLevel))
+
 // Source process score
 e.Set(pathSrcProcessGeneScore, toString(strack.ThreatScore.Score))
 }
@@ -609,21 +621,26 @@ func hookEnrichAnySysmon(h *HIDS, e *event.EdrEvent) {
 if ttrack.hashes != "" {
 e.SetIfMissing(pathTargetHashes, ttrack.hashes)
 }
+
+ e.SetIfMissing(pathTargetProtectionLevel, toHex(ttrack.ProtectionLevel))
+
 // Target process score
 e.Set(pathTgtProcessGeneScore, toString(ttrack.ThreatScore.Score))
 }
-
- // Default Values for fields
- e.SetIfMissing(pathSourceUser, "?")
- e.SetIfMissing(pathSourceIntegrityLevel, "?")
- e.SetIfMissing(pathTargetUser, "?")
- e.SetIfMissing(pathTargetIntegrityLevel, "?")
- e.SetIfMissing(pathTargetParentProcessGuid, "?")
- e.SetIfMissing(pathSourceHashes, "?")
- e.SetIfMissing(pathTargetHashes, "?")
 }
 }
 
+ // Default Values for fields
+ e.SetIfMissing(pathSourceUser, unkFieldValue)
+ e.SetIfMissing(pathSourceIntegrityLevel, unkFieldValue)
+ e.SetIfMissing(pathTargetUser, unkFieldValue)
+ e.SetIfMissing(pathTargetIntegrityLevel, unkFieldValue)
+ e.SetIfMissing(pathTargetParentProcessGuid, unkFieldValue)
+ e.SetIfMissing(pathSourceHashes, unkFieldValue)
+ e.SetIfMissing(pathTargetHashes, unkFieldValue)
+ e.SetIfMissing(pathSourceProtectionLevel, toHex(ZeroProtectionLevel))
+ e.SetIfMissing(pathTargetProtectionLevel, toHex(ZeroProtectionLevel))
+
 // should be missing
 e.SetIfMissing(pathSrcProcessGeneScore, "-1")
 e.SetIfMissing(pathTgtProcessGeneScore, "-1")
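Review bot: The default for the two protection-level fields is `toHex(ZeroProtectionLevel)`, i.e. the string `0xffffffff`, while every other default in the same run is `unkFieldValue`; a rule author looking at the event cannot tell that sentinel apart from a genuinely read level without opening this file. A comment next to those two lines, e.g. `// unknown protection level is encoded as 0xffffffff rather than "?" so the field stays parsable as hex`, would make the contract explicit. Moving the default block out of the target-track branch means the defaults are now applied even when the target GUID is absent from the event, which looks intended since the Gene-score defaults just below already behaved that way. hookEnrichAnySysmon starts and ends outside this hunk.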
@@ -633,60 +650,63 @@ func hookEnrichAnySysmon(h *HIDS, e *event.EdrEvent) { /* Any other event than CreateRemoteThread and ProcessAccess*/ if guid, ok := e.GetString(pathSysmonProcessGUID); ok { - // Setting GeneScore only if we can identify process by its GUID - // Default value - e.Set(pathProcessGeneScore, "-1") - if track := h.tracker.GetByGuid(guid); !track.IsZero() { // setting CommandLine field if track.CommandLine != "" { e.SetIfMissing(pathSysmonCommandLine, track.CommandLine) } - // default value set only if missing - e.SetIfMissing(pathSysmonCommandLine, "?") // setting User field if track.User != "" { e.SetIfMissing(pathSysmonUser, track.User) } - // default value set only if missing - e.SetIfMissing(pathSysmonUser, "?") // setting IntegrityLevel if track.IntegrityLevel != "" { e.SetIfMissing(pathSysmonIntegrityLevel, track.IntegrityLevel) } - // default value set only if missing - e.SetIfMissing(pathSysmonIntegrityLevel, "?") // setting CurrentDirectory if track.CurrentDirectory != "" { e.SetIfMissing(pathSysmonCurrentDirectory, track.CurrentDirectory) } - // default value set only if missing - e.SetIfMissing(pathSysmonCurrentDirectory, "?") // event never has ImageHashes field since it is not Sysmon standard if track.hashes != "" { e.Set(pathImageHashes, track.hashes) } - e.SetIfMissing(pathImageHashes, "?") // Signature information e.SetIfMissing(pathImageSigned, toString(track.Signed)) e.SetIfMissing(pathImageSignature, track.Signature) e.SetIfMissing(pathImageSignatureStatus, track.SignatureStatus) + // Protection level + e.SetIfMissing(pathProtectionLevel, toHex(track.ProtectionLevel)) + // Overal criticality score e.Set(pathProcessGeneScore, toString(track.ThreatScore.Score)) } + + // Setting GeneScore only if we can identify process by its GUID + // Default values + e.Set(pathProcessGeneScore, "-1") + e.SetIfMissing(pathSysmonCommandLine, unkFieldValue) + e.SetIfMissing(pathSysmonUser, unkFieldValue) + e.SetIfMissing(pathSysmonIntegrityLevel, 
unkFieldValue) + e.SetIfMissing(pathSysmonCurrentDirectory, unkFieldValue) + e.SetIfMissing(pathImageHashes, unkFieldValue) + e.SetIfMissing(pathImageSigned, unkFieldValue) + e.SetIfMissing(pathImageSignature, unkFieldValue) + e.SetIfMissing(pathImageSignatureStatus, unkFieldValue) + e.SetIfMissing(pathProtectionLevel, toHex(ZeroProtectionLevel)) } } } func hookClipboardEvents(h *HIDS, e *event.EdrEvent) { - e.Set(pathSysmonClipboardData, "?") + e.Set(pathSysmonClipboardData, unkFieldValue) if hashes, ok := e.GetString(pathSysmonHashes); ok { fname := fmt.Sprintf("CLIP-%s", sysmonArcFileRe.ReplaceAllString(hashes, "")) path := filepath.Join(h.config.Sysmon.ArchiveDirectory, fname) @@ -713,7 +733,7 @@ var ( ) func hookKernelFiles(h *HIDS, e *event.EdrEvent) { - fileName := "?" + fileName := unkFieldValue // Enrich all events with Sysmon Info pt := h.tracker.GetByPID(int64(e.Event.System.Execution.ProcessID)) 
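Review bot: `e.Set(pathProcessGeneScore, "-1")` now runs after the `if track := h.tracker.GetByGuid(guid)` block, so it overwrites the `e.Set(pathProcessGeneScore, toString(track.ThreatScore.Score))` issued a few lines earlier and every tracked process ends up reporting a score of -1; before this change the default was written before the block, so the order did not matter. The surrounding defaults use `SetIfMissing`, and the sibling hunk for source/target scores uses `e.SetIfMissing(pathSrcProcessGeneScore, "-1")`, so this line should read `e.SetIfMissing(pathProcessGeneScore, "-1")` unless `Set` is already non-overwriting, which the existence of a separate `SetIfMissing` argues against. The comment above it, "Setting GeneScore only if we can identify process by its GUID", describes the old placement and no longer matches the code. hookEnrichAnySysmon starts outside this hunk.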
@@ -762,18 +782,18 @@ func hookKernelFiles(h *HIDS, e *event.EdrEvent) { if !e.IsSkipped() { // We enrich event with other data - e.SetIfOr(pathSysmonProcessGUID, pt.ProcessGUID, !pt.IsZero(), "?") - e.SetIfOr(pathSysmonImage, pt.Image, !pt.IsZero(), "?") - e.SetIfOr(pathSysmonCommandLine, pt.CommandLine, !pt.IsZero(), "?") + e.SetIfOr(pathSysmonProcessGUID, pt.ProcessGUID, !pt.IsZero(), unkFieldValue) + e.SetIfOr(pathSysmonImage, pt.Image, !pt.IsZero(), unkFieldValue) + e.SetIfOr(pathSysmonCommandLine, pt.CommandLine, !pt.IsZero(), unkFieldValue) // put hashes in ImageHashes field to avoid confusion in analyst's mind // not to think it is file content hashes - e.SetIfOr(pathImageHashes, pt.hashes, !pt.IsZero(), "?") + e.SetIfOr(pathImageHashes, pt.hashes, !pt.IsZero(), unkFieldValue) e.SetIfOr(pathSysmonProcessId, toString(pt.PID), !pt.IsZero(), toString(-1)) - e.SetIfOr(pathSysmonIntegrityLevel, pt.IntegrityLevel, !pt.IsZero(), "?") - e.SetIfOr(pathSysmonUser, pt.User, !pt.IsZero(), "?") - e.SetIfOr(pathServices, pt.Services, !pt.IsZero(), "?") - e.SetIfOr(pathImageSignature, pt.Signature, !pt.IsZero(), "?") - e.SetIfOr(pathImageSignatureStatus, pt.SignatureStatus, !pt.IsZero(), "?") + e.SetIfOr(pathSysmonIntegrityLevel, pt.IntegrityLevel, !pt.IsZero(), unkFieldValue) + e.SetIfOr(pathSysmonUser, pt.User, !pt.IsZero(), unkFieldValue) + e.SetIfOr(pathServices, pt.Services, !pt.IsZero(), unkFieldValue) + e.SetIfOr(pathImageSignature, pt.Signature, !pt.IsZero(), unkFieldValue) + e.SetIfOr(pathImageSignatureStatus, pt.SignatureStatus, !pt.IsZero(), unkFieldValue) e.Set(pathSysmonEventType, KernelFileOperations[e.EventID()]) } } diff --git a/hids/hookutils.go b/hids/hookutils.go index b262620..16cbfcf 100644 --- a/hids/hookutils.go +++ b/hids/hookutils.go 
@@ -11,10 +11,18 @@ import (
 "github.com/0xrawsec/whids/event"
 )
 
-func toString(i interface{}) string {
+func toString(i any) string {
 return fmt.Sprintf("%v", i)
 }
 
+func toHex(i any) string {
+ switch i.(type) {
+ case int, uint, int8, int16, int32, int64, uint8, uint16, uint32, uint64:
+ return fmt.Sprintf("0x%x", i)
+ }
+ return "cannot format to hex"
+}
+
 func terminate(pid int) error {
 // prevents from terminating our own process
 if os.Getpid() != pid {
diff --git a/hids/paths.go b/hids/paths.go
index ae53a99..6e6a99f 100644
--- a/hids/paths.go
+++ b/hids/paths.go
@@ -147,4 +147,10 @@ var (
 pathFileCountByExt = engine.Path("/Event/EventData/CountByExt")
 pathFileExtension = engine.Path("/Event/EventData/Extension")
 pathFileFrequency = engine.Path("/Event/EventData/FrequencyEps")
+
+ // ProcessProtectionLevel
+ pathProtectionLevel = engine.Path("/Event/EventData/ProtectionLevel")
+ pathSourceProtectionLevel = engine.Path("/Event/EventData/SourceProtectionLevel")
+ pathTargetProtectionLevel = engine.Path("/Event/EventData/TargetProtectionLevel")
+ pathParentProtectionLevel = engine.Path("/Event/EventData/ParentProtectionLevel")
 )
diff --git a/hids/ptrack.go b/hids/ptrack.go
index 67845c4..c6cf6e6 100644
--- a/hids/ptrack.go
+++ b/hids/ptrack.go
@@ -1,6 +1,7 @@
 package hids
 
 import (
+ "math"
 "strings"
 "sync"
 "time"
@@ -124,6 +125,10 @@ func sysmonHashesToMap(hashes string) map[string]string {
 return m
 }
 
+const (
+ ZeroProtectionLevel = uint32(math.MaxUint32)
+)
+
 type ProcessTrack struct {
 /* Private */
 hashes string
@@ -145,6 +150,8 @@ type ProcessTrack struct {
 ParentProcessGUID string `json:"parent-process-guid"`
 Services string `json:"services"`
 ParentServices string `json:"parent-services"`
+ ProtectionLevel uint32 `json:"protection-lvl"`
+ ParentProtectionLevel uint32 `json:"parent-protection-lvl"`
 HashesMap map[string]string `json:"hashes"`
 Signature string `json:"signature"`
 SignatureStatus string `json:"signature-status"`
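Review bot: `toHex` falls through to returning the literal string `cannot format to hex` for any non-integer argument, so a caller mistake would land as a prose value in an event field that detection rules match on, and `uintptr` is missing from the accepted integer case. Since this commit raises go.mod to 1.18, a type parameter turns the wrong-argument case into a compile error and removes the fallback string entirely (see below); the visible callers all pass a uint32 from ProcessTrack, so nothing else changes. `toString` keeps `any` because it really is meant for arbitrary values.
```go
// integer is the set of types toHex can format; the ~ keeps named integer types usable.
type integer interface {
	~int | ~int8 | ~int16 | ~int32 | ~int64 |
		~uint | ~uint8 | ~uint16 | ~uint32 | ~uint64 | ~uintptr
}

// toHex formats an integer as 0x-prefixed lowercase hexadecimal.
func toHex[T integer](i T) string {
	return fmt.Sprintf("0x%x", i)
}
```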
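Review bot: `ZeroProtectionLevel` is `math.MaxUint32`, not zero, and the only explanation of why (0x0 is a valid protection level and 0xfffffffe is ProtectionNone) lives in a field-initializer comment in NewProcessTrack rather than on the exported constant that the hooks in hids/hookdefs.go compare against and emit as a default. A doc comment on the declaration, e.g. `// ZeroProtectionLevel marks a protection level that could not be read; 0x0 is a valid level and 0xfffffffe is ProtectionNone, so MaxUint32 serves as the sentinel.`, belongs in this hunk, and a name like `UnknownProtectionLevel` would describe the value better than "Zero". The new json tags `protection-lvl` and `parent-protection-lvl` abbreviate where the neighbouring tags spell words out (`parent-process-guid`, `signature-status`); `protection-level` would be consistent.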
@@ -176,17 +183,19 @@ func EmptyProcessTrack() *ProcessTrack { // that minimal information is encoded (image, guid, pid) func NewProcessTrack(image, pguid, guid string, pid int64) *ProcessTrack { return &ProcessTrack{ - Image: image, - ParentProcessGUID: pguid, - ProcessGUID: guid, - PID: pid, - Signature: "?", - SignatureStatus: "?", - Ancestors: make([]string, 0), - Modules: make([]*ModuleInfo, 0), - Integrity: -1.0, - Stats: NewProcStats(), - ThreatScore: NewGeneScore(), + Image: image, + ParentProcessGUID: pguid, + ProcessGUID: guid, + PID: pid, + Signature: "?", + SignatureStatus: "?", + Ancestors: make([]string, 0), + Modules: make([]*ModuleInfo, 0), + Integrity: -1.0, + ProtectionLevel: ZeroProtectionLevel, // 0x0 is a valid protection level and 0xfffffffe is ProtectionNone + ParentProtectionLevel: ZeroProtectionLevel, + Stats: NewProcStats(), + ThreatScore: NewGeneScore(), } }