diff --git a/.github/coverage/badge.svg b/.github/coverage/badge.svg index fbbd359..1bee922 100644 --- a/.github/coverage/badge.svg +++ b/.github/coverage/badge.svg @@ -1 +1 @@ -coverage: 71.4%coverage71.4% \ No newline at end of file +coverage: 70.5%coverage70.5% \ No newline at end of file diff --git a/.github/coverage/coverage.txt b/.github/coverage/coverage.txt index d51fd5a..1228988 100644 --- a/.github/coverage/coverage.txt +++ b/.github/coverage/coverage.txt 
@@ -1,25 +1,26 @@ -github.com/0xrawsec/whids/api/api_client.go:40: ManagerIP 60.0% -github.com/0xrawsec/whids/api/api_client.go:52: DialContext 0.0% -github.com/0xrawsec/whids/api/api_client.go:69: DialTLSContext 82.4% -github.com/0xrawsec/whids/api/api_client.go:103: Transport 100.0% -github.com/0xrawsec/whids/api/api_client.go:140: init 60.0% -github.com/0xrawsec/whids/api/api_client.go:150: NewManagerClient 63.6% -github.com/0xrawsec/whids/api/api_client.go:184: Prepare 100.0% -github.com/0xrawsec/whids/api/api_client.go:199: PrepareGzip 90.0% -github.com/0xrawsec/whids/api/api_client.go:219: IsServerAuthEnforced 100.0% -github.com/0xrawsec/whids/api/api_client.go:224: IsServerUp 75.0% -github.com/0xrawsec/whids/api/api_client.go:244: IsServerAuthenticated 80.0% -github.com/0xrawsec/whids/api/api_client.go:275: buildURI 100.0% -github.com/0xrawsec/whids/api/api_client.go:281: GetRulesSha256 68.8% -github.com/0xrawsec/whids/api/api_client.go:309: GetIoCs 75.0% -github.com/0xrawsec/whids/api/api_client.go:338: GetIoCsSha256 68.8% -github.com/0xrawsec/whids/api/api_client.go:367: GetRules 68.8% -github.com/0xrawsec/whids/api/api_client.go:394: IsFileAboveUploadLimit 0.0% -github.com/0xrawsec/whids/api/api_client.go:405: PostDump 65.0% -github.com/0xrawsec/whids/api/api_client.go:441: PostLogs 68.8% -github.com/0xrawsec/whids/api/api_client.go:473: PostCommand 76.5% -github.com/0xrawsec/whids/api/api_client.go:507: FetchCommand 82.4% -github.com/0xrawsec/whids/api/api_client.go:543: Close 100.0% +github.com/0xrawsec/whids/api/api_client.go:42: ManagerIP 60.0% +github.com/0xrawsec/whids/api/api_client.go:54: DialContext 0.0% +github.com/0xrawsec/whids/api/api_client.go:71: DialTLSContext 82.4% +github.com/0xrawsec/whids/api/api_client.go:105: Transport 100.0% +github.com/0xrawsec/whids/api/api_client.go:142: init 60.0% +github.com/0xrawsec/whids/api/api_client.go:152: NewManagerClient 63.6% +github.com/0xrawsec/whids/api/api_client.go:186: Prepare 100.0% 
+github.com/0xrawsec/whids/api/api_client.go:201: PrepareGzip 90.0% +github.com/0xrawsec/whids/api/api_client.go:221: IsServerAuthEnforced 100.0% +github.com/0xrawsec/whids/api/api_client.go:226: IsServerUp 80.0% +github.com/0xrawsec/whids/api/api_client.go:245: IsServerAuthenticated 80.0% +github.com/0xrawsec/whids/api/api_client.go:276: buildURI 100.0% +github.com/0xrawsec/whids/api/api_client.go:282: GetRulesSha256 68.8% +github.com/0xrawsec/whids/api/api_client.go:310: GetIoCs 75.0% +github.com/0xrawsec/whids/api/api_client.go:339: GetIoCsSha256 68.8% +github.com/0xrawsec/whids/api/api_client.go:368: GetRules 68.8% +github.com/0xrawsec/whids/api/api_client.go:395: IsFileAboveUploadLimit 0.0% +github.com/0xrawsec/whids/api/api_client.go:406: PostDump 65.0% +github.com/0xrawsec/whids/api/api_client.go:442: PostLogs 68.8% +github.com/0xrawsec/whids/api/api_client.go:474: PostCommand 76.5% +github.com/0xrawsec/whids/api/api_client.go:508: FetchCommand 73.7% +github.com/0xrawsec/whids/api/api_client.go:547: PostSystemInfo 61.5% +github.com/0xrawsec/whids/api/api_client.go:573: Close 100.0% github.com/0xrawsec/whids/api/command.go:48: NewCommand 100.0% github.com/0xrawsec/whids/api/command.go:59: SetCommandLine 87.5% github.com/0xrawsec/whids/api/command.go:76: AddDropFile 83.3% 
@@ -32,18 +33,10 @@ github.com/0xrawsec/whids/api/command.go:134: Run 76.9% github.com/0xrawsec/whids/api/command.go:217: String 0.0% github.com/0xrawsec/whids/api/command.go:223: Strip 100.0% github.com/0xrawsec/whids/api/command.go:232: Complete 92.3% -github.com/0xrawsec/whids/api/endpoint.go:27: NewEndpoint 100.0% -github.com/0xrawsec/whids/api/endpoint.go:32: Copy 100.0% -github.com/0xrawsec/whids/api/endpoint.go:38: UpdateLastConnection 100.0% -github.com/0xrawsec/whids/api/endpoint.go:53: NewEndpoints 100.0% -github.com/0xrawsec/whids/api/endpoint.go:61: Add 100.0% -github.com/0xrawsec/whids/api/endpoint.go:69: DelByUUID 70.0% -github.com/0xrawsec/whids/api/endpoint.go:90: HasByUUID 100.0% -github.com/0xrawsec/whids/api/endpoint.go:98: GetByUUID 80.0% -github.com/0xrawsec/whids/api/endpoint.go:108: GetMutByUUID 100.0% -github.com/0xrawsec/whids/api/endpoint.go:118: Len 100.0% -github.com/0xrawsec/whids/api/endpoint.go:125: Endpoints 100.0% -github.com/0xrawsec/whids/api/endpoint.go:136: MutEndpoints 100.0% +github.com/0xrawsec/whids/api/endpoint.go:29: NewEndpoint 100.0% +github.com/0xrawsec/whids/api/endpoint.go:36: Validate 66.7% +github.com/0xrawsec/whids/api/endpoint.go:44: Copy 100.0% +github.com/0xrawsec/whids/api/endpoint.go:50: UpdateLastConnection 100.0% github.com/0xrawsec/whids/api/forwarder.go:61: NewForwarder 72.7% github.com/0xrawsec/whids/api/forwarder.go:100: LogfilePath 100.0% github.com/0xrawsec/whids/api/forwarder.go:108: ArchiveLogs 0.0% 
@@ -65,86 +58,85 @@ github.com/0xrawsec/whids/api/log_streamer.go:49: NewEventStreamer 100.0% github.com/0xrawsec/whids/api/log_streamer.go:55: NewStream 100.0% github.com/0xrawsec/whids/api/log_streamer.go:63: newId 100.0% github.com/0xrawsec/whids/api/log_streamer.go:73: Queue 83.3% -github.com/0xrawsec/whids/api/manager.go:63: init 75.0% -github.com/0xrawsec/whids/api/manager.go:76: IPFromRequest 0.0% -github.com/0xrawsec/whids/api/manager.go:89: gunzipMiddleware 62.5% -github.com/0xrawsec/whids/api/manager.go:112: Empty 100.0% -github.com/0xrawsec/whids/api/manager.go:117: Verify 50.0% -github.com/0xrawsec/whids/api/manager.go:130: UUIDGen 100.0% -github.com/0xrawsec/whids/api/manager.go:139: KeyGen 100.0% -github.com/0xrawsec/whids/api/manager.go:185: LoadManagerConfig 0.0% -github.com/0xrawsec/whids/api/manager.go:197: SetPath 100.0% -github.com/0xrawsec/whids/api/manager.go:202: EndpointAPIUrl 0.0% -github.com/0xrawsec/whids/api/manager.go:212: AdminAPIUrl 75.0% -github.com/0xrawsec/whids/api/manager.go:222: Save 0.0% -github.com/0xrawsec/whids/api/manager.go:261: NewManager 77.1% -github.com/0xrawsec/whids/api/manager.go:327: initializeDB 72.2% -github.com/0xrawsec/whids/api/manager.go:367: initializeGeneFromDB 84.6% -github.com/0xrawsec/whids/api/manager.go:393: updateRulesCache 100.0% -github.com/0xrawsec/whids/api/manager.go:405: ImportRules 0.0% -github.com/0xrawsec/whids/api/manager.go:430: CreateNewAdminAPIUser 83.3% -github.com/0xrawsec/whids/api/manager.go:443: AddEndpoint 100.0% -github.com/0xrawsec/whids/api/manager.go:448: UpdateReducer 100.0% -github.com/0xrawsec/whids/api/manager.go:464: Wait 100.0% -github.com/0xrawsec/whids/api/manager.go:469: IsDone 0.0% -github.com/0xrawsec/whids/api/manager.go:474: Shutdown 86.7% -github.com/0xrawsec/whids/api/manager.go:498: Run 100.0% +github.com/0xrawsec/whids/api/manager.go:64: init 75.0% +github.com/0xrawsec/whids/api/manager.go:77: IPFromRequest 0.0% +github.com/0xrawsec/whids/api/manager.go:90: 
gunzipMiddleware 62.5% +github.com/0xrawsec/whids/api/manager.go:113: Empty 100.0% +github.com/0xrawsec/whids/api/manager.go:118: Verify 50.0% +github.com/0xrawsec/whids/api/manager.go:131: UUIDGen 100.0% +github.com/0xrawsec/whids/api/manager.go:140: KeyGen 100.0% +github.com/0xrawsec/whids/api/manager.go:186: LoadManagerConfig 0.0% +github.com/0xrawsec/whids/api/manager.go:198: SetPath 100.0% +github.com/0xrawsec/whids/api/manager.go:203: EndpointAPIUrl 0.0% +github.com/0xrawsec/whids/api/manager.go:213: AdminAPIUrl 75.0% +github.com/0xrawsec/whids/api/manager.go:223: Save 0.0% +github.com/0xrawsec/whids/api/manager.go:262: NewManager 75.0% +github.com/0xrawsec/whids/api/manager.go:317: initializeDB 75.0% +github.com/0xrawsec/whids/api/manager.go:359: initializeGeneFromDB 84.6% +github.com/0xrawsec/whids/api/manager.go:385: updateRulesCache 100.0% +github.com/0xrawsec/whids/api/manager.go:402: MutEndpoint 66.7% +github.com/0xrawsec/whids/api/manager.go:415: MutEndpoints 85.7% +github.com/0xrawsec/whids/api/manager.go:429: ImportRules 0.0% +github.com/0xrawsec/whids/api/manager.go:454: CreateNewAdminAPIUser 50.0% +github.com/0xrawsec/whids/api/manager.go:467: AddEndpoint 100.0% +github.com/0xrawsec/whids/api/manager.go:472: UpdateReducer 100.0% +github.com/0xrawsec/whids/api/manager.go:488: Wait 100.0% +github.com/0xrawsec/whids/api/manager.go:493: IsDone 0.0% +github.com/0xrawsec/whids/api/manager.go:498: Shutdown 82.4% +github.com/0xrawsec/whids/api/manager.go:527: Run 100.0% github.com/0xrawsec/whids/api/manager_admin_api.go:33: admApiParseDuration 71.4% github.com/0xrawsec/whids/api/manager_admin_api.go:46: admApiParseTime 66.7% -github.com/0xrawsec/whids/api/manager_admin_api.go:53: muxGetVar 75.0% -github.com/0xrawsec/whids/api/manager_admin_api.go:61: format 100.0% -github.com/0xrawsec/whids/api/manager_admin_api.go:66: readPostAsJSON 80.0% -github.com/0xrawsec/whids/api/manager_admin_api.go:92: NewAdminAPIResponse 100.0% 
-github.com/0xrawsec/whids/api/manager_admin_api.go:97: NewAdminAPIRespError 0.0% -github.com/0xrawsec/whids/api/manager_admin_api.go:102: NewAdminAPIRespErrorString 0.0% -github.com/0xrawsec/whids/api/manager_admin_api.go:107: UnmarshalData 75.0% -github.com/0xrawsec/whids/api/manager_admin_api.go:116: ToJSON 50.0% -github.com/0xrawsec/whids/api/manager_admin_api.go:127: Err 66.7% -github.com/0xrawsec/whids/api/manager_admin_api.go:134: admErr 0.0% -github.com/0xrawsec/whids/api/manager_admin_api.go:138: admJSONResp 100.0% -github.com/0xrawsec/whids/api/manager_admin_api.go:142: admMsgStr 0.0% -github.com/0xrawsec/whids/api/manager_admin_api.go:153: adminAuthorizationMiddleware 66.7% -github.com/0xrawsec/whids/api/manager_admin_api.go:169: admLogHTTPMiddleware 100.0% -github.com/0xrawsec/whids/api/manager_admin_api.go:177: adminRespHeaderMiddleware 100.0% -github.com/0xrawsec/whids/api/manager_admin_api.go:187: admAPIUsers 54.8% -github.com/0xrawsec/whids/api/manager_admin_api.go:255: admAPIUser 59.4% -github.com/0xrawsec/whids/api/manager_admin_api.go:316: admAPIEndpoints 83.3% -github.com/0xrawsec/whids/api/manager_admin_api.go:361: admAPIEndpoint 73.5% -github.com/0xrawsec/whids/api/manager_admin_api.go:440: ToCommand 77.8% -github.com/0xrawsec/whids/api/manager_admin_api.go:462: admAPIEndpointCommand 75.0% -github.com/0xrawsec/whids/api/manager_admin_api.go:507: admAPIEndpointCommandField 52.9% -github.com/0xrawsec/whids/api/manager_admin_api.go:544: admAPIEndpointLogs 69.7% -github.com/0xrawsec/whids/api/manager_admin_api.go:685: admAPIEndpointReport 78.9% -github.com/0xrawsec/whids/api/manager_admin_api.go:725: admAPIEndpointReportArchive 67.4% -github.com/0xrawsec/whids/api/manager_admin_api.go:800: admAPIEndpointsReports 100.0% -github.com/0xrawsec/whids/api/manager_admin_api.go:823: listEndpointDumps 80.6% -github.com/0xrawsec/whids/api/manager_admin_api.go:890: admAPIArtifacts 61.1% -github.com/0xrawsec/whids/api/manager_admin_api.go:921: 
admAPIEndpointArtifacts 61.1% -github.com/0xrawsec/whids/api/manager_admin_api.go:952: admAPIEndpointArtifact 62.9% -github.com/0xrawsec/whids/api/manager_admin_api.go:1023: admAPIStats 100.0% -github.com/0xrawsec/whids/api/manager_admin_api.go:1031: admAPIIocs 62.1% -github.com/0xrawsec/whids/api/manager_admin_api.go:1153: admAPIRules 62.5% -github.com/0xrawsec/whids/api/manager_admin_api.go:1252: wsHandleControlMessage 100.0% -github.com/0xrawsec/whids/api/manager_admin_api.go:1262: admAPIStreamEvents 71.4% -github.com/0xrawsec/whids/api/manager_admin_api.go:1285: admAPIStreamDetections 0.0% -github.com/0xrawsec/whids/api/manager_admin_api.go:1310: runAdminAPI 86.5% -github.com/0xrawsec/whids/api/manager_endpoint_api.go:27: endpointFromRequest 75.0% -github.com/0xrawsec/whids/api/manager_endpoint_api.go:35: mutEndpointFromRequest 75.0% -github.com/0xrawsec/whids/api/manager_endpoint_api.go:45: endpointAuthorizationMiddleware 76.2% -github.com/0xrawsec/whids/api/manager_endpoint_api.go:85: isVerboseURL 100.0% -github.com/0xrawsec/whids/api/manager_endpoint_api.go:94: endptLogHTTPMiddleware 0.0% -github.com/0xrawsec/whids/api/manager_endpoint_api.go:102: endptQuietLogHTTPMiddleware 100.0% -github.com/0xrawsec/whids/api/manager_endpoint_api.go:112: runEndpointAPI 77.8% -github.com/0xrawsec/whids/api/manager_endpoint_api.go:177: ServerKey 100.0% -github.com/0xrawsec/whids/api/manager_endpoint_api.go:182: Rules 100.0% -github.com/0xrawsec/whids/api/manager_endpoint_api.go:189: RulesSha256 100.0% -github.com/0xrawsec/whids/api/manager_endpoint_api.go:195: IoCs 50.0% -github.com/0xrawsec/whids/api/manager_endpoint_api.go:204: IoCsSha256 100.0% -github.com/0xrawsec/whids/api/manager_endpoint_api.go:209: UploadDump 44.4% -github.com/0xrawsec/whids/api/manager_endpoint_api.go:242: Collect 84.6% -github.com/0xrawsec/whids/api/manager_endpoint_api.go:315: AddCommand 75.0% -github.com/0xrawsec/whids/api/manager_endpoint_api.go:324: GetCommand 66.7% 
-github.com/0xrawsec/whids/api/manager_endpoint_api.go:334: Command 84.6% +github.com/0xrawsec/whids/api/manager_admin_api.go:70: NewAdminAPIResponse 100.0% +github.com/0xrawsec/whids/api/manager_admin_api.go:75: NewAdminAPIRespError 0.0% +github.com/0xrawsec/whids/api/manager_admin_api.go:80: NewAdminAPIRespErrorString 0.0% +github.com/0xrawsec/whids/api/manager_admin_api.go:85: UnmarshalData 75.0% +github.com/0xrawsec/whids/api/manager_admin_api.go:94: ToJSON 50.0% +github.com/0xrawsec/whids/api/manager_admin_api.go:105: Err 66.7% +github.com/0xrawsec/whids/api/manager_admin_api.go:112: admErr 0.0% +github.com/0xrawsec/whids/api/manager_admin_api.go:116: admJSONResp 100.0% +github.com/0xrawsec/whids/api/manager_admin_api.go:120: admMsgStr 0.0% +github.com/0xrawsec/whids/api/manager_admin_api.go:131: adminAuthorizationMiddleware 66.7% +github.com/0xrawsec/whids/api/manager_admin_api.go:147: admLogHTTPMiddleware 100.0% +github.com/0xrawsec/whids/api/manager_admin_api.go:155: adminRespHeaderMiddleware 100.0% +github.com/0xrawsec/whids/api/manager_admin_api.go:165: admAPIUsers 54.8% +github.com/0xrawsec/whids/api/manager_admin_api.go:233: admAPIUser 59.4% +github.com/0xrawsec/whids/api/manager_admin_api.go:294: admAPIEndpoints 82.1% +github.com/0xrawsec/whids/api/manager_admin_api.go:344: admAPIEndpoint 76.5% +github.com/0xrawsec/whids/api/manager_admin_api.go:425: ToCommand 77.8% +github.com/0xrawsec/whids/api/manager_admin_api.go:447: admAPIEndpointCommand 73.1% +github.com/0xrawsec/whids/api/manager_admin_api.go:496: admAPIEndpointCommandField 52.9% +github.com/0xrawsec/whids/api/manager_admin_api.go:533: admAPIEndpointLogs 69.7% +github.com/0xrawsec/whids/api/manager_admin_api.go:674: admAPIEndpointReport 78.9% +github.com/0xrawsec/whids/api/manager_admin_api.go:714: admAPIEndpointReportArchive 67.4% +github.com/0xrawsec/whids/api/manager_admin_api.go:789: admAPIEndpointsReports 83.3% +github.com/0xrawsec/whids/api/manager_admin_api.go:816: listEndpointDumps 
80.6% +github.com/0xrawsec/whids/api/manager_admin_api.go:883: admAPIArtifacts 61.1% +github.com/0xrawsec/whids/api/manager_admin_api.go:914: admAPIEndpointArtifacts 61.1% +github.com/0xrawsec/whids/api/manager_admin_api.go:945: admAPIEndpointArtifact 62.9% +github.com/0xrawsec/whids/api/manager_admin_api.go:1016: admAPIStats 75.0% +github.com/0xrawsec/whids/api/manager_admin_api.go:1028: admAPIIocs 62.1% +github.com/0xrawsec/whids/api/manager_admin_api.go:1150: admAPIRules 62.5% +github.com/0xrawsec/whids/api/manager_admin_api.go:1249: wsHandleControlMessage 100.0% +github.com/0xrawsec/whids/api/manager_admin_api.go:1259: admAPIStreamEvents 71.4% +github.com/0xrawsec/whids/api/manager_admin_api.go:1282: admAPIStreamDetections 0.0% +github.com/0xrawsec/whids/api/manager_admin_api.go:1307: runAdminAPI 86.5% +github.com/0xrawsec/whids/api/manager_endpoint_api.go:28: eptAPIMutEndpointFromRequest 75.0% +github.com/0xrawsec/whids/api/manager_endpoint_api.go:38: endpointAuthorizationMiddleware 65.2% +github.com/0xrawsec/whids/api/manager_endpoint_api.go:81: isVerboseURL 100.0% +github.com/0xrawsec/whids/api/manager_endpoint_api.go:90: endptLogHTTPMiddleware 0.0% +github.com/0xrawsec/whids/api/manager_endpoint_api.go:98: endptQuietLogHTTPMiddleware 100.0% +github.com/0xrawsec/whids/api/manager_endpoint_api.go:108: runEndpointAPI 78.6% +github.com/0xrawsec/whids/api/manager_endpoint_api.go:174: ServerKey 100.0% +github.com/0xrawsec/whids/api/manager_endpoint_api.go:179: Rules 100.0% +github.com/0xrawsec/whids/api/manager_endpoint_api.go:186: RulesSha256 100.0% +github.com/0xrawsec/whids/api/manager_endpoint_api.go:192: IoCs 60.0% +github.com/0xrawsec/whids/api/manager_endpoint_api.go:202: IoCsSha256 100.0% +github.com/0xrawsec/whids/api/manager_endpoint_api.go:207: UploadDump 47.4% +github.com/0xrawsec/whids/api/manager_endpoint_api.go:240: Collect 85.4% +github.com/0xrawsec/whids/api/manager_endpoint_api.go:320: AddCommand 75.0% 
+github.com/0xrawsec/whids/api/manager_endpoint_api.go:329: GetCommand 66.7% +github.com/0xrawsec/whids/api/manager_endpoint_api.go:339: Command 80.0% +github.com/0xrawsec/whids/api/manager_endpoint_api.go:395: SystemInfo 72.7% github.com/0xrawsec/whids/api/upload.go:31: NewUploadShrinker 0.0% github.com/0xrawsec/whids/api/upload.go:65: Size 0.0% github.com/0xrawsec/whids/api/upload.go:70: Next 0.0% @@ -155,6 +147,10 @@ github.com/0xrawsec/whids/api/upload.go:118: Validate 57.1% github.com/0xrawsec/whids/api/upload.go:132: Implode 100.0% github.com/0xrawsec/whids/api/upload.go:137: Dump 71.4% github.com/0xrawsec/whids/api/upload.go:155: write 31.6% +github.com/0xrawsec/whids/api/utils.go:12: respBodyToString 0.0% +github.com/0xrawsec/whids/api/utils.go:21: muxGetVar 75.0% +github.com/0xrawsec/whids/api/utils.go:29: format 100.0% +github.com/0xrawsec/whids/api/utils.go:34: readPostAsJSON 80.0% github.com/0xrawsec/whids/event/event.go:43: NewEdrEvent 100.0% github.com/0xrawsec/whids/event/event.go:47: InitEdrData 100.0% github.com/0xrawsec/whids/event/event.go:51: Hash 100.0% @@ -238,4 +234,4 @@ github.com/0xrawsec/whids/logger/search.go:187: Events 89.7% github.com/0xrawsec/whids/logger/search.go:254: Err 100.0% github.com/0xrawsec/whids/logger/search.go:258: close 80.0% github.com/0xrawsec/whids/logger/search.go:269: Close 100.0% -total: (statements) 71.4% +total: (statements) 70.5% diff --git a/api/api_client.go b/api/api_client.go index 2c54300..531ab6a 100644 --- a/api/api_client.go +++ b/api/api_client.go 
@@ -525,17 +525,21 @@ func (m *ManagerClient) FetchCommand() (*Command, error) {
 return command, ErrNothingToDo
 }
- jsonCommand, err := ioutil.ReadAll(resp.Body)
- if err != nil {
- return command, fmt.Errorf("FetchCommand failed to read HTTP response body: %s", err)
- }
+ if resp.StatusCode == http.StatusOK {
+ jsonCommand, err := ioutil.ReadAll(resp.Body)
+ if err != nil {
+ return command, fmt.Errorf("FetchCommand failed to read HTTP response body: %s", err)
+ }
+
+ // unmarshal command to be executed
+ if err := json.Unmarshal(jsonCommand, &command); err != nil {
+ return command, fmt.Errorf("FetchCommand failed to unmarshal command: %s", err)
+ }
- // unmarshal command to be executed
- if err := json.Unmarshal(jsonCommand, &command); err != nil {
- return command, fmt.Errorf("FetchCommand failed to unmarshal command: %s", err)
+ return command, nil
 }
+ return command, fmt.Errorf("FetchCommand unexpected HTTP status %d", resp.StatusCode)
- return command, nil
 }
 return command, fmt.Errorf("FetchCommand failed, server cannot be authenticated")
 }
diff --git a/api/endpoint.go b/api/endpoint.go
index 9501216..d6beccc 100644
--- a/api/endpoint.go
+++ b/api/endpoint.go
@@ -1,7 +1,7 @@
 package api
 import (
- "sync"
+ "fmt"
 "time"
 "github.com/0xrawsec/sod"
@@ -27,7 +27,17 @@ type Endpoint struct {
 // NewEndpoint returns a new Endpoint structure
 func NewEndpoint(uuid, key string) *Endpoint {
- return &Endpoint{Uuid: uuid, Key: key}
+ e := &Endpoint{Uuid: uuid, Key: key}
+ e.Initialize(e.Uuid)
+ return e
+}
+
+// Validate overwrite sod.Item function
+func (e *Endpoint) Validate() error {
+ if e.Criticality < 0 || e.Criticality > 10 {
+ return fmt.Errorf("criticality field must be in [0;10]")
+ }
+ return nil
 }
 // Copy returns a pointer to a new copy of the Endpoint
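Review bot: The 200 branch still reads the response body without any bound via `ioutil.ReadAll(resp.Body)`, so a misbehaving or compromised manager can make the agent buffer an arbitrarily large payload before `json.Unmarshal` ever runs. A command is a small JSON document, so cap the read: `jsonCommand, err := ioutil.ReadAll(io.LimitReader(resp.Body, maxCommandSize))` with a package constant sized from the largest legitimate command (e.g. `maxCommandSize = 1 << 20`). The status check itself is the right change: a non-200 body is no longer decoded as if it were a command. FetchCommand begins outside the hunk, so I cannot see whether `resp.Body` is closed on the new non-200 return path; a `defer resp.Body.Close()` placed right after the request is made would cover it.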
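Review bot: `Validate` becomes the only guard on `Criticality` in this commit (the inline `[0;10]` check in admAPIEndpoint is removed elsewhere in the diff), but its comment `// Validate overwrite sod.Item function` says neither that it is invoked by the store before an Endpoint is written nor that it is now the sole enforcement point. Suggest `// Validate implements sod.Item. It is the only place the [0;10] criticality range is enforced, so callers must not ignore the error returned by InsertOrUpdate.` Whether sod actually calls Validate from InsertOrUpdate is inferred from the override and the removed check, not visible here; confirm it, because otherwise the range is no longer validated anywhere.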
@@ -40,105 +50,3 @@ func (e *Endpoint) Copy() *Endpoint {
 func (e *Endpoint) UpdateLastConnection() {
 e.LastConnection = time.Now().UTC()
 }
-
-// Endpoints structure used to manage endpoints
-// This struct looks over complicated for what it
-// does but it is because it was more complex before
-// and got simplified (too lazy to change it...)
-type Endpoints struct {
- sync.RWMutex
- endpoints []*Endpoint
- mapUUID map[string]int
-}
-
-// NewEndpoints creates a new Endpoints structure
-func NewEndpoints() Endpoints {
- return Endpoints{
- endpoints: make([]*Endpoint, 0),
- mapUUID: make(map[string]int),
- }
-}
-
-// Add adds an Endpoint to the Endpoints
-func (es *Endpoints) Add(e *Endpoint) {
- es.Lock()
- defer es.Unlock()
- es.endpoints = append(es.endpoints, e)
- es.mapUUID[e.Uuid] = len(es.endpoints) - 1
-}
-
-// DelByUUID deletes an Endpoint by its UUID
-func (es *Endpoints) DelByUUID(uuid string) {
- es.Lock()
- defer es.Unlock()
- if i, ok := es.mapUUID[uuid]; ok {
- delete(es.mapUUID, uuid)
- switch {
- case i == 0:
- if len(es.endpoints) == 1 {
- es.endpoints = make([]*Endpoint, 0)
- } else {
- es.endpoints = es.endpoints[i+1:]
- }
- case i == len(es.endpoints)-1:
- es.endpoints = es.endpoints[:i]
- default:
- es.endpoints = append(es.endpoints[:i], es.endpoints[i+1:]...)
- }
- }
-}
-
-func (es *Endpoints) HasByUUID(uuid string) bool {
- es.RLock()
- defer es.RUnlock()
- _, ok := es.mapUUID[uuid]
- return ok
-}
-
-// GetByUUID returns a reference to the copy of an Endpoint by its UUID
-func (es *Endpoints) GetByUUID(uuid string) (*Endpoint, bool) {
- es.RLock()
- defer es.RUnlock()
- if i, ok := es.mapUUID[uuid]; ok {
- return es.endpoints[i].Copy(), true
- }
- return nil, false
-}
-
-// GetMutByUUID returns reference to an Endpoint
-func (es *Endpoints) GetMutByUUID(uuid string) (*Endpoint, bool) {
- es.RLock()
- defer es.RUnlock()
- if i, ok := es.mapUUID[uuid]; ok {
- return es.endpoints[i], true
- }
- return nil, false
-}
-
-// Len returns the number of endpoints
-func (es *Endpoints) Len() int {
- es.RLock()
- defer es.RUnlock()
- return len(es.endpoints)
-}
-
-// Endpoints returns a list of references to copies of the endpoints
-func (es *Endpoints) Endpoints() []*Endpoint {
- es.RLock()
- defer es.RUnlock()
- endpts := make([]*Endpoint, 0, len(es.endpoints))
- for _, e := range es.endpoints {
- endpts = append(endpts, e.Copy())
- }
- return endpts
-}
-
-// MutEndpoints returns a list of references of the endpoints
-func (es *Endpoints) MutEndpoints() []*Endpoint {
- es.RLock()
- defer es.RUnlock()
- endpts := make([]*Endpoint, len(es.endpoints))
- copy(endpts, es.endpoints)
- return endpts
-}
diff --git a/api/manager.go b/api/manager.go
index 93bc124..9c4de01 100644
--- a/api/manager.go
+++ b/api/manager.go
@@ -239,10 +239,10 @@ type Manager struct {
 detectionLogger *logger.EventLogger
 detectionSearcher *logger.EventSearcher
 endpointAPI *http.Server
- endpoints Endpoints
- adminAPI *http.Server
- stop chan bool
- done bool
+ //endpoints Endpoints
+ adminAPI *http.Server
+ stop chan bool
+ done bool
 // Gene related members
 gene struct {
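Review bot: The `//endpoints Endpoints` line left in the Manager struct is dead code kept as a comment; both the field and the Endpoints type are removed in this same commit, so the comment only suggests to a reader that an in-memory endpoint list still exists somewhere. Delete the line instead of commenting it out, so `endpointAPI *http.Server` is directly followed by `adminAPI *http.Server`. The Manager struct definition continues outside the hunk.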
@@ -261,7 +261,6 @@ type Manager struct {
 // NewManager creates a new WHIDS manager with a logfile as parameter
 func NewManager(c *ManagerConfig) (*Manager, error) {
 var err error
- var objects []sod.Object
 m := Manager{Config: c, iocs: ioc.NewIocs()}
 //logPath := filepath.Join(c.Logging.Root, c.Logging.LogBasename)
@@ -296,16 +295,6 @@ func NewManager(c *ManagerConfig) (*Manager, error) {
 // initialize IoCs from db
 m.iocs.FromDB(m.db)
- // Endpoints initialization
- m.endpoints = NewEndpoints()
- if objects, err = m.db.All(&Endpoint{}); err != nil {
- return nil, err
- }
- for _, o := range objects {
- ept := o.(*Endpoint)
- m.endpoints.Add(ept)
- }
-
 m.stop = make(chan bool)
 if err = c.TLS.Verify(); err != nil && !c.TLS.Empty() {
 return nil, err
@@ -405,6 +394,38 @@ func (m *Manager) updateRulesCache() {
 m.gene.sha256 = hex.EncodeToString(sha256.Sum(nil))
 }
+// MutEndpoint returns an Endpoint pointer from database
+// Result must be handled with care as any change to the Endpoint
+// might be commited to the database. If an Endpoint needs to be
+// modified but changes don't need to be commited, use Endpoint.Copy()
+// to work on a copy
+func (m *Manager) MutEndpoint(uuid string) (*Endpoint, bool) {
+ if o, err := m.db.GetByUUID(&Endpoint{}, uuid); err == nil {
+ // we return copy to endpoints not to modify cached structures
+ return o.(*Endpoint), true
+ }
+ return nil, false
+}
+
+// MutEndpoints returns a slice of Endpoint pointers from database
+// Result must be handled with care as any change to the Endpoint
+// might be commited to the database. If an Endpoint needs to be
+// modified but changes don't need to be commited, use Endpoint.Copy()
+// to work on a copy
+func (m *Manager) MutEndpoints() (endpoints []*Endpoint, err error) {
+ var all []sod.Object
+
+ if all, err = m.db.All(&Endpoint{}); err != nil {
+ return
+ }
+ endpoints = make([]*Endpoint, 0, len(all))
+ for _, o := range all {
+ // we return copy to endpoints not to modify cached structures
+ endpoints = append(endpoints, o.(*Endpoint))
+ }
+ return
+}
+
 func (m *Manager) ImportRules(directory string) (err error) {
 engine := engine.NewEngine()
 engine.SetDumpRaw(true)
@@ -444,7 +465,7 @@ func (m *Manager) CreateNewAdminAPIUser(user *AdminAPIUser) (err error) {
 // AddEndpoint adds new endpoint to the manager
 func (m *Manager) AddEndpoint(uuid, key string) {
- m.endpoints.Add(NewEndpoint(uuid, key))
+ m.db.InsertOrUpdate(NewEndpoint(uuid, key))
 }
 // UpdateReducer updates the reducer member of the Manager
@@ -494,6 +515,11 @@ func (m *Manager) Shutdown() (lastErr error) {
 if err := m.eventLogger.Close(); err != nil {
 lastErr = err
 }
+
+ if err := m.db.Close(); err != nil {
+ lastErr = err
+ }
+
 return
 }
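Review bot: The inline comment `// we return copy to endpoints not to modify cached structures` in both MutEndpoint and MutEndpoints contradicts the code and the doc comment right above it: `o.(*Endpoint)` is handed back as-is, and the doc comment explicitly warns that changes to the result may be committed. Replace both inline comments with `// the cached pointer itself is returned; callers that must not persist changes use Copy()`. Whether sod returns a shared cache pointer or a fresh object per call is not visible in this diff — the doc comment asserts the former, and the callers rewritten in this commit (admAPIEndpoints, the endpoint auth middleware) now write through these pointers, so it is worth confirming against sod. Also `commited` → `committed` in both doc comments, and MutEndpoint folds every store error (not just not-found) into `false`; a short note saying so would help callers that treat `false` as "unknown endpoint".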
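Review bot: `m.db.InsertOrUpdate(NewEndpoint(uuid, key))` discards the returned error, so a failed write — or a rejection from Endpoint.Validate — leaves the caller believing the endpoint was registered when it was not; the in-memory `Add` it replaces could not fail, the store call can. At minimum log it: `if err := m.db.InsertOrUpdate(NewEndpoint(uuid, key)); err != nil { log.Errorf("Failed to add endpoint UUID=%s: %s", uuid, err) }`, and consider returning the error from AddEndpoint so callers can act on it (a signature change, so check call sites outside this diff).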
diff --git a/api/manager_admin_api.go b/api/manager_admin_api.go
index c330765..63960cc 100644
--- a/api/manager_admin_api.go
+++ b/api/manager_admin_api.go
@@ -296,38 +296,43 @@ func (m *Manager) admAPIEndpoints(wt http.ResponseWriter, rq *http.Request) {
 group := rq.URL.Query().Get(qpGroup)
 status := rq.URL.Query().Get(qpStatus)
 criticality, _ := strconv.ParseInt(rq.URL.Query().Get(qpCriticality), 10, 8)
-
+ log.Infof("showkey=%t", showKey)
 switch {
 case rq.Method == "GET":
 // we return the list of all endpoints
- endpoints := make([]*Endpoint, 0, m.endpoints.Len())
- for _, endpt := range m.endpoints.Endpoints() {
- // filter on group
- if group != "" && endpt.Group != group {
- continue
- }
- // filter on status
- if status != "" && endpt.Status != status {
- continue
- }
- if endpt.Criticality < int(criticality) {
- continue
- }
- // never show command
- endpt.Command = nil
- if !showKey {
- endpt.Key = ""
+ if endpoints, err := m.MutEndpoints(); err != nil {
+ wt.Write(admErr(err))
+ } else {
+ out := make([]*Endpoint, 0, len(endpoints))
+ for _, endpt := range endpoints {
+ // filter on group
+ if group != "" && endpt.Group != group {
+ continue
+ }
+ // filter on status
+ if status != "" && endpt.Status != status {
+ continue
+ }
+ if endpt.Criticality < int(criticality) {
+ continue
+ }
+ // never show command
+ endpt.Command = nil
+ if !showKey {
+ // to prevent modifying data in the db cache
+ endpt = endpt.Copy()
+ endpt.Key = ""
+ }
+ // score is updated at every call as it depends on all the other endpoints
+ endpt.Score = m.gene.reducer.BoundedScore(endpt.Uuid)
+ out = append(out, endpt)
 }
- // score is updated at every call as it depends on all the other endpoints
- endpt.Score = m.gene.reducer.BoundedScore(endpt.Uuid)
- // add endpoint to the list to return
- endpoints = append(endpoints, endpt)
+ wt.Write(admJSONResp(out))
 }
- wt.Write(NewAdminAPIResponse(endpoints).ToJSON())
 case rq.Method == "PUT":
 endpt := NewEndpoint(UUIDGen().String(), KeyGen(DefaultKeySize))
- m.endpoints.Add(endpt)
+ m.db.InsertOrUpdate(endpt)
 // save endpoint to database
 if err := m.db.InsertOrUpdate(endpt); err != nil {
 log.Errorf("Failed to save new endpoint")
@@ -344,7 +349,9 @@ func (m *Manager) admAPIEndpoint(wt http.ResponseWriter, rq *http.Request) {
 newKey, _ := strconv.ParseBool(rq.URL.Query().Get(qpNewKey))
 if euuid, err = muxGetVar(rq, "euuid"); err == nil {
- if endpt, ok := m.endpoints.GetMutByUUID(euuid); ok {
+ if endpt, ok := m.MutEndpoint(euuid); ok {
+ var err error
+
 switch rq.Method {
 case "POST":
 new := Endpoint{Criticality: -1}
@@ -363,11 +370,6 @@ func (m *Manager) admAPIEndpoint(wt http.ResponseWriter, rq *http.Request) {
 }
 if new.Criticality != -1 {
- // we have to do further checks on criticality
- if new.Criticality < 0 || new.Criticality > 10 {
- wt.Write(admErr("criticality field must be in [0;10]"))
- return
- }
 endpt.Criticality = new.Criticality
 }
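Review bot: In the GET branch `endpt.Command = nil` runs on the pointer returned by MutEndpoints before the `endpt = endpt.Copy()` that only executes when `showKey` is false, so every listing clears the pending command on the cached object — and, per MutEndpoints' own doc comment, possibly in the database — meaning an admin listing endpoints could silently cancel queued commands; with `showkey=true` the Score write also lands on the cache. Copy unconditionally before any mutation: make `endpt = endpt.Copy()` the first statement after the three filters, then `endpt.Command = nil` and the key/score edits on the copy. Two smaller points in the same hunk: `log.Infof("showkey=%t", showKey)` looks like leftover debugging and fires on every request, and the PUT branch now calls `m.db.InsertOrUpdate(endpt)` twice, the first with its error discarded — drop the first call. The PUT branch continues outside the hunk.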
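Review bot: Removing the inline `[0;10]` check means `endpt.Criticality = new.Criticality` now writes the unvalidated value into the object returned by MutEndpoint — the cached pointer — before anything can reject it; if the later `InsertOrUpdate` fails in Endpoint.Validate, the cache still holds the out-of-range value and subsequent reads return it. Keep a cheap pre-check here that reuses the new validator rather than duplicating the range, `if err := new.Validate(); err != nil { wt.Write(admErr(err)); return }`, placed inside the `new.Criticality != -1` branch before the assignment. Whether sod calls Validate from InsertOrUpdate at all is not visible in this diff; confirm it, since otherwise the range check is gone entirely. admAPIEndpoint continues outside the hunk.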
@@ -377,27 +379,32 @@ func (m *Manager) admAPIEndpoint(wt http.ResponseWriter, rq *http.Request) {
 }
 // save endpoint to database
- if err := m.db.InsertOrUpdate(endpt); err != nil {
- log.Errorf("Failed to save updated endpoint")
+ if err = m.db.InsertOrUpdate(endpt); err != nil {
+ log.Errorf("Failed to save updated endpoint UUID=%s", euuid)
 }
 case "DELETE":
 // deleting endpoints from live config
- m.endpoints.DelByUUID(euuid)
- if err := m.db.Delete(endpt); err != nil {
- log.Errorf("Failed to delete endpoint from database")
+ if err = m.db.Delete(endpt); err != nil {
+ log.Errorf("Failed to delete endpoint UUID=%s from database", euuid)
 }
 }
- // we have to use the copy of the endpoint has we modify the key
- endpt = endpt.Copy()
+ // score is updated at every call as it depends on all the other endpoints
+ endpt.Score = m.gene.reducer.BoundedScore(endpt.Uuid)
+
 // we return the endpoint anyway
 if !showKey {
+ // to prevent modifying struct in db cache
+ endpt = endpt.Copy()
 endpt.Key = ""
 }
- // score is updated at every call as it depends on all the other endpoints
- endpt.Score = m.gene.reducer.BoundedScore(endpt.Uuid)
- wt.Write(NewAdminAPIResponse(endpt).ToJSON())
+
+ apiResp := NewAdminAPIResponse(endpt)
+ if err != nil {
+ apiResp.Error = err.Error()
+ }
+ wt.Write(apiResp.ToJSON())
 } else {
 wt.Write(admErr(format("Unknown endpoint: %s", euuid)))
 }
@@ -447,7 +454,7 @@ func (m *Manager) admAPIEndpointCommand(wt http.ResponseWriter, rq *http.Request
 if euuid, err = muxGetVar(rq, "euuid"); err != nil {
 wt.Write(NewAdminAPIRespError(err).ToJSON())
 } else {
- if endpt, ok := m.endpoints.GetByUUID(euuid); ok {
+ if endpt, ok := m.MutEndpoint(euuid); ok {
 if endpt.Command != nil {
 for wait && !endpt.Command.Completed {
 time.Sleep(time.Millisecond * 50)
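Review bot: Surfacing the store error in `apiResp.Error` is an improvement, but the response body is still built from `endpt` after a failed `InsertOrUpdate`/`Delete`, so the client receives the mutated, unsaved state next to the error, and `endpt.Score = m.gene.reducer.BoundedScore(endpt.Uuid)` is written to the cached pointer on the `showKey` path before the Copy. Suggest `if err != nil { wt.Write(admErr(err)); return }` right after the switch so the endpoint is only serialized when the store succeeded, and moving `endpt = endpt.Copy()` ahead of the Score assignment so neither branch mutates the cache. On the DELETE path the endpoint is likewise returned with a freshly computed Score after it has been removed; if that is intended ("we return the endpoint anyway"), a one-line comment saying the body is the pre-deletion snapshot would avoid the question. admAPIEndpoint begins outside the hunk.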
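Review bot: With `MutEndpoint` the GET handler now spins on the shared cached pointer in `for wait && !endpt.Command.Completed { time.Sleep(...) }`, reading `endpt.Command.Completed` while the endpoint API goroutine writes it through the same pointer — an unsynchronized read/write — and `endpt.Command` can be replaced or set to nil by another admin request between the nil check and the loop. The previous `GetByUUID` returned a copy, so this loop could never observe completion; switching to the live pointer makes it work but makes it race (how much sod serializes internally is not visible here). There is also no bound on the wait, so a `wait=true` request pins a handler goroutine indefinitely. A safer shape re-fetches on each iteration and gives up after a deadline:
```go
if endpt, ok := m.MutEndpoint(euuid); ok {
	deadline := time.Now().Add(30 * time.Second)
	for wait && time.Now().Before(deadline) {
		cur, ok := m.MutEndpoint(euuid)
		if !ok || cur.Command == nil || cur.Command.Completed {
			break
		}
		time.Sleep(time.Millisecond * 50)
	}
	// … unchanged: response building …
```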
@@ -460,19 +467,23 @@ func (m *Manager) admAPIEndpointCommand(wt http.ResponseWriter, rq *http.Request
 }
 case "POST":
 if euuid, err = muxGetVar(rq, "euuid"); err != nil {
- wt.Write(NewAdminAPIRespError(err).ToJSON())
+ wt.Write(admErr(err))
 } else {
- if endpt, ok := m.endpoints.GetMutByUUID(euuid); ok {
+ if endpt, ok := m.MutEndpoint(euuid); ok {
 c := CommandAPI{}
 if err = readPostAsJSON(rq, &c); err != nil {
- wt.Write(NewAdminAPIRespError(err).ToJSON())
+ wt.Write(admErr(err))
 } else {
 tmpCmd, err := c.ToCommand()
 if err != nil {
 wt.Write(admErr(format("Failed to create command to execute: %s", err)))
 } else {
 endpt.Command = tmpCmd
- wt.Write(NewAdminAPIResponse(endpt).ToJSON())
+ if err := m.db.InsertOrUpdate(endpt); err != nil {
+ wt.Write(admErr(err))
+ } else {
+ wt.Write(admJSONResp(endpt))
+ }
 }
 }
 } else {
@@ -489,7 +500,7 @@ func (m *Manager) admAPIEndpointCommandField(wt http.ResponseWriter, rq *http.Re
 if euuid, err = muxGetVar(rq, "euuid"); err != nil {
 wt.Write(NewAdminAPIRespError(err).ToJSON())
 } else {
- if endpt, ok := m.endpoints.GetByUUID(euuid); ok {
+ if endpt, ok := m.MutEndpoint(euuid); ok {
 if field, err = muxGetVar(rq, "field"); err != nil {
 wt.Write(NewAdminAPIRespError(err).ToJSON())
 } else {
@@ -667,7 +678,7 @@ func (m *Manager) admAPIEndpointReport(wt http.ResponseWriter, rq *http.Request)
 if euuid, err = muxGetVar(rq, "euuid"); err != nil {
 wt.Write(NewAdminAPIRespError(err).ToJSON())
 } else {
- if endpt, ok := m.endpoints.GetByUUID(euuid); ok {
+ if endpt, ok := m.MutEndpoint(euuid); ok {
 // we return the report anyway
 rs := m.gene.reducer.ReduceCopy(endpt.Uuid)
 switch rq.Method {
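Review bot: The success path `wt.Write(admJSONResp(endpt))` serializes the full Endpoint including `Key` — the credential the agent authenticates with — regardless of the `showkey` convention the list and single-endpoint handlers follow; the replaced `NewAdminAPIResponse(endpt)` line had the same problem, but this hunk rewrites the response, so it is the moment to fix it. Return a sanitized copy: `c := endpt.Copy(); c.Key = ""; wt.Write(admJSONResp(c))`. Separately, `endpt.Command = tmpCmd` is assigned on the cached pointer before `InsertOrUpdate`; when the store fails the client gets an error but the in-memory endpoint still carries the command and may hand it to the agent on its next poll, assuming the endpoint API reads the same cache (which the diff suggests but does not show) — setting the command on a copy and only committing on success avoids that.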
@@ -757,7 +768,7 @@ func (m *Manager) admAPIEndpointReportArchive(wt http.ResponseWriter, rq *http.R if euuid, err = muxGetVar(rq, "euuid"); err != nil { wt.Write(NewAdminAPIRespError(err).ToJSON()) } else { - if endpt, ok := m.endpoints.GetByUUID(euuid); ok { + if endpt, ok := m.MutEndpoint(euuid); ok { search := m.db.Search(&ArchivedReport{}, "Identifier", "=", endpt.Uuid). And("ArchivedTimestamp", ">=", since). And("ArchivedTimestamp", "<=", until) @@ -777,10 +788,14 @@ func (m *Manager) admAPIEndpointReportArchive(wt http.ResponseWriter, rq *http.R func (m *Manager) admAPIEndpointsReports(wt http.ResponseWriter, rq *http.Request) { out := make(map[string]*reducer.ReducedStats) - for _, e := range m.endpoints.MutEndpoints() { - out[e.Uuid] = m.gene.reducer.ReduceCopy(e.Uuid) + if endpoints, err := m.MutEndpoints(); err != nil { + wt.Write(admErr(err)) + } else { + for _, e := range endpoints { + out[e.Uuid] = m.gene.reducer.ReduceCopy(e.Uuid) + } + wt.Write(NewAdminAPIResponse(out).ToJSON()) } - wt.Write(NewAdminAPIResponse(out).ToJSON()) } type DumpFile struct { @@ -914,7 +929,7 @@ func (m *Manager) admAPIEndpointArtifacts(wt http.ResponseWriter, rq *http.Reque if euuid, err = muxGetVar(rq, "euuid"); err != nil { wt.Write(NewAdminAPIRespError(err).ToJSON()) } else { - if m.endpoints.HasByUUID(euuid) { + if _, ok := m.MutEndpoint(euuid); ok { if dumps, err = listEndpointDumps(m.Config.DumpDir, euuid, since); err != nil { wt.Write(admErr(format("Failed to list dumps, %s", err))) return 
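Review bot: In admAPIEndpointsReports the response is still built with `NewAdminAPIResponse(out).ToJSON()` while the other handlers this commit touches (admAPIEndpointCommand, admAPIStats) moved to `admJSONResp(...)`; `wt.Write(admJSONResp(out))` keeps them consistent. `out` is also allocated before the `m.MutEndpoints()` error check; moving it into the success branch as `out := make(map[string]*reducer.ReducedStats, len(endpoints))` avoids the wasted allocation on error and pre-sizes the map. The function is fully inside the hunk.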
@@ -999,11 +1014,15 @@ type stats struct { } func (m *Manager) admAPIStats(wt http.ResponseWriter, rq *http.Request) { - s := stats{ - EndpointCount: m.endpoints.Len(), - RuleCount: m.gene.engine.Count(), + if count, err := m.db.Count(&Endpoint{}); err != nil { + wt.Write(admErr(err)) + } else { + s := stats{ + EndpointCount: count, + RuleCount: m.gene.engine.Count(), + } + wt.Write(admJSONResp(s)) } - wt.Write(NewAdminAPIResponse(s).ToJSON()) } func (m *Manager) admAPIIocs(wt http.ResponseWriter, rq *http.Request) { diff --git a/api/manager_endpoint_api.go b/api/manager_endpoint_api.go index cc9b3bb..5c96c30 100644 --- a/api/manager_endpoint_api.go +++ b/api/manager_endpoint_api.go @@ -25,17 +25,9 @@ var ( /////////////////// Utils -func (m *Manager) endpointFromRequest(rq *http.Request) *Endpoint { +func (m *Manager) eptAPIMutEndpointFromRequest(rq *http.Request) *Endpoint { uuid := rq.Header.Get(EndpointUUIDHeader) - if endpt, ok := m.endpoints.GetByUUID(uuid); ok { - return endpt - } - return nil -} - -func (m *Manager) mutEndpointFromRequest(rq *http.Request) *Endpoint { - uuid := rq.Header.Get(EndpointUUIDHeader) - if endpt, ok := m.endpoints.GetMutByUUID(uuid); ok { + if endpt, ok := m.MutEndpoint(uuid); ok { return endpt } return nil @@ -53,7 +45,7 @@ func (m *Manager) endpointAuthorizationMiddleware(next http.Handler) http.Handle hostname := rq.Header.Get(EndpointHostnameHeader) ip := rq.Header.Get(EndpointIPHeader) - if endpt, ok = m.endpoints.GetMutByUUID(uuid); !ok { + if endpt, ok = m.MutEndpoint(uuid); !ok { http.Error(wt, "Not Authorized", http.StatusForbidden) // we have to return not to reach ServeHTTP return @@ -79,6 +71,9 @@ func (m *Manager) endpointAuthorizationMiddleware(next http.Handler) http.Handle // update last connection timestamp endpt.UpdateLastConnection() + if err := m.db.InsertOrUpdate(endpt); err != nil { + log.Errorf("Failed to commit endpoint changes") + } next.ServeHTTP(wt, rq) }) } 
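Review bot: The new `log.Errorf("Failed to commit endpoint changes")` in endpointAuthorizationMiddleware discards both the error and the endpoint it concerns, so a persistence failure on the request path cannot be diagnosed from the log; `log.Errorf("Failed to commit endpoint UUID=%s changes: %s", uuid, err)` keeps both (`uuid` is in scope from the lookup above). Because `UpdateLastConnection` is now followed by `m.db.InsertOrUpdate` on every authorized request, each agent call costs a store write; if the store is disk-backed it may be worth writing only when the stored timestamp is older than some interval, since a single busy endpoint can otherwise drive steady write load. The middleware closure begins outside the hunk.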
@@ -195,8 +190,9 @@ func (m *Manager) RulesSha256(wt http.ResponseWriter, rq *http.Request) { } func (m *Manager) IoCs(wt http.ResponseWriter, rq *http.Request) { + funcName := utils.GetCurFuncName() if data, err := json.Marshal(m.iocs.StringSlice()); err != nil { - log.Errorf("Failed to marshal IoCs: %s", err) + log.Errorf("%s failed to marshal IoCs: %s", funcName, err) http.Error(wt, "Failed to marshal IoCs", http.StatusInternalServerError) } else { wt.Write(data) @@ -210,9 +206,9 @@ func (m *Manager) IoCsSha256(wt http.ResponseWriter, rq *http.Request) { // UploadDump HTTP handler used to upload dump files from client to manager func (m *Manager) UploadDump(wt http.ResponseWriter, rq *http.Request) { defer rq.Body.Close() - + funcName := utils.GetCurFuncName() if m.Config.DumpDir == "" { - log.Errorf("Upload handler won't dump because no dump directory set") + log.Errorf("%s handler won't dump because no dump directory set", funcName) http.Error(wt, "Failed to dump file", http.StatusInternalServerError) return } 
@@ -220,21 +216,21 @@ func (m *Manager) UploadDump(wt http.ResponseWriter, rq *http.Request) { fu := FileUpload{} dec := json.NewDecoder(rq.Body) - if endpt := m.endpointFromRequest(rq); endpt != nil { + if endpt := m.eptAPIMutEndpointFromRequest(rq); endpt != nil { if err := dec.Decode(&fu); err != nil { - log.Errorf("Upload handler failed to decode JSON") + log.Errorf("%s handler failed to decode JSON", funcName) http.Error(wt, "Failed to decode JSON", http.StatusInternalServerError) return } endptDumpDir := filepath.Join(m.Config.DumpDir, endpt.Uuid) if err := fu.Dump(endptDumpDir); err != nil { - log.Errorf("Upload handler failed to dump file (%s): %s", fu.Implode(), err) + log.Errorf("%s handler failed to dump file (%s): %s", funcName, fu.Implode(), err) http.Error(wt, "Failed to dump file", http.StatusInternalServerError) return } } else { - log.Error("Failed to retrieve endpoint from request") + log.Errorf("%s failed to retrieve endpoint from request", funcName) } } @@ -244,6 +240,7 @@ func (m *Manager) UploadDump(wt http.ResponseWriter, rq *http.Request) { func (m *Manager) Collect(wt http.ResponseWriter, rq *http.Request) { cnt := 0 uuid := rq.Header.Get(EndpointUUIDHeader) + endpt, _ := m.MutEndpoint(uuid) defer rq.Body.Close() 
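Review bot: The `else` branch at the end of UploadDump still only logs `%s failed to retrieve endpoint from request` and then returns with an implicit 200, so a request whose UUID header resolves to no endpoint is reported as success while the file is silently not written; add `http.Error(wt, "Unknown endpoint", http.StatusForbidden)` in that branch, matching the status the authorization middleware uses for the same condition. If UploadDump is only reachable through endpointAuthorizationMiddleware the branch is effectively dead, which is worth a one-line comment instead. UploadDump begins outside the hunk.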
@@ -265,26 +262,26 @@ func (m *Manager) Collect(wt http.ResponseWriter, rq *http.Request) { edrData.Event.ReceiptTime = time.Now().UTC() edrData.Endpoint.UUID = uuid - - if endpt, ok := m.endpoints.GetMutByUUID(uuid); ok { + if endpt != nil { + // updating EdrData fields edrData.Endpoint.IP = endpt.IP edrData.Endpoint.Hostname = endpt.Hostname edrData.Endpoint.Group = endpt.Group - } - edrData.Event.Detection = e.IsDetection() - - // setting EdrData - e.Event.EdrData = &edrData - if endpt := m.mutEndpointFromRequest(rq); endpt != nil { + // updating reducer m.UpdateReducer(endpt.Uuid, &e) + + // updating last detection if e.IsDetection() { endpt.LastDetection = e.Timestamp() } - } else { - log.Error("Failed to retrieve endpoint from request") } + edrData.Event.Detection = e.IsDetection() + + // setting EdrData + e.Event.EdrData = &edrData + // If it is an alert if e.IsDetection() { if _, err := m.detectionLogger.WriteEvent(dtid, uuid, &e); err != nil { @@ -302,6 +299,12 @@ func (m *Manager) Collect(wt http.ResponseWriter, rq *http.Request) { cnt++ } + if endpt != nil { + if err := m.db.InsertOrUpdate(endpt); err != nil { + log.Errorf("Failed to update endpoint UUID=%s: %s", endpt.Uuid, err) + } + } + if err := m.eventLogger.CommitTransaction(); err != nil { log.Errorf("Failed to commit event logger transaction: %s", err) } 
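Review bot: The removed `else { log.Error("Failed to retrieve endpoint from request") }` leaves the `endpt == nil` case in Collect silent: events are still stamped, written and counted under the header-supplied `uuid` with empty IP, hostname and group, and nothing records that the lookup failed. If Collect is only mounted behind endpointAuthorizationMiddleware the case is unreachable and a comment saying so would suffice; otherwise restore a log such as `log.Errorf("Failed to retrieve endpoint UUID=%s from request", uuid)` so ingestion for an unknown endpoint stays visible to operators. Collect begins and ends outside the hunk.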
@@ -315,16 +318,16 @@ func (m *Manager) Collect(wt http.ResponseWriter, rq *http.Request) { // AddCommand sets a command to be executed on endpoint specified by UUID func (m *Manager) AddCommand(uuid string, c *Command) error { - if endpt, ok := m.endpoints.GetMutByUUID(uuid); ok { + if endpt, ok := m.MutEndpoint(uuid); ok { endpt.Command = c - return nil + return m.db.InsertOrUpdate(endpt) } return ErrUnkEndpoint } // GetCommand gets the command set for an endpoint specified by UUID func (m *Manager) GetCommand(uuid string) (*Command, error) { - if endpt, ok := m.endpoints.GetByUUID(uuid); ok { + if endpt, ok := m.MutEndpoint(uuid); ok { // We return the command of an unmutable endpoint struct // so if Command is modified this will not affect Endpoint return endpt.Command, nil @@ -334,21 +337,24 @@ func (m *Manager) GetCommand(uuid string) (*Command, error) { // Command HTTP handler func (m *Manager) Command(wt http.ResponseWriter, rq *http.Request) { - id := rq.Header.Get(EndpointUUIDHeader) + funcName := utils.GetCurFuncName() switch rq.Method { case "GET": - if endpt, ok := m.endpoints.GetMutByUUID(id); ok { + if endpt := m.eptAPIMutEndpointFromRequest(rq); endpt != nil { // we send back the command to execute only if was not already sent if endpt.Command != nil { if !endpt.Command.Sent { jsonCmd, err := json.Marshal(endpt.Command) if err != nil { - log.Errorf("Failed at serializing command to JSON: %s", err) + log.Errorf("%s failed at serializing command to JSON: %s", funcName, err) } else { wt.Write(jsonCmd) } endpt.Command.Sent = true endpt.Command.SentTime = time.Now() + if err := m.db.InsertOrUpdate(endpt); err != nil { + log.Errorf("%s to update endpoint data: %s", funcName, err) + } return } } 
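Review bot: The comment `// We return the command of an unmutable endpoint struct` in GetCommand is now stale: the lookup was switched to `m.MutEndpoint(uuid)`, so the returned `*Command` presumably points into the mutable cached endpoint and modifying it does affect the endpoint, contrary to what the next comment line promises. Either return a copy of the command or rewrite the comment to say callers must treat the result as read-only. AddCommand now persists via `return m.db.InsertOrUpdate(endpt)`, but on failure `endpt.Command` has already been replaced in memory, so cache and store diverge; saving the previous command and restoring it on error keeps them aligned. Both functions are fully inside the hunk.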
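Review bot: The new log message `"%s to update endpoint data: %s"` is missing its verb: with `funcName` substituted it reads `Command to update endpoint data: ...` and does not say the update failed. The same string appears in the POST branch of Command and in SystemInfo (the next two hunks); `log.Errorf("%s failed to update endpoint data: %s", funcName, err)` matches the other rewritten messages. In the GET branch `Sent` and `SentTime` are set and now persisted even when `json.Marshal` fails, so a command whose serialization errors is recorded as sent but never delivered; setting them only in the success branch avoids that. Command begins before this hunk and ends after it.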
@@ -356,26 +362,29 @@ func (m *Manager) Command(wt http.ResponseWriter, rq *http.Request) { http.Error(wt, "", http.StatusNoContent) } case "POST": - if endpt, ok := m.endpoints.GetMutByUUID(id); ok { + if endpt := m.eptAPIMutEndpointFromRequest(rq); endpt != nil { // if command is nil we actually don't expect any result if endpt.Command != nil { if !endpt.Command.Completed { defer rq.Body.Close() body, err := ioutil.ReadAll(rq.Body) if err != nil { - log.Errorf("Failed to read response body: %s", err) + log.Errorf("%s failed to read response body: %s", funcName, err) } else { rcmd := Command{} err := json.Unmarshal(body, &rcmd) if err != nil { - log.Errorf("Failed to unmarshal received command: %s", err) + log.Errorf("%s failed to unmarshal received command: %s", funcName, err) } else { // we complete the command executed on the endpoint endpt.Command.Complete(&rcmd) + if err := m.db.InsertOrUpdate(endpt); err != nil { + log.Errorf("%s to update endpoint data: %s", funcName, err) + } } } } else { - log.Errorf("Command is already completed") + log.Errorf("%s command is already completed", funcName) } } } 
@@ -384,16 +393,20 @@ func (m *Manager) Command(wt http.ResponseWriter, rq *http.Request) { // Command HTTP handler func (m *Manager) SystemInfo(wt http.ResponseWriter, rq *http.Request) { - id := rq.Header.Get(EndpointUUIDHeader) + funcName := utils.GetCurFuncName() switch rq.Method { case "POST": - if endpt, ok := m.endpoints.GetMutByUUID(id); ok { + if endpt := m.eptAPIMutEndpointFromRequest(rq); endpt != nil { info := sysinfo.SystemInfo{} if err := readPostAsJSON(rq, &info); err != nil { - log.Errorf("Failed to receive system information for %s", endpt.Uuid) + log.Errorf("%s failed to receive system information for %s", funcName, endpt.Uuid) http.Error(wt, "Failed to unmarshal data", http.StatusInternalServerError) } else { endpt.SystemInfo = &info + m.db.InsertOrUpdate(endpt) + if err := m.db.InsertOrUpdate(endpt); err != nil { + log.Errorf("%s to update endpoint data: %s", funcName, err) + } } } } diff --git a/api/openapi_def.go b/api/openapi_def.go index e345c3b..ffbcf2c 100644 --- a/api/openapi_def.go +++ b/api/openapi_def.go @@ -74,9 +74,9 @@ var OpenAPIDefinition = ` "group": "", "hostname": "OpenHappy", "ip": "127.0.0.1", - "key": "tnPSrSEfaprCpUESXwD9ivyDuEX8crvfTf0O1P5ySpibmIoFgxWQ5dHOXTsTr0rk", - "last-connection": "2022-01-20T08:53:32.169058133Z", - "last-detection": "2022-01-20T09:53:31.118044016+01:00", + "key": "vH8mfUziKrzDNFabt941du6YfyqxwKmNnSLor1TGk2e2e5Kqy9Fm3p8EskcNgrIG", + "last-connection": "2022-01-28T08:23:39.76284761Z", + "last-detection": "2022-01-28T09:23:38.655464358+01:00", "score": 0, "status": "", "system-info": { 
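Review bot: `m.db.InsertOrUpdate(endpt)` is called twice in a row in SystemInfo: the bare first call discards its error and the second repeats the write, so the store is hit twice per system-info POST; delete the unchecked line and keep only the `if err := m.db.InsertOrUpdate(endpt); err != nil` form. The error branch's message has the same missing-verb problem noted on Command. SystemInfo's closing brace appears to lie outside the hunk.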
@@ -148,12 +148,12 @@ var OpenAPIDefinition = ` "group": "", "hostname": "", "ip": "", - "key": "xYzpB9W2JtrDzryxfvoVoOLxEiOpi57qDL3y7gegT7gfKHLQjddHoN622aS4nghn", + "key": "Q3PIJFh8nUB6TLTQ4RTHF8hxI30ohVneVmVNRCMtTVF2BP2zr0hxbXlw50yTyD6y", "last-connection": "0001-01-01T00:00:00Z", "last-detection": "0001-01-01T00:00:00Z", "score": 0, "status": "", - "uuid": "9e233519-ebea-4280-5d42-d50741695fc9" + "uuid": "0bcc37b9-fe51-8c33-2460-00b67ef8d8a3" }, "error": "", "message": "OK" @@ -193,21 +193,21 @@ var OpenAPIDefinition = ` "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d": [ { "base-url": "/endpoints/5a92baeb-9384-47d3-92b4-a0db6f9b8c6d/artifacts/5a92baeb-9384-47d3-92b4-a0db6f9b8c6d/3d8441643c204ba9b9dcb5c414b25a3129f66f6c/", - "creation": "2022-01-20T08:53:37.574506118Z", + "creation": "2022-01-28T08:23:44.335798254Z", "event-hash": "3d8441643c204ba9b9dcb5c414b25a3129f66f6c", "files": [ { "name": "bar.txt", "size": 4, - "timestamp": "2022-01-20T08:53:37.574506118Z" + "timestamp": "2022-01-28T08:23:44.34579826Z" }, { "name": "foo.txt", "size": 4, - "timestamp": "2022-01-20T08:53:37.574506118Z" + "timestamp": "2022-01-28T08:23:44.335798254Z" } ], - "modification": "2022-01-20T08:53:37.574506118Z", + "modification": "2022-01-28T08:23:44.34579826Z", "process-guid": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d" } ] 
@@ -241,30 +241,30 @@ var OpenAPIDefinition = ` "avg-signature-criticality": 0, "bounded-score": 0, "count-by-signature": { - "DefenderConfigChanged": 5, - "NewAutorun": 20, - "SuspiciousService": 2, - "UnknownServices": 9, - "UntrustedDriverLoaded": 14 + "DefenderConfigChanged": 7, + "NewAutorun": 14, + "SuspiciousService": 3, + "UnknownServices": 6, + "UntrustedDriverLoaded": 20 }, "count-uniq-signatures": 5, "identifier": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d", - "median-time": "2022-01-20T09:53:34.322943699+01:00", + "median-time": "2022-01-28T09:23:40.967762404+01:00", "score": 0, "signature-count": 50, "signature-criticality-metric": 0, "signature-diversity": 100, "signatures": [ + "DefenderConfigChanged", "UnknownServices", "UntrustedDriverLoaded", - "DefenderConfigChanged", - "SuspiciousService", - "NewAutorun" + "NewAutorun", + "SuspiciousService" ], - "start-time": "2022-01-20T09:53:34.321578422+01:00", + "start-time": "2022-01-28T09:23:40.966551167+01:00", "std-dev-alert-criticality": 0, "std-dev-signature-criticality": -92233720368547760, - "stop-time": "2022-01-20T09:53:34.324308976+01:00", + "stop-time": "2022-01-28T09:23:40.968973642+01:00", "sum-alert-criticality": 0, "sum-rule-criticality": 0, "tactics": null, @@ -309,8 +309,8 @@ var OpenAPIDefinition = ` "group": "", "hostname": "OpenHappy", "ip": "127.0.0.1", - "last-connection": "2022-01-20T08:53:32.169058133Z", - "last-detection": "2022-01-20T09:53:31.118044016+01:00", + "last-connection": "2022-01-28T08:23:39.76284761Z", + "last-detection": "2022-01-28T09:23:38.655464358+01:00", "score": 0, "status": "", "system-info": { 
@@ -689,8 +689,8 @@ var OpenAPIDefinition = ` "group": "New Group", "hostname": "OpenHappy", "ip": "127.0.0.1", - "last-connection": "2022-01-20T08:53:32.169058133Z", - "last-detection": "2022-01-20T09:53:31.118044016+01:00", + "last-connection": "2022-01-28T08:23:39.76284761Z", + "last-detection": "2022-01-28T09:23:38.655464358+01:00", "score": 0, "status": "New Status", "system-info": { @@ -773,8 +773,8 @@ var OpenAPIDefinition = ` "group": "New Group", "hostname": "OpenHappy", "ip": "127.0.0.1", - "last-connection": "2022-01-20T08:53:32.169058133Z", - "last-detection": "2022-01-20T09:53:31.118044016+01:00", + "last-connection": "2022-01-28T08:23:39.76284761Z", + "last-detection": "2022-01-28T09:23:38.655464358+01:00", "score": 0, "status": "New Status", "system-info": { @@ -868,21 +868,21 @@ var OpenAPIDefinition = ` "data": [ { "base-url": "/endpoints/5a92baeb-9384-47d3-92b4-a0db6f9b8c6d/artifacts/5a92baeb-9384-47d3-92b4-a0db6f9b8c6d/3d8441643c204ba9b9dcb5c414b25a3129f66f6c/", - "creation": "2022-01-20T08:53:37.574506118Z", + "creation": "2022-01-28T08:23:44.335798254Z", "event-hash": "3d8441643c204ba9b9dcb5c414b25a3129f66f6c", "files": [ { "name": "bar.txt", "size": 4, - "timestamp": "2022-01-20T08:53:37.574506118Z" + "timestamp": "2022-01-28T08:23:44.34579826Z" }, { "name": "foo.txt", "size": 4, - "timestamp": "2022-01-20T08:53:37.574506118Z" + "timestamp": "2022-01-28T08:23:44.335798254Z" } ], - "modification": "2022-01-20T08:53:37.574506118Z", + "modification": "2022-01-28T08:23:44.34579826Z", "process-guid": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d" } ], @@ -1027,11 +1027,11 @@ var OpenAPIDefinition = ` "json": null, "name": "/usr/bin/printf", "sent": true, - "sent-time": "2022-01-20T09:53:34.251557812+01:00", + "sent-time": "2022-01-28T09:23:40.905530126+01:00", "stderr": null, "stdout": "SGVsbG8gV29ybGQ=", "timeout": 0, - "uuid": "fbd730f7-3e06-2cc9-d22f-27beedb46e40" + "uuid": "c3ab8786-cd46-f7a4-bb6e-9b53c30cdf28" }, "error": "", "message": "OK" 
@@ -1119,15 +1119,15 @@ var OpenAPIDefinition = ` "stderr": null, "stdout": null, "timeout": 0, - "uuid": "fbd730f7-3e06-2cc9-d22f-27beedb46e40" + "uuid": "c3ab8786-cd46-f7a4-bb6e-9b53c30cdf28" }, "criticality": 0, "group": "", "hostname": "OpenHappy", "ip": "127.0.0.1", - "key": "O8zN5c4LpTGzKai5uQa4pac39LSHerNRukFjhBc9YEqb2sjIxi1bacXtkPEE1OSf", - "last-connection": "2022-01-20T08:53:33.249791957Z", - "last-detection": "2022-01-20T09:53:32.206676319+01:00", + "key": "uV41c5SB6PJmJnPdI4dgFj6eui6uBb4Q1XHQweEhWV562BkdBT1NPDg6mp9rUmF1", + "last-connection": "2022-01-28T08:23:40.896016444Z", + "last-detection": "2022-01-28T09:23:39.783976356+01:00", "score": 0, "status": "", "system-info": { @@ -1343,7 +1343,7 @@ var OpenAPIDefinition = ` "Actions": [], "Criticality": 8, "Signature": [ - "DefenderConfigChanged" + "NewAutorun" ] }, "EdrData": { 
@@ -1355,23 +1355,37 @@ var OpenAPIDefinition = ` }, "Event": { "Detection": true, - "Hash": "b868f565f41df075a4cce31163890b111d598f4f", - "ReceiptTime": "2022-01-20T08:31:10.245104195Z" + "Hash": "a937ea7beab8d8916f4fdd95d136629dc45d159f", + "ReceiptTime": "2022-01-28T08:23:38.555329952Z" } }, "EventData": { - "New Value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\ServiceStartStates = 0x1", - "Old Value": "Default\\ServiceStartStates = 0x0", - "Product Name": "Windows Defender Antivirus", - "Product Version": "4.18.2106.6" + "CommandLine": "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2106.6-0\\MsMpEng.exe\"", + "CurrentDirectory": "C:\\Windows\\system32\\", + "Details": "Both", + "EventType": "SetValue", + "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2106.6-0\\MsMpEng.exe", + "ImageHashes": "SHA1=FBF03B5D6DC1A7EDAB0BA8D4DD27291C739E5813,MD5=B1C15F9DB942B373B2FC468B7048E63F,SHA256=1DC05B6DD6281840CEB822604B0E403E499180D636D02EC08AD77B4EB56F1B9C,IMPHASH=8AA2B8727E6858A3557A4C09970B9A5D", + "ImageSignature": "?", + "ImageSignatureStatus": "?", + "ImageSigned": "false", + "IntegrityLevel": "System", + "ProcessGuid": "{515cd0d1-7669-6123-4e00-000000007300}", + "ProcessId": "3276", + "ProcessThreatScore": "16", + "RuleName": "-", + "Services": "WinDefend", + "TargetObject": "HKCR\\CLSID\\{2DCD7FDB-8809-48E4-8E4F-3157C57CF987}\\InprocServer32\\ThreadingModel", + "User": "NT AUTHORITY\\SYSTEM", + "UtcTime": "2021-08-23 10:20:25.878" }, "System": { - "Channel": "Microsoft-Windows-Windows Defender/Operational", + "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "DESKTOP-LJRVE06", - "EventID": 5007, + "EventID": 13, "Execution": { - "ProcessID": 3276, - "ThreadID": 3592 + "ProcessID": 3220, + "ThreadID": 3848 }, "Keywords": { "Name": "", 
@@ -1382,19 +1396,19 @@ var OpenAPIDefinition = ` "Value": 4 }, "Opcode": { - "Name": "", + "Name": "Info", "Value": 0 }, "Provider": { - "Guid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}", - "Name": "Microsoft-Windows-Windows Defender" + "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", + "Name": "Microsoft-Windows-Sysmon" }, "Task": { "Name": "", "Value": 0 }, "TimeCreated": { - "SystemTime": "2022-01-20T09:31:09.179106727+01:00" + "SystemTime": "2022-01-28T09:23:37.540492922+01:00" } } } @@ -1403,9 +1417,9 @@ var OpenAPIDefinition = ` "Event": { "Detection": { "Actions": [], - "Criticality": 8, + "Criticality": 10, "Signature": [ - "NewAutorun" + "UntrustedDriverLoaded" ] }, "EdrData": { 
@@ -1417,37 +1431,27 @@ var OpenAPIDefinition = ` }, "Event": { "Detection": true, - "Hash": "4c9e73510da8db60429f1fc5a9937f1d049bd711", - "ReceiptTime": "2022-01-20T08:31:10.24677281Z" + "Hash": "a6002ca7deb8e14168d006eab89cecde8ee8a5c3", + "ReceiptTime": "2022-01-28T08:23:38.556938044Z" } }, "EventData": { - "CommandLine": "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2106.6-0\\MsMpEng.exe\"", - "CurrentDirectory": "C:\\Windows\\system32\\", - "Details": "Both", - "EventType": "SetValue", - "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2106.6-0\\MsMpEng.exe", - "ImageHashes": "SHA1=FBF03B5D6DC1A7EDAB0BA8D4DD27291C739E5813,MD5=B1C15F9DB942B373B2FC468B7048E63F,SHA256=1DC05B6DD6281840CEB822604B0E403E499180D636D02EC08AD77B4EB56F1B9C,IMPHASH=8AA2B8727E6858A3557A4C09970B9A5D", - "ImageSignature": "?", - "ImageSignatureStatus": "?", - "ImageSigned": "false", - "IntegrityLevel": "System", - "ProcessGuid": "{515cd0d1-7669-6123-4e00-000000007300}", - "ProcessId": "3276", - "ProcessThreatScore": "16", + "Hashes": "SHA1=4777B847E66E26D07CAB85361A93F6B9A1DF3E21,MD5=24A56CB3ECB97815A01514B2876A4417,SHA256=7906DCF8E5CCC7D8C0C3DA61785DE448DF554B0D0CF81BFD34DF9DEAF8962F64,IMPHASH=722ECECC50D0D02124BAB0A56989296C", + "ImageLoaded": "C:\\Windows\\System32\\drivers\\VBoxWddm.sys", + "ImageLoadedSize": "404296", "RuleName": "-", - "Services": "WinDefend", - "TargetObject": "HKCR\\CLSID\\{2DCD7FDB-8809-48E4-8E4F-3157C57CF987}\\InprocServer32\\ThreadingModel", - "User": "NT AUTHORITY\\SYSTEM", - "UtcTime": "2021-08-23 10:20:25.878" + "Signature": "Oracle Corporation", + "SignatureStatus": "Valid", + "Signed": "true", + "UtcTime": "2021-08-23 10:20:18.876" }, "System": { "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "DESKTOP-LJRVE06", - "EventID": 13, + "EventID": 6, "Execution": { "ProcessID": 3220, - "ThreadID": 3848 + "ThreadID": 3584 }, "Keywords": { "Name": "", 
@@ -1470,7 +1474,7 @@ var OpenAPIDefinition = ` "Value": 0 }, "TimeCreated": { - "SystemTime": "2022-01-20T09:31:09.17914717+01:00" + "SystemTime": "2022-01-28T09:23:37.540932958+01:00" } } } @@ -1596,14 +1600,14 @@ var OpenAPIDefinition = ` }, "Event": { "Detection": false, - "Hash": "09cda7dbc9d3d4626eb8d177c14db22ebc38e086", - "ReceiptTime": "2022-01-20T08:31:10.23412517Z" + "Hash": "1f0622313301da7b49509272baa9b6a408ba0f59", + "ReceiptTime": "2022-01-28T08:23:38.553164671Z" } }, "EventData": { "CommandLine": "C:\\Windows\\system32\\svchost.exe -k appmodel -p -s StateRepository", "CurrentDirectory": "C:\\Windows\\system32\\", - "Details": "Binary Data", + "Details": "QWORD (0x000a0000-0x00000000)", "EventType": "SetValue", "Image": "C:\\Windows\\system32\\svchost.exe", "ImageHashes": "SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69", @@ -1616,9 +1620,9 @@ var OpenAPIDefinition = ` "ProcessThreatScore": "0", "RuleName": "-", "Services": "StateRepository", - "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\ApplicationUser\\Data\\49\\_IndexKeys", + "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\12\\OSMaxVersionTested", "User": "NT AUTHORITY\\SYSTEM", - "UtcTime": "2021-08-23 10:20:30.484" + "UtcTime": "2021-08-23 10:20:29.734" }, "System": { "Channel": "Microsoft-Windows-Sysmon/Operational", @@ -1649,7 +1653,7 @@ var OpenAPIDefinition = ` "Value": 0 }, "TimeCreated": { - "SystemTime": "2022-01-20T09:31:09.178246553+01:00" + "SystemTime": "2022-01-28T09:23:37.539998343+01:00" } } } 
@@ -1665,29 +1669,21 @@ var OpenAPIDefinition = ` }, "Event": { "Detection": false, - "Hash": "72fb6541a856a4613a9dc3ac5d9958036d529431", - "ReceiptTime": "2022-01-20T08:31:10.234713967Z" + "Hash": "0be7497e56a1bb87b0e5e6869267323ac85760f8", + "ReceiptTime": "2022-01-28T08:23:38.553531418Z" } }, "EventData": { - "CommandLine": "C:\\Windows\\system32\\svchost.exe -k appmodel -p -s StateRepository", - "CurrentDirectory": "C:\\Windows\\system32\\", - "Details": "DWORD (0x00000014)", + "Details": "DWORD (0x00000000)", "EventType": "SetValue", - "Image": "C:\\Windows\\system32\\svchost.exe", - "ImageHashes": "SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69", - "ImageSignature": "?", - "ImageSignatureStatus": "?", - "ImageSigned": "false", - "IntegrityLevel": "System", - "ProcessGuid": "{515cd0d1-7668-6123-3c00-000000007300}", - "ProcessId": "2556", - "ProcessThreatScore": "0", + "Image": "System", + "ProcessGuid": "{515cd0d1-7662-6123-eb03-000000000000}", + "ProcessId": "4", + "ProcessThreatScore": "-1", "RuleName": "-", - "Services": "StateRepository", - "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\ApplicationExtension\\Data\\5e\\Index", - "User": "NT AUTHORITY\\SYSTEM", - "UtcTime": "2021-08-23 10:20:30.613" + "Services": "N/A", + "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\lltdio\\DriverMinorVersion", + "UtcTime": "2021-08-23 10:20:24.545" }, "System": { "Channel": "Microsoft-Windows-Sysmon/Operational", @@ -1718,7 +1714,7 @@ var OpenAPIDefinition = ` "Value": 0 }, "TimeCreated": { - "SystemTime": "2022-01-20T09:31:09.178246909+01:00" + "SystemTime": "2022-01-28T09:23:37.539998919+01:00" } } } 
@@ -1764,30 +1760,30 @@ var OpenAPIDefinition = ` "avg-signature-criticality": 0, "bounded-score": 0, "count-by-signature": { - "DefenderConfigChanged": 5, - "NewAutorun": 20, - "SuspiciousService": 2, - "UnknownServices": 9, - "UntrustedDriverLoaded": 14 + "DefenderConfigChanged": 7, + "NewAutorun": 14, + "SuspiciousService": 3, + "UnknownServices": 6, + "UntrustedDriverLoaded": 20 }, "count-uniq-signatures": 5, "identifier": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d", - "median-time": "2022-01-20T09:53:34.322943699+01:00", + "median-time": "2022-01-28T09:23:40.967762404+01:00", "score": 0, "signature-count": 50, "signature-criticality-metric": 0, "signature-diversity": 100, "signatures": [ - "NewAutorun", + "SuspiciousService", + "DefenderConfigChanged", "UnknownServices", "UntrustedDriverLoaded", - "DefenderConfigChanged", - "SuspiciousService" + "NewAutorun" ], - "start-time": "2022-01-20T09:53:34.321578422+01:00", + "start-time": "2022-01-28T09:23:40.966551167+01:00", "std-dev-alert-criticality": 0, "std-dev-signature-criticality": -92233720368547760, - "stop-time": "2022-01-20T09:53:34.324308976+01:00", + "stop-time": "2022-01-28T09:23:40.968973642+01:00", "sum-alert-criticality": 0, "sum-rule-criticality": 0, "tactics": null, 
@@ -1831,30 +1827,30 @@ var OpenAPIDefinition = ` "avg-signature-criticality": 0, "bounded-score": 0, "count-by-signature": { - "DefenderConfigChanged": 5, - "NewAutorun": 20, - "SuspiciousService": 2, - "UnknownServices": 9, - "UntrustedDriverLoaded": 14 + "DefenderConfigChanged": 7, + "NewAutorun": 14, + "SuspiciousService": 3, + "UnknownServices": 6, + "UntrustedDriverLoaded": 20 }, "count-uniq-signatures": 5, "identifier": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d", - "median-time": "2022-01-20T09:53:34.322943699+01:00", + "median-time": "2022-01-28T09:23:40.967762404+01:00", "score": 0, "signature-count": 50, "signature-criticality-metric": 0, "signature-diversity": 100, "signatures": [ - "NewAutorun", + "SuspiciousService", + "DefenderConfigChanged", "UnknownServices", "UntrustedDriverLoaded", - "DefenderConfigChanged", - "SuspiciousService" + "NewAutorun" ], - "start-time": "2022-01-20T09:53:34.321578422+01:00", + "start-time": "2022-01-28T09:23:40.966551167+01:00", "std-dev-alert-criticality": 0, "std-dev-signature-criticality": -92233720368547760, - "stop-time": "2022-01-20T09:53:34.324308976+01:00", + "stop-time": "2022-01-28T09:23:40.968973642+01:00", "sum-alert-criticality": 0, "sum-rule-criticality": 0, "tactics": null, 
@@ -1940,35 +1936,35 @@ var OpenAPIDefinition = ` { "alert-count": 50, "alert-criticality-metric": 0, - "archived-time": "2022-01-20T09:53:35.403897482+01:00", + "archived-time": "2022-01-28T09:23:42.070026409+01:00", "avg-alert-criticality": 0, "avg-signature-criticality": 0, "bounded-score": 0, "count-by-signature": { - "DefenderConfigChanged": 5, - "NewAutorun": 20, - "SuspiciousService": 2, - "UnknownServices": 9, - "UntrustedDriverLoaded": 14 + "DefenderConfigChanged": 7, + "NewAutorun": 14, + "SuspiciousService": 3, + "UnknownServices": 6, + "UntrustedDriverLoaded": 20 }, "count-uniq-signatures": 5, "identifier": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d", - "median-time": "2022-01-20T09:53:34.322943699+01:00", + "median-time": "2022-01-28T09:23:40.967762404+01:00", "score": 0, "signature-count": 50, "signature-criticality-metric": 0, "signature-diversity": 100, "signatures": [ - "NewAutorun", + "SuspiciousService", + "DefenderConfigChanged", "UnknownServices", "UntrustedDriverLoaded", - "DefenderConfigChanged", - "SuspiciousService" + "NewAutorun" ], - "start-time": "2022-01-20T09:53:34.321578422+01:00", + "start-time": "2022-01-28T09:23:40.966551167+01:00", "std-dev-alert-criticality": 0, "std-dev-signature-criticality": -92233720368547760, - "stop-time": "2022-01-20T09:53:34.324308976+01:00", + "stop-time": "2022-01-28T09:23:40.968973642+01:00", "sum-alert-criticality": 0, "sum-rule-criticality": 0, "tactics": null, @@ -2050,10 +2046,10 @@ var OpenAPIDefinition = ` "example": { "data": [ { - "guuid": "90e45cb0-5322-5fdd-39cd-50fb3e563e27", + "guuid": "cf1d96c2-8848-c1f4-710a-2780f7c481f6", "source": "XyzTIProvider", "type": "domain", - "uuid": "38ceda6e-7738-67ff-0827-e38f9d17b1c1", + "uuid": "c80857ca-4015-d931-0cc5-8247cb9d0e5e", "value": "some.random.domain" } ], 
@@ -2101,8 +2097,8 @@ var OpenAPIDefinition = ` }, "example": [ { - "uuid": "38ceda6e-7738-67ff-0827-e38f9d17b1c1", - "guuid": "90e45cb0-5322-5fdd-39cd-50fb3e563e27", + "uuid": "c80857ca-4015-d931-0cc5-8247cb9d0e5e", + "guuid": "cf1d96c2-8848-c1f4-710a-2780f7c481f6", "source": "XyzTIProvider", "value": "some.random.domain", "type": "domain" @@ -2120,10 +2116,10 @@ var OpenAPIDefinition = ` "example": { "data": [ { - "guuid": "90e45cb0-5322-5fdd-39cd-50fb3e563e27", + "guuid": "cf1d96c2-8848-c1f4-710a-2780f7c481f6", "source": "XyzTIProvider", "type": "domain", - "uuid": "38ceda6e-7738-67ff-0827-e38f9d17b1c1", + "uuid": "c80857ca-4015-d931-0cc5-8247cb9d0e5e", "value": "some.random.domain" } ], @@ -2620,8 +2616,8 @@ var OpenAPIDefinition = ` "description": "", "group": "", "identifier": "TestAdminUser", - "key": "u6hluO9qpcx911l10uT0WPf1qpXsdt6HK3f2uW57PbLGG17Bbqyz6hc8OH8vr7kW", - "uuid": "d2e553aa-3244-679d-addd-a3615e5c49d6" + "key": "M6wBoYi4iYCS9v4qaVYkkgd3KHUx5evulRowq4ncrJ7T7GkHuvg8SEmXww15laHg", + "uuid": "2e1b9db7-deef-5e3e-4314-516461c8f773" }, "error": "", "message": "OK" @@ -2664,7 +2660,7 @@ var OpenAPIDefinition = ` } }, "example": { - "uuid": "517e415f-ef80-ce59-ea2a-b509d00b08f9", + "uuid": "767a2f87-d6df-5ad7-460b-0426426b6bd8", "identifier": "SecondTestAdmin", "key": "ChangeMe", "group": "CSIRT", @@ -2685,7 +2681,7 @@ var OpenAPIDefinition = ` "group": "CSIRT", "identifier": "SecondTestAdmin", "key": "ChangeMe", - "uuid": "517e415f-ef80-ce59-ea2a-b509d00b08f9" + "uuid": "767a2f87-d6df-5ad7-460b-0426426b6bd8" }, "error": "", "message": "OK" @@ -2773,7 +2769,7 @@ var OpenAPIDefinition = ` "group": "SOC", "identifier": "SecondTestAdmin", "key": "NewWeakKey", - "uuid": "517e415f-ef80-ce59-ea2a-b509d00b08f9" + "uuid": "767a2f87-d6df-5ad7-460b-0426426b6bd8" }, "error": "", "message": "OK" 
@@ -2811,7 +2807,7 @@ var OpenAPIDefinition = ` "group": "SOC", "identifier": "SecondTestAdmin", "key": "NewWeakKey", - "uuid": "517e415f-ef80-ce59-ea2a-b509d00b08f9" + "uuid": "767a2f87-d6df-5ad7-460b-0426426b6bd8" }, "error": "", "message": "OK" diff --git a/doc/admin.openapi.json b/doc/admin.openapi.json index 50cf859..bcf694a 100644 --- a/doc/admin.openapi.json +++ b/doc/admin.openapi.json @@ -72,11 +72,53 @@ "group": "", "hostname": "OpenHappy", "ip": "127.0.0.1", - "key": "r6QC5g386jMGa2XnSgPnuqW1qMd6rHK4S3XljrKskhyT7Jlwsjp2kXREk2iNeHUL", - "last-connection": "2022-01-12T20:53:06.230726381Z", - "last-detection": "2022-01-12T21:53:05.091191078+01:00", + "key": "vH8mfUziKrzDNFabt941du6YfyqxwKmNnSLor1TGk2e2e5Kqy9Fm3p8EskcNgrIG", + "last-connection": "2022-01-28T08:23:39.76284761Z", + "last-detection": "2022-01-28T09:23:38.655464358+01:00", "score": 0, "status": "", + "system-info": { + "bios": { + "date": "12/01/2006", + "version": "VirtualBox" + }, + "cpu": { + "count": 4, + "name": "Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz" + }, + "os": { + "build": "18362", + "edition": "Enterprise", + "name": "windows", + "product": "Windows 10 Pro", + "version": "10.0.18362" + }, + "sysmon": { + "config": { + "hash": "2d1652d67b565cabf2e774668f2598188373e957ef06aa5653bf9bf6fe7fe837", + "version": { + "binary": "15.0", + "schema": "4.70" + } + }, + "driver": { + "image": "C:\\Windows\\SysmonDrv.sys", + "name": "SysmonDrv", + "sha256": "e9ea8c0390c65c055d795b301ee50de8f8884313530023918c2eea56de37a525" + }, + "service": { + "image": "C:\\Program Files\\Whids\\Sysmon64.exe", + "name": "Sysmon64", + "sha256": "b448cd80b09fa43a3848f5181362ac52ffcb283f88693b68f1a0e4e6ae932863" + }, + "version": "v13.23" + }, + "system": { + "manufacturer": "innotek GmbH", + "name": "VirtualBox", + "virtual": true + } + }, "uuid": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d" } ], 
@@ -104,12 +146,12 @@ "group": "", "hostname": "", "ip": "", - "key": "77olSLKoEptwk4DLBhROXCaGL8BCQDKeufXMCr0LI5fUGWMtHWkiSWztkxw9ksQn", + "key": "Q3PIJFh8nUB6TLTQ4RTHF8hxI30ohVneVmVNRCMtTVF2BP2zr0hxbXlw50yTyD6y", "last-connection": "0001-01-01T00:00:00Z", "last-detection": "0001-01-01T00:00:00Z", "score": 0, "status": "", - "uuid": "47fea2a5-5856-ffc1-a0a2-a94616676f16" + "uuid": "0bcc37b9-fe51-8c33-2460-00b67ef8d8a3" }, "error": "", "message": "OK" @@ -149,21 +191,21 @@ "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d": [ { "base-url": "/endpoints/5a92baeb-9384-47d3-92b4-a0db6f9b8c6d/artifacts/5a92baeb-9384-47d3-92b4-a0db6f9b8c6d/3d8441643c204ba9b9dcb5c414b25a3129f66f6c/", - "creation": "2022-01-12T20:53:10.854728678Z", + "creation": "2022-01-28T08:23:44.335798254Z", "event-hash": "3d8441643c204ba9b9dcb5c414b25a3129f66f6c", "files": [ { "name": "bar.txt", "size": 4, - "timestamp": "2022-01-12T20:53:10.874728726Z" + "timestamp": "2022-01-28T08:23:44.34579826Z" }, { "name": "foo.txt", "size": 4, - "timestamp": "2022-01-12T20:53:10.854728678Z" + "timestamp": "2022-01-28T08:23:44.335798254Z" } ], - "modification": "2022-01-12T20:53:10.874728726Z", + "modification": "2022-01-28T08:23:44.34579826Z", "process-guid": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d" } ] 
@@ -197,30 +239,30 @@ "avg-signature-criticality": 0, "bounded-score": 0, "count-by-signature": { - "DefenderConfigChanged": 5, - "NewAutorun": 19, + "DefenderConfigChanged": 7, + "NewAutorun": 14, "SuspiciousService": 3, - "UnknownServices": 9, - "UntrustedDriverLoaded": 14 + "UnknownServices": 6, + "UntrustedDriverLoaded": 20 }, "count-uniq-signatures": 5, "identifier": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d", - "median-time": "2022-01-12T21:53:07.427012062+01:00", + "median-time": "2022-01-28T09:23:40.967762404+01:00", "score": 0, "signature-count": 50, "signature-criticality-metric": 0, "signature-diversity": 100, "signatures": [ + "DefenderConfigChanged", "UnknownServices", "UntrustedDriverLoaded", "NewAutorun", - "DefenderConfigChanged", "SuspiciousService" ], - "start-time": "2022-01-12T21:53:07.425687807+01:00", + "start-time": "2022-01-28T09:23:40.966551167+01:00", "std-dev-alert-criticality": 0, "std-dev-signature-criticality": -92233720368547760, - "stop-time": "2022-01-12T21:53:07.428336317+01:00", + "stop-time": "2022-01-28T09:23:40.968973642+01:00", "sum-alert-criticality": 0, "sum-rule-criticality": 0, "tactics": null, 
@@ -265,10 +307,52 @@ "group": "", "hostname": "OpenHappy", "ip": "127.0.0.1", - "last-connection": "2022-01-12T20:53:06.230726381Z", - "last-detection": "2022-01-12T21:53:05.091191078+01:00", + "last-connection": "2022-01-28T08:23:39.76284761Z", + "last-detection": "2022-01-28T09:23:38.655464358+01:00", "score": 0, "status": "", + "system-info": { + "bios": { + "date": "12/01/2006", + "version": "VirtualBox" + }, + "cpu": { + "count": 4, + "name": "Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz" + }, + "os": { + "build": "18362", + "edition": "Enterprise", + "name": "windows", + "product": "Windows 10 Pro", + "version": "10.0.18362" + }, + "sysmon": { + "config": { + "hash": "2d1652d67b565cabf2e774668f2598188373e957ef06aa5653bf9bf6fe7fe837", + "version": { + "binary": "15.0", + "schema": "4.70" + } + }, + "driver": { + "image": "C:\\Windows\\SysmonDrv.sys", + "name": "SysmonDrv", + "sha256": "e9ea8c0390c65c055d795b301ee50de8f8884313530023918c2eea56de37a525" + }, + "service": { + "image": "C:\\Program Files\\Whids\\Sysmon64.exe", + "name": "Sysmon64", + "sha256": "b448cd80b09fa43a3848f5181362ac52ffcb283f88693b68f1a0e4e6ae932863" + }, + "version": "v13.23" + }, + "system": { + "manufacturer": "innotek GmbH", + "name": "VirtualBox", + "virtual": true + } + }, "uuid": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d" }, "error": "", 
@@ -451,6 +535,126 @@ "status": { "type": "string" }, + "system-info": { + "type": "object", + "properties": { + "bios": { + "type": "object", + "properties": { + "date": { + "type": "string" + }, + "version": { + "type": "string" + } + } + }, + "cpu": { + "type": "object", + "properties": { + "count": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + }, + "os": { + "type": "object", + "properties": { + "build": { + "type": "string" + }, + "edition": { + "type": "string" + }, + "name": { + "type": "string" + }, + "product": { + "type": "string" + }, + "version": { + "type": "string" + } + } + }, + "sysmon": { + "type": "object", + "properties": { + "config": { + "type": "object", + "properties": { + "hash": { + "type": "string" + }, + "version": { + "type": "object", + "properties": { + "binary": { + "type": "string" + }, + "schema": { + "type": "string" + } + } + } + } + }, + "driver": { + "type": "object", + "properties": { + "image": { + "type": "string" + }, + "name": { + "type": "string" + }, + "sha256": { + "type": "string" + } + } + }, + "error": { + "type": "object" + }, + "service": { + "type": "object", + "properties": { + "image": { + "type": "string" + }, + "name": { + "type": "string" + }, + "sha256": { + "type": "string" + } + } + }, + "version": { + "type": "string" + } + } + }, + "system": { + "type": "object", + "properties": { + "manufacturer": { + "type": "string" + }, + "name": { + "type": "string" + }, + "virtual": { + "type": "boolean" + } + } + } + } + }, "uuid": { "type": "string" } 
@@ -483,10 +687,52 @@ "group": "New Group", "hostname": "OpenHappy", "ip": "127.0.0.1", - "last-connection": "2022-01-12T20:53:06.230726381Z", - "last-detection": "2022-01-12T21:53:05.091191078+01:00", + "last-connection": "2022-01-28T08:23:39.76284761Z", + "last-detection": "2022-01-28T09:23:38.655464358+01:00", "score": 0, "status": "New Status", + "system-info": { + "bios": { + "date": "12/01/2006", + "version": "VirtualBox" + }, + "cpu": { + "count": 4, + "name": "Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz" + }, + "os": { + "build": "18362", + "edition": "Enterprise", + "name": "windows", + "product": "Windows 10 Pro", + "version": "10.0.18362" + }, + "sysmon": { + "config": { + "hash": "2d1652d67b565cabf2e774668f2598188373e957ef06aa5653bf9bf6fe7fe837", + "version": { + "binary": "15.0", + "schema": "4.70" + } + }, + "driver": { + "image": "C:\\Windows\\SysmonDrv.sys", + "name": "SysmonDrv", + "sha256": "e9ea8c0390c65c055d795b301ee50de8f8884313530023918c2eea56de37a525" + }, + "service": { + "image": "C:\\Program Files\\Whids\\Sysmon64.exe", + "name": "Sysmon64", + "sha256": "b448cd80b09fa43a3848f5181362ac52ffcb283f88693b68f1a0e4e6ae932863" + }, + "version": "v13.23" + }, + "system": { + "manufacturer": "innotek GmbH", + "name": "VirtualBox", + "virtual": true + } + }, "uuid": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d" }, "error": "", 
@@ -525,10 +771,52 @@ "group": "New Group", "hostname": "OpenHappy", "ip": "127.0.0.1", - "last-connection": "2022-01-12T20:53:06.230726381Z", - "last-detection": "2022-01-12T21:53:05.091191078+01:00", + "last-connection": "2022-01-28T08:23:39.76284761Z", + "last-detection": "2022-01-28T09:23:38.655464358+01:00", "score": 0, "status": "New Status", + "system-info": { + "bios": { + "date": "12/01/2006", + "version": "VirtualBox" + }, + "cpu": { + "count": 4, + "name": "Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz" + }, + "os": { + "build": "18362", + "edition": "Enterprise", + "name": "windows", + "product": "Windows 10 Pro", + "version": "10.0.18362" + }, + "sysmon": { + "config": { + "hash": "2d1652d67b565cabf2e774668f2598188373e957ef06aa5653bf9bf6fe7fe837", + "version": { + "binary": "15.0", + "schema": "4.70" + } + }, + "driver": { + "image": "C:\\Windows\\SysmonDrv.sys", + "name": "SysmonDrv", + "sha256": "e9ea8c0390c65c055d795b301ee50de8f8884313530023918c2eea56de37a525" + }, + "service": { + "image": "C:\\Program Files\\Whids\\Sysmon64.exe", + "name": "Sysmon64", + "sha256": "b448cd80b09fa43a3848f5181362ac52ffcb283f88693b68f1a0e4e6ae932863" + }, + "version": "v13.23" + }, + "system": { + "manufacturer": "innotek GmbH", + "name": "VirtualBox", + "virtual": true + } + }, "uuid": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d" }, "error": "", 
@@ -578,21 +866,21 @@ "data": [ { "base-url": "/endpoints/5a92baeb-9384-47d3-92b4-a0db6f9b8c6d/artifacts/5a92baeb-9384-47d3-92b4-a0db6f9b8c6d/3d8441643c204ba9b9dcb5c414b25a3129f66f6c/", - "creation": "2022-01-12T20:53:10.854728678Z", + "creation": "2022-01-28T08:23:44.335798254Z", "event-hash": "3d8441643c204ba9b9dcb5c414b25a3129f66f6c", "files": [ { "name": "bar.txt", "size": 4, - "timestamp": "2022-01-12T20:53:10.874728726Z" + "timestamp": "2022-01-28T08:23:44.34579826Z" }, { "name": "foo.txt", "size": 4, - "timestamp": "2022-01-12T20:53:10.854728678Z" + "timestamp": "2022-01-28T08:23:44.335798254Z" } ], - "modification": "2022-01-12T20:53:10.874728726Z", + "modification": "2022-01-28T08:23:44.34579826Z", "process-guid": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d" } ], @@ -737,11 +1025,11 @@ "json": null, "name": "/usr/bin/printf", "sent": true, - "sent-time": "2022-01-12T21:53:07.36866772+01:00", + "sent-time": "2022-01-28T09:23:40.905530126+01:00", "stderr": null, "stdout": "SGVsbG8gV29ybGQ=", "timeout": 0, - "uuid": "78e45d4c-a084-50b8-e734-895e40e6cbbe" + "uuid": "c3ab8786-cd46-f7a4-bb6e-9b53c30cdf28" }, "error": "", "message": "OK" 
@@ -829,17 +1117,59 @@ "stderr": null, "stdout": null, "timeout": 0, - "uuid": "78e45d4c-a084-50b8-e734-895e40e6cbbe" + "uuid": "c3ab8786-cd46-f7a4-bb6e-9b53c30cdf28" }, "criticality": 0, "group": "", "hostname": "OpenHappy", "ip": "127.0.0.1", - "key": "x5Mw4cNw48oLQrTI3gDUkolPQyJOWmw1nOYv1vp9rGHTdmiJ9RB5F12Ud5CG1vY4", - "last-connection": "2022-01-12T20:53:07.341819947Z", - "last-detection": "2022-01-12T21:53:06.267922994+01:00", + "key": "uV41c5SB6PJmJnPdI4dgFj6eui6uBb4Q1XHQweEhWV562BkdBT1NPDg6mp9rUmF1", + "last-connection": "2022-01-28T08:23:40.896016444Z", + "last-detection": "2022-01-28T09:23:39.783976356+01:00", "score": 0, "status": "", + "system-info": { + "bios": { + "date": "12/01/2006", + "version": "VirtualBox" + }, + "cpu": { + "count": 4, + "name": "Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz" + }, + "os": { + "build": "18362", + "edition": "Enterprise", + "name": "windows", + "product": "Windows 10 Pro", + "version": "10.0.18362" + }, + "sysmon": { + "config": { + "hash": "2d1652d67b565cabf2e774668f2598188373e957ef06aa5653bf9bf6fe7fe837", + "version": { + "binary": "15.0", + "schema": "4.70" + } + }, + "driver": { + "image": "C:\\Windows\\SysmonDrv.sys", + "name": "SysmonDrv", + "sha256": "e9ea8c0390c65c055d795b301ee50de8f8884313530023918c2eea56de37a525" + }, + "service": { + "image": "C:\\Program Files\\Whids\\Sysmon64.exe", + "name": "Sysmon64", + "sha256": "b448cd80b09fa43a3848f5181362ac52ffcb283f88693b68f1a0e4e6ae932863" + }, + "version": "v13.23" + }, + "system": { + "manufacturer": "innotek GmbH", + "name": "VirtualBox", + "virtual": true + } + }, "uuid": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d" }, "error": "", 
@@ -1023,14 +1353,14 @@ }, "Event": { "Detection": true, - "Hash": "8b88971bf4e38ccaa33654cbceaf1db66a7f25aa", - "ReceiptTime": "2022-01-12T20:53:04.882760504Z" + "Hash": "a937ea7beab8d8916f4fdd95d136629dc45d159f", + "ReceiptTime": "2022-01-28T08:23:38.555329952Z" } }, "EventData": { "CommandLine": "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2106.6-0\\MsMpEng.exe\"", "CurrentDirectory": "C:\\Windows\\system32\\", - "Details": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2106.6-0\\MPUXAGENT.DLL", + "Details": "Both", "EventType": "SetValue", "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2106.6-0\\MsMpEng.exe", "ImageHashes": "SHA1=FBF03B5D6DC1A7EDAB0BA8D4DD27291C739E5813,MD5=B1C15F9DB942B373B2FC468B7048E63F,SHA256=1DC05B6DD6281840CEB822604B0E403E499180D636D02EC08AD77B4EB56F1B9C,IMPHASH=8AA2B8727E6858A3557A4C09970B9A5D", @@ -1040,10 +1370,10 @@ "IntegrityLevel": "System", "ProcessGuid": "{515cd0d1-7669-6123-4e00-000000007300}", "ProcessId": "3276", - "ProcessThreatScore": "32", + "ProcessThreatScore": "16", "RuleName": "-", "Services": "WinDefend", - "TargetObject": "HKCR\\CLSID\\{4DB116D1-9B24-4DFC-946B-BFE03E852002}\\InProcServer32\\(Default)", + "TargetObject": "HKCR\\CLSID\\{2DCD7FDB-8809-48E4-8E4F-3157C57CF987}\\InprocServer32\\ThreadingModel", "User": "NT AUTHORITY\\SYSTEM", "UtcTime": "2021-08-23 10:20:25.878" }, @@ -1076,7 +1406,7 @@ "Value": 0 }, "TimeCreated": { - "SystemTime": "2022-01-12T21:53:03.81353506+01:00" + "SystemTime": "2022-01-28T09:23:37.540492922+01:00" } } } @@ -1085,9 +1415,9 @@ "Event": { "Detection": { "Actions": [], - "Criticality": 8, + "Criticality": 10, "Signature": [ - "NewAutorun" + "UntrustedDriverLoaded" ] }, "EdrData": { 
@@ -1099,37 +1429,27 @@ }, "Event": { "Detection": true, - "Hash": "c13aa4b5143d338ce660eb4fe1ef6431809a9ecc", - "ReceiptTime": "2022-01-12T20:53:04.884131188Z" + "Hash": "a6002ca7deb8e14168d006eab89cecde8ee8a5c3", + "ReceiptTime": "2022-01-28T08:23:38.556938044Z" } }, "EventData": { - "CommandLine": "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2106.6-0\\MsMpEng.exe\"", - "CurrentDirectory": "C:\\Windows\\system32\\", - "Details": "Both", - "EventType": "SetValue", - "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2106.6-0\\MsMpEng.exe", - "ImageHashes": "SHA1=FBF03B5D6DC1A7EDAB0BA8D4DD27291C739E5813,MD5=B1C15F9DB942B373B2FC468B7048E63F,SHA256=1DC05B6DD6281840CEB822604B0E403E499180D636D02EC08AD77B4EB56F1B9C,IMPHASH=8AA2B8727E6858A3557A4C09970B9A5D", - "ImageSignature": "?", - "ImageSignatureStatus": "?", - "ImageSigned": "false", - "IntegrityLevel": "System", - "ProcessGuid": "{515cd0d1-7669-6123-4e00-000000007300}", - "ProcessId": "3276", - "ProcessThreatScore": "40", + "Hashes": "SHA1=4777B847E66E26D07CAB85361A93F6B9A1DF3E21,MD5=24A56CB3ECB97815A01514B2876A4417,SHA256=7906DCF8E5CCC7D8C0C3DA61785DE448DF554B0D0CF81BFD34DF9DEAF8962F64,IMPHASH=722ECECC50D0D02124BAB0A56989296C", + "ImageLoaded": "C:\\Windows\\System32\\drivers\\VBoxWddm.sys", + "ImageLoadedSize": "404296", "RuleName": "-", - "Services": "WinDefend", - "TargetObject": "HKCR\\CLSID\\{4DB116D1-9B24-4DFC-946B-BFE03E852002}\\InProcServer32\\ThreadingModel", - "User": "NT AUTHORITY\\SYSTEM", - "UtcTime": "2021-08-23 10:20:25.878" + "Signature": "Oracle Corporation", + "SignatureStatus": "Valid", + "Signed": "true", + "UtcTime": "2021-08-23 10:20:18.876" }, "System": { "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "DESKTOP-LJRVE06", - "EventID": 13, + "EventID": 6, "Execution": { "ProcessID": 3220, - "ThreadID": 3848 + "ThreadID": 3584 }, "Keywords": { "Name": "", 
@@ -1152,7 +1472,7 @@ "Value": 0 }, "TimeCreated": { - "SystemTime": "2022-01-12T21:53:03.813591708+01:00" + "SystemTime": "2022-01-28T09:23:37.540932958+01:00" } } } @@ -1278,14 +1598,14 @@ }, "Event": { "Detection": false, - "Hash": "005e067e84385ca5db35edf0e4f3f58f53f61117", - "ReceiptTime": "2022-01-12T20:53:04.863044468Z" + "Hash": "1f0622313301da7b49509272baa9b6a408ba0f59", + "ReceiptTime": "2022-01-28T08:23:38.553164671Z" } }, "EventData": { "CommandLine": "C:\\Windows\\system32\\svchost.exe -k appmodel -p -s StateRepository", "CurrentDirectory": "C:\\Windows\\system32\\", - "Details": "windows.backgroundTasks", + "Details": "QWORD (0x000a0000-0x00000000)", "EventType": "SetValue", "Image": "C:\\Windows\\system32\\svchost.exe", "ImageHashes": "SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69", @@ -1298,9 +1618,9 @@ "ProcessThreatScore": "0", "RuleName": "-", "Services": "StateRepository", - "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\ApplicationExtension\\Data\\5e\\Category", + "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\12\\OSMaxVersionTested", "User": "NT AUTHORITY\\SYSTEM", - "UtcTime": "2021-08-23 10:20:30.613" + "UtcTime": "2021-08-23 10:20:29.734" }, "System": { "Channel": "Microsoft-Windows-Sysmon/Operational", @@ -1331,7 +1651,7 @@ "Value": 0 }, "TimeCreated": { - "SystemTime": "2022-01-12T21:53:03.812506973+01:00" + "SystemTime": "2022-01-28T09:23:37.539998343+01:00" } } } 
@@ -1347,29 +1667,21 @@ }, "Event": { "Detection": false, - "Hash": "3a2a1147f4108ad5ff48ff2743580832436e30e2", - "ReceiptTime": "2022-01-12T20:53:04.864092987Z" + "Hash": "0be7497e56a1bb87b0e5e6869267323ac85760f8", + "ReceiptTime": "2022-01-28T08:23:38.553531418Z" } }, "EventData": { - "CommandLine": "C:\\Windows\\system32\\svchost.exe -k appmodel -p -s StateRepository", - "CurrentDirectory": "C:\\Windows\\system32\\", - "Details": "Binary Data", + "Details": "DWORD (0x00000000)", "EventType": "SetValue", - "Image": "C:\\Windows\\system32\\svchost.exe", - "ImageHashes": "SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69", - "ImageSignature": "?", - "ImageSignatureStatus": "?", - "ImageSigned": "false", - "IntegrityLevel": "System", - "ProcessGuid": "{515cd0d1-7668-6123-3c00-000000007300}", - "ProcessId": "2556", - "ProcessThreatScore": "0", + "Image": "System", + "ProcessGuid": "{515cd0d1-7662-6123-eb03-000000000000}", + "ProcessId": "4", + "ProcessThreatScore": "-1", "RuleName": "-", - "Services": "StateRepository", - "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\ApplicationExtension\\Data\\553\\_IndexKeys", - "User": "NT AUTHORITY\\SYSTEM", - "UtcTime": "2021-08-23 10:20:30.813" + "Services": "N/A", + "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\lltdio\\DriverMinorVersion", + "UtcTime": "2021-08-23 10:20:24.545" }, "System": { "Channel": "Microsoft-Windows-Sysmon/Operational", @@ -1400,7 +1712,7 @@ "Value": 0 }, "TimeCreated": { - "SystemTime": "2022-01-12T21:53:03.812507502+01:00" + "SystemTime": "2022-01-28T09:23:37.539998919+01:00" } } } 
@@ -1446,30 +1758,30 @@ "avg-signature-criticality": 0, "bounded-score": 0, "count-by-signature": { - "DefenderConfigChanged": 5, - "NewAutorun": 19, + "DefenderConfigChanged": 7, + "NewAutorun": 14, "SuspiciousService": 3, - "UnknownServices": 9, - "UntrustedDriverLoaded": 14 + "UnknownServices": 6, + "UntrustedDriverLoaded": 20 }, "count-uniq-signatures": 5, "identifier": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d", - "median-time": "2022-01-12T21:53:07.427012062+01:00", + "median-time": "2022-01-28T09:23:40.967762404+01:00", "score": 0, "signature-count": 50, "signature-criticality-metric": 0, "signature-diversity": 100, "signatures": [ + "SuspiciousService", + "DefenderConfigChanged", "UnknownServices", "UntrustedDriverLoaded", - "NewAutorun", - "DefenderConfigChanged", - "SuspiciousService" + "NewAutorun" ], - "start-time": "2022-01-12T21:53:07.425687807+01:00", + "start-time": "2022-01-28T09:23:40.966551167+01:00", "std-dev-alert-criticality": 0, "std-dev-signature-criticality": -92233720368547760, - "stop-time": "2022-01-12T21:53:07.428336317+01:00", + "stop-time": "2022-01-28T09:23:40.968973642+01:00", "sum-alert-criticality": 0, "sum-rule-criticality": 0, "tactics": null, 
@@ -1513,30 +1825,30 @@ "avg-signature-criticality": 0, "bounded-score": 0, "count-by-signature": { - "DefenderConfigChanged": 5, - "NewAutorun": 19, + "DefenderConfigChanged": 7, + "NewAutorun": 14, "SuspiciousService": 3, - "UnknownServices": 9, - "UntrustedDriverLoaded": 14 + "UnknownServices": 6, + "UntrustedDriverLoaded": 20 }, "count-uniq-signatures": 5, "identifier": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d", - "median-time": "2022-01-12T21:53:07.427012062+01:00", + "median-time": "2022-01-28T09:23:40.967762404+01:00", "score": 0, "signature-count": 50, "signature-criticality-metric": 0, "signature-diversity": 100, "signatures": [ "SuspiciousService", + "DefenderConfigChanged", "UnknownServices", "UntrustedDriverLoaded", - "NewAutorun", - "DefenderConfigChanged" + "NewAutorun" ], - "start-time": "2022-01-12T21:53:07.425687807+01:00", + "start-time": "2022-01-28T09:23:40.966551167+01:00", "std-dev-alert-criticality": 0, "std-dev-signature-criticality": -92233720368547760, - "stop-time": "2022-01-12T21:53:07.428336317+01:00", + "stop-time": "2022-01-28T09:23:40.968973642+01:00", "sum-alert-criticality": 0, "sum-rule-criticality": 0, "tactics": null, 
@@ -1622,35 +1934,35 @@ { "alert-count": 50, "alert-criticality-metric": 0, - "archived-time": "2022-01-12T21:53:08.509076604+01:00", + "archived-time": "2022-01-28T09:23:42.070026409+01:00", "avg-alert-criticality": 0, "avg-signature-criticality": 0, "bounded-score": 0, "count-by-signature": { - "DefenderConfigChanged": 5, - "NewAutorun": 19, + "DefenderConfigChanged": 7, + "NewAutorun": 14, "SuspiciousService": 3, - "UnknownServices": 9, - "UntrustedDriverLoaded": 14 + "UnknownServices": 6, + "UntrustedDriverLoaded": 20 }, "count-uniq-signatures": 5, "identifier": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d", - "median-time": "2022-01-12T21:53:07.427012062+01:00", + "median-time": "2022-01-28T09:23:40.967762404+01:00", "score": 0, "signature-count": 50, "signature-criticality-metric": 0, "signature-diversity": 100, "signatures": [ "SuspiciousService", + "DefenderConfigChanged", "UnknownServices", "UntrustedDriverLoaded", - "NewAutorun", - "DefenderConfigChanged" + "NewAutorun" ], - "start-time": "2022-01-12T21:53:07.425687807+01:00", + "start-time": "2022-01-28T09:23:40.966551167+01:00", "std-dev-alert-criticality": 0, "std-dev-signature-criticality": -92233720368547760, - "stop-time": "2022-01-12T21:53:07.428336317+01:00", + "stop-time": "2022-01-28T09:23:40.968973642+01:00", "sum-alert-criticality": 0, "sum-rule-criticality": 0, "tactics": null, @@ -1732,10 +2044,10 @@ "example": { "data": [ { - "guuid": "49d8be8c-1089-f68f-c1ad-d061359f4c07", + "guuid": "cf1d96c2-8848-c1f4-710a-2780f7c481f6", "source": "XyzTIProvider", "type": "domain", - "uuid": "dab94fac-6504-76da-14d9-bd5c2807e71d", + "uuid": "c80857ca-4015-d931-0cc5-8247cb9d0e5e", "value": "some.random.domain" } ], 
@@ -1783,8 +2095,8 @@ }, "example": [ { - "uuid": "dab94fac-6504-76da-14d9-bd5c2807e71d", - "guuid": "49d8be8c-1089-f68f-c1ad-d061359f4c07", + "uuid": "c80857ca-4015-d931-0cc5-8247cb9d0e5e", + "guuid": "cf1d96c2-8848-c1f4-710a-2780f7c481f6", "source": "XyzTIProvider", "value": "some.random.domain", "type": "domain" @@ -1802,10 +2114,10 @@ "example": { "data": [ { - "guuid": "49d8be8c-1089-f68f-c1ad-d061359f4c07", + "guuid": "cf1d96c2-8848-c1f4-710a-2780f7c481f6", "source": "XyzTIProvider", "type": "domain", - "uuid": "dab94fac-6504-76da-14d9-bd5c2807e71d", + "uuid": "c80857ca-4015-d931-0cc5-8247cb9d0e5e", "value": "some.random.domain" } ], @@ -2302,8 +2614,8 @@ "description": "", "group": "", "identifier": "TestAdminUser", - "key": "x4ezcCUtlMsmtKtS4hymPSt33EPoJOPzH5c1QvERUPY8ver76MSutiHlW1FVlKOV", - "uuid": "37897a2d-b84a-49d5-15bd-9c26591f3fd7" + "key": "M6wBoYi4iYCS9v4qaVYkkgd3KHUx5evulRowq4ncrJ7T7GkHuvg8SEmXww15laHg", + "uuid": "2e1b9db7-deef-5e3e-4314-516461c8f773" }, "error": "", "message": "OK" @@ -2346,7 +2658,7 @@ } }, "example": { - "uuid": "533e1d7f-8023-26a8-f61e-bcfd875d0def", + "uuid": "767a2f87-d6df-5ad7-460b-0426426b6bd8", "identifier": "SecondTestAdmin", "key": "ChangeMe", "group": "CSIRT", @@ -2367,7 +2679,7 @@ "group": "CSIRT", "identifier": "SecondTestAdmin", "key": "ChangeMe", - "uuid": "533e1d7f-8023-26a8-f61e-bcfd875d0def" + "uuid": "767a2f87-d6df-5ad7-460b-0426426b6bd8" }, "error": "", "message": "OK" @@ -2455,7 +2767,7 @@ "group": "SOC", "identifier": "SecondTestAdmin", "key": "NewWeakKey", - "uuid": "533e1d7f-8023-26a8-f61e-bcfd875d0def" + "uuid": "767a2f87-d6df-5ad7-460b-0426426b6bd8" }, "error": "", "message": "OK" @@ -2493,7 +2805,7 @@ "group": "SOC", "identifier": "SecondTestAdmin", "key": "NewWeakKey", - "uuid": "533e1d7f-8023-26a8-f61e-bcfd875d0def" + "uuid": "767a2f87-d6df-5ad7-460b-0426426b6bd8" }, "error": "", "message": "OK" diff --git a/go.mod b/go.mod index 88ddf2d..b2f66f1 100644 --- a/go.mod +++ b/go.mod 
@@ -2,11 +2,11 @@ module github.com/0xrawsec/whids require ( github.com/0xrawsec/gene/v2 v2.2.0 - github.com/0xrawsec/golang-etw v1.4.4 + github.com/0xrawsec/golang-etw v1.4.5 github.com/0xrawsec/golang-evtx v1.2.9 github.com/0xrawsec/golang-utils v1.3.1 github.com/0xrawsec/golang-win32 v1.0.12 - github.com/0xrawsec/sod v1.6.4 + github.com/0xrawsec/sod v1.6.7 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 github.com/google/uuid v1.3.0 github.com/gorilla/mux v1.8.0 diff --git a/go.sum b/go.sum index 7ea7e55..791520e 100644 --- a/go.sum +++ b/go.sum @@ -2,6 +2,8 @@ github.com/0xrawsec/gene/v2 v2.2.0 h1:0BcsNszFZr6moySryuB8BpAyuiMRvV+sENYH5hLMd4 github.com/0xrawsec/gene/v2 v2.2.0/go.mod h1:gpXuOpA823ZWvDU7Rn3lt3VWYibJedKXPzsm7kw0XtM= github.com/0xrawsec/golang-etw v1.4.4 h1:f9Cz6jq6s2ZNPzTtkHFSPKVeTivtK4xfQBuBWOxNYEM= github.com/0xrawsec/golang-etw v1.4.4/go.mod h1:wxqBXEEp7NYwW8OnzmY2Titl4blVZbW4cD004pkxjeo= +github.com/0xrawsec/golang-etw v1.4.5 h1:zDGh/uSyLWwUF87F7AuF5SXh9PcPfsWXifmrw7eUgE4= +github.com/0xrawsec/golang-etw v1.4.5/go.mod h1:wxqBXEEp7NYwW8OnzmY2Titl4blVZbW4cD004pkxjeo= github.com/0xrawsec/golang-evtx v1.2.9 h1:DaL2BICXf3vnCkqsPIwth1Qpfsv4+UYdZ0zTajwYqrI= github.com/0xrawsec/golang-evtx v1.2.9/go.mod h1:1dWPugn8hfETOcaZAdu70QWkeVLvT9AUUFz0j+caV00= github.com/0xrawsec/golang-utils v1.1.3/go.mod h1:DADTtCFY10qXjWmUVhhJqQIZdSweaHH4soYUDEi8mj0= 
@@ -28,6 +30,12 @@ github.com/0xrawsec/sod v1.6.3 h1:osUX753wTLEl3O5wUXturyMk0jM3Y0ATxABc4y80LSs= github.com/0xrawsec/sod v1.6.3/go.mod h1:AWB2VrKUriy5RZff2qmYkEtjcCS8NBYp0E/TUdoo+fE= github.com/0xrawsec/sod v1.6.4 h1:7Ipx1SGvvNGBnkXU+Pn+xHqt+gaK4sMg5oMfY2LhKZo= github.com/0xrawsec/sod v1.6.4/go.mod h1:AWB2VrKUriy5RZff2qmYkEtjcCS8NBYp0E/TUdoo+fE= +github.com/0xrawsec/sod v1.6.5 h1:au8Y8gz3kw8kPRZoOsGY5dSCqTJHTAG9kugNmvytf18= +github.com/0xrawsec/sod v1.6.5/go.mod h1:AWB2VrKUriy5RZff2qmYkEtjcCS8NBYp0E/TUdoo+fE= +github.com/0xrawsec/sod v1.6.6 h1:xNyyePlY7ePtOrQWqtmJMN0JgTeZf1dVjXFULE+G+WQ= +github.com/0xrawsec/sod v1.6.6/go.mod h1:AWB2VrKUriy5RZff2qmYkEtjcCS8NBYp0E/TUdoo+fE= +github.com/0xrawsec/sod v1.6.7 h1:AyCQsvw37w0rVJWenr574wvQo009LwbgfDMyJJHcHW8= +github.com/0xrawsec/sod v1.6.7/go.mod h1:AWB2VrKUriy5RZff2qmYkEtjcCS8NBYp0E/TUdoo+fE= github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=