fix 0xrawsec#114: Consider adding TargetImageProtected flag to ProcessAccess events
qjerome committed Jun 3, 2022
1 parent 4f7365d commit 6b6a327
Showing 9 changed files with 377 additions and 420 deletions.
4 changes: 2 additions & 2 deletions .github/coverage/coverage.txt
Expand Up @@ -19,7 +19,7 @@ github.com/0xrawsec/whids/api/api_client.go:414: IsFileAboveUploadLimit 0.0%
github.com/0xrawsec/whids/api/api_client.go:425: PostDump 65.0%
github.com/0xrawsec/whids/api/api_client.go:461: PostLogs 68.8%
github.com/0xrawsec/whids/api/api_client.go:493: PostCommand 76.5%
github.com/0xrawsec/whids/api/api_client.go:527: FetchCommand 68.4%
github.com/0xrawsec/whids/api/api_client.go:527: FetchCommand 73.7%
github.com/0xrawsec/whids/api/api_client.go:566: PostSystemInfo 61.5%
github.com/0xrawsec/whids/api/api_client.go:591: GetSysmonConfigSha256 82.4%
github.com/0xrawsec/whids/api/api_client.go:623: GetSysmonConfig 83.3%
Expand Down Expand Up @@ -132,7 +132,7 @@ github.com/0xrawsec/whids/api/manager_admin_api.go:1443: admAPIStreamEvents 71.
github.com/0xrawsec/whids/api/manager_admin_api.go:1466: admAPIStreamDetections 0.0%
github.com/0xrawsec/whids/api/manager_admin_api.go:1491: runAdminAPI 87.5%
github.com/0xrawsec/whids/api/manager_endpoint_api.go:31: eptAPIMutEndpointFromRequest 75.0%
github.com/0xrawsec/whids/api/manager_endpoint_api.go:41: endpointAuthorizationMiddleware 82.6%
github.com/0xrawsec/whids/api/manager_endpoint_api.go:41: endpointAuthorizationMiddleware 73.9%
github.com/0xrawsec/whids/api/manager_endpoint_api.go:84: isVerboseURL 100.0%
github.com/0xrawsec/whids/api/manager_endpoint_api.go:93: endptLogHTTPMiddleware 0.0%
github.com/0xrawsec/whids/api/manager_endpoint_api.go:101: endptQuietLogHTTPMiddleware 100.0%
291 changes: 131 additions & 160 deletions api/openapi_def.go

Large diffs are not rendered by default.

291 changes: 131 additions & 160 deletions doc/admin.openapi.json

Large diffs are not rendered by default.

6 changes: 4 additions & 2 deletions go.mod
Expand Up @@ -6,7 +6,7 @@ require (
github.com/0xrawsec/golang-etw v1.4.5
github.com/0xrawsec/golang-evtx v1.2.9
github.com/0xrawsec/golang-utils v1.3.2
github.com/0xrawsec/golang-win32 v1.0.13
github.com/0xrawsec/golang-win32 v1.0.14
github.com/0xrawsec/sod v1.9.10
github.com/0xrawsec/toast v1.2.3
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
Expand All @@ -17,4 +17,6 @@ require (
golang.org/x/sys v0.0.0-20190909082730-f460065e899a
)

go 1.13
require golang.org/x/tools v0.0.0-20190625160430-252024b82959 // indirect

go 1.18
34 changes: 2 additions & 32 deletions go.sum
@@ -1,7 +1,5 @@
github.com/0xrawsec/crony v1.0.1 h1:DpkkcuvFYEgHyrm0CxeVYPxsRmEO2qX043s3SDTHaH8=
github.com/0xrawsec/crony v1.0.1/go.mod h1:4MUBMHBeM5HKSUIDXYU7nkmny/pUBHXqg5ZXXC9coe0=
github.com/0xrawsec/gene/v2 v2.2.0 h1:0BcsNszFZr6moySryuB8BpAyuiMRvV+sENYH5hLMd4w=
github.com/0xrawsec/gene/v2 v2.2.0/go.mod h1:gpXuOpA823ZWvDU7Rn3lt3VWYibJedKXPzsm7kw0XtM=
github.com/0xrawsec/gene/v2 v2.3.0 h1:AuScsQ/PlD8DwPzIaJmRuhDB1SgGnKZaKBB95mih0Sc=
github.com/0xrawsec/gene/v2 v2.3.0/go.mod h1:Ns5p9jwmvCAAmzIBSMOL5hhMIlszxTXqVxBdJU/jm/w=
github.com/0xrawsec/golang-etw v1.4.5 h1:zDGh/uSyLWwUF87F7AuF5SXh9PcPfsWXifmrw7eUgE4=
Expand All @@ -10,42 +8,14 @@ github.com/0xrawsec/golang-evtx v1.2.9 h1:DaL2BICXf3vnCkqsPIwth1Qpfsv4+UYdZ0zTaj
github.com/0xrawsec/golang-evtx v1.2.9/go.mod h1:1dWPugn8hfETOcaZAdu70QWkeVLvT9AUUFz0j+caV00=
github.com/0xrawsec/golang-utils v1.1.3/go.mod h1:DADTtCFY10qXjWmUVhhJqQIZdSweaHH4soYUDEi8mj0=
github.com/0xrawsec/golang-utils v1.3.0/go.mod h1:DADTtCFY10qXjWmUVhhJqQIZdSweaHH4soYUDEi8mj0=
github.com/0xrawsec/golang-utils v1.3.1 h1:jjiBzsxzcQPkmEV5KONJY4OnCoqTTW1eQMJcpSdk3hw=
github.com/0xrawsec/golang-utils v1.3.1/go.mod h1:DADTtCFY10qXjWmUVhhJqQIZdSweaHH4soYUDEi8mj0=
github.com/0xrawsec/golang-utils v1.3.2 h1:ww4jrtHRSnX9xrGzJYbalx5nXoZewy4zPxiY+ubJgtg=
github.com/0xrawsec/golang-utils v1.3.2/go.mod h1:m7AzHXgdSAkFCD9tWWsApxNVxMlyy7anpPVOyT/yM7E=
github.com/0xrawsec/golang-win32 v1.0.6/go.mod h1:MAxVU7dr8lujwknuhf4TwjYm8tVEELi2zwx1zDTu/RM=
github.com/0xrawsec/golang-win32 v1.0.12 h1:n7KxFvO2cMr9MrXMlt+F54kLHcQBp0bBjR0wegb+h7Y=
github.com/0xrawsec/golang-win32 v1.0.12/go.mod h1:LDGq8VzCwLZccK1qg7oKBc8n5DmPLi79w+wjew1UApg=
github.com/0xrawsec/golang-win32 v1.0.13 h1:vbRW6CIlsgNCZ8tSm+jfo+zDexrXH2dVJuV9rpzkMVM=
github.com/0xrawsec/golang-win32 v1.0.13/go.mod h1:LDGq8VzCwLZccK1qg7oKBc8n5DmPLi79w+wjew1UApg=
github.com/0xrawsec/sod v1.6.9 h1:6fqhbXkL6X3S1fssBiaanxTiZxjKCWacNVP5awrQDNY=
github.com/0xrawsec/sod v1.6.9/go.mod h1:AWB2VrKUriy5RZff2qmYkEtjcCS8NBYp0E/TUdoo+fE=
github.com/0xrawsec/sod v1.8.0 h1:YxKju2uYBq69nQZL5JgWsmPMxy7BViRAC5WNxRPzG5A=
github.com/0xrawsec/sod v1.8.0/go.mod h1:cLYvDtPgWh6FtFfIdCpoPj+zm/fJuA2Lh9Su7PjALDU=
github.com/0xrawsec/sod v1.9.0 h1:aFFW/5LKi13fFgw8z++1sYrlwFo5LLQvRWQRk8qMrVs=
github.com/0xrawsec/sod v1.9.0/go.mod h1:cLYvDtPgWh6FtFfIdCpoPj+zm/fJuA2Lh9Su7PjALDU=
github.com/0xrawsec/sod v1.9.1 h1:vEWpZ8GMdO8LpFYHYVfj72UDC8TUsP8x0Ho7W6B04Ds=
github.com/0xrawsec/sod v1.9.1/go.mod h1:cLYvDtPgWh6FtFfIdCpoPj+zm/fJuA2Lh9Su7PjALDU=
github.com/0xrawsec/sod v1.9.2 h1:3cq2ijKGobcS4VxeJGEAy27EQoyQ3jvpU/DLn7LM1UY=
github.com/0xrawsec/sod v1.9.2/go.mod h1:cLYvDtPgWh6FtFfIdCpoPj+zm/fJuA2Lh9Su7PjALDU=
github.com/0xrawsec/sod v1.9.3 h1:hB6peqrbwjPdF8tkz+Zdtqm8nO2f9NlTBHolsQIQMJg=
github.com/0xrawsec/sod v1.9.3/go.mod h1:cLYvDtPgWh6FtFfIdCpoPj+zm/fJuA2Lh9Su7PjALDU=
github.com/0xrawsec/sod v1.9.4 h1:fVRaG7yY3OX6AnOFWrZtaiZPSng2DPDZMjMCV9+QzNw=
github.com/0xrawsec/sod v1.9.4/go.mod h1:cLYvDtPgWh6FtFfIdCpoPj+zm/fJuA2Lh9Su7PjALDU=
github.com/0xrawsec/sod v1.9.5 h1:t3KJwUWij/MBSuf8SxsHr6YpszSaqKmEGmT/IF9xLT4=
github.com/0xrawsec/sod v1.9.5/go.mod h1:cLYvDtPgWh6FtFfIdCpoPj+zm/fJuA2Lh9Su7PjALDU=
github.com/0xrawsec/sod v1.9.7 h1:c2ax/Nd5EvCJSZNX6fG1bCfXMSupFZm6FwUaWMH7Q2k=
github.com/0xrawsec/sod v1.9.7/go.mod h1:N1cEdcsJxJZ6F7dPK0vpEQ+NdBO8uKS3CFPJyOmEK5E=
github.com/0xrawsec/sod v1.9.8 h1:AZ2h2mTlUDg1nmsvUJ47RKgitFvrzYvvIUrd/oy+fds=
github.com/0xrawsec/sod v1.9.8/go.mod h1:N1cEdcsJxJZ6F7dPK0vpEQ+NdBO8uKS3CFPJyOmEK5E=
github.com/0xrawsec/sod v1.9.9 h1:T0tkz2OStf7wugEENGeFkQVgzhHs10KxfKnuRGkb7rM=
github.com/0xrawsec/sod v1.9.9/go.mod h1:N1cEdcsJxJZ6F7dPK0vpEQ+NdBO8uKS3CFPJyOmEK5E=
github.com/0xrawsec/golang-win32 v1.0.14 h1:Lj45Cd7qnhCbtnrNCBI3twefRVh759q/rDXrutxQQOo=
github.com/0xrawsec/golang-win32 v1.0.14/go.mod h1:LDGq8VzCwLZccK1qg7oKBc8n5DmPLi79w+wjew1UApg=
github.com/0xrawsec/sod v1.9.10 h1:XoSdy7AEEMCjN+3weHBvstotjaDg1hhtgxtbdC+4jO4=
github.com/0xrawsec/sod v1.9.10/go.mod h1:N1cEdcsJxJZ6F7dPK0vpEQ+NdBO8uKS3CFPJyOmEK5E=
github.com/0xrawsec/toast v1.1.1/go.mod h1:sRvfNYxqVoH1sZnE18s9Knm/lkbarTGNvaNVBf2/h1k=
github.com/0xrawsec/toast v1.2.1 h1:askdLfoz1KByjnY1n+GGNocoStHetcscMFoBqLBlVlI=
github.com/0xrawsec/toast v1.2.1/go.mod h1:sRvfNYxqVoH1sZnE18s9Knm/lkbarTGNvaNVBf2/h1k=
github.com/0xrawsec/toast v1.2.3 h1:nTs5NyAdmSoDfxlYjMVMYb9wj3C/MFpnoIoQBPUsHXg=
github.com/0xrawsec/toast v1.2.3/go.mod h1:sRvfNYxqVoH1sZnE18s9Knm/lkbarTGNvaNVBf2/h1k=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
124 changes: 72 additions & 52 deletions hids/hookdefs.go
Expand Up @@ -25,7 +25,8 @@ import (

const (
// Empty GUID
nullGUID = "{00000000-0000-0000-0000-000000000000}"
nullGUID = "{00000000-0000-0000-0000-000000000000}"
unkFieldValue = "?"
)

var (
Expand Down Expand Up @@ -60,8 +61,8 @@ func hookSetImageSize(h *HIDS, e *event.EdrEvent) {
}

func hookImageLoad(h *HIDS, e *event.EdrEvent) {
e.Set(pathImageLoadParentImage, "?")
e.Set(pathImageLoadParentCommandLine, "?")
e.Set(pathImageLoadParentImage, unkFieldValue)
e.Set(pathImageLoadParentCommandLine, unkFieldValue)
if guid, ok := e.GetString(pathSysmonProcessGUID); ok {
if track := h.tracker.GetByGuid(guid); !track.IsZero() {
// we get a module info from cache or we update
Expand Down Expand Up @@ -135,12 +136,18 @@ func hookTrack(h *HIDS, e *event.EdrEvent) {
track.IntegrityLevel = il
track.SetHashes(hashes)

// Getting process protection level first
if pl, err := kernel32.GetProcessProtectionLevel(uint32(pid)); err == nil {
track.ProtectionLevel = uint32(pl)
}

if parent := h.tracker.GetByGuid(pguid); !parent.IsZero() {
track.Ancestors = append(parent.Ancestors, parent.Image)
track.ParentUser = parent.User
track.ParentIntegrityLevel = parent.IntegrityLevel
track.ParentServices = parent.Services
track.ParentCurrentDirectory = parent.CurrentDirectory
track.ParentProtectionLevel = parent.ProtectionLevel
} else {
// For processes created by System
if pimage, ok := e.GetString(pathSysmonParentImage); ok {
Expand All @@ -157,6 +164,8 @@ func hookTrack(h *HIDS, e *event.EdrEvent) {

h.tracker.Add(track)
e.SetIfMissing(pathAncestors, strings.Join(track.Ancestors, "|"))
e.SetIfMissing(pathProtectionLevel, fmt.Sprintf("0x%x", track.ProtectionLevel))
e.SetIfMissing(pathParentProtectionLevel, fmt.Sprintf("0x%x", track.ParentProtectionLevel))
if track.ParentUser != "" {
e.SetIfMissing(pathParentUser, track.ParentUser)
}
Expand All @@ -180,10 +189,10 @@ func hookTrack(h *HIDS, e *event.EdrEvent) {
}

// Default values
e.SetIfMissing(pathAncestors, "?")
e.SetIfMissing(pathParentUser, "?")
e.SetIfMissing(pathParentIntegrityLevel, "?")
e.SetIfMissing(pathParentServices, "?")
e.SetIfMissing(pathAncestors, unkFieldValue)
e.SetIfMissing(pathParentUser, unkFieldValue)
e.SetIfMissing(pathParentIntegrityLevel, unkFieldValue)
e.SetIfMissing(pathParentServices, unkFieldValue)

case SysmonDriverLoad:
d := DriverInfoFromEvent(e)
Expand Down Expand Up @@ -229,9 +238,9 @@ func hookStats(h *HIDS, e *event.EdrEvent) {
now := time.Now()

// Set new fields
e.Set(pathFileCount, "?")
e.Set(pathFileCountByExt, "?")
e.Set(pathFileExtension, "?")
e.Set(pathFileCount, unkFieldValue)
e.Set(pathFileCountByExt, unkFieldValue)
e.Set(pathFileExtension, unkFieldValue)

if pt.Stats.Files.TimeFirstFileCreated.IsZero() {
pt.Stats.Files.TimeFirstFileCreated = now
Expand Down Expand Up @@ -263,9 +272,9 @@ func hookStats(h *HIDS, e *event.EdrEvent) {
now := time.Now()

// Set new fields
e.Set(pathFileCount, "?")
e.Set(pathFileCountByExt, "?")
e.Set(pathFileExtension, "?")
e.Set(pathFileCount, unkFieldValue)
e.Set(pathFileCountByExt, unkFieldValue)
e.Set(pathFileExtension, unkFieldValue)

if pt.Stats.Files.TimeFirstFileDeleted.IsZero() {
pt.Stats.Files.TimeFirstFileDeleted = now
Expand Down Expand Up @@ -373,10 +382,10 @@ func hookSelfGUID(h *HIDS, e *event.EdrEvent) {
}

func hookFileSystemAudit(h *HIDS, e *event.EdrEvent) {
e.Set(pathSysmonCommandLine, "?")
e.Set(pathSysmonCommandLine, unkFieldValue)
e.Set(pathSysmonProcessGUID, nullGUID)
e.Set(pathSysmonImage, "?")
e.Set(pathImageHashes, "?")
e.Set(pathSysmonImage, unkFieldValue)
e.Set(pathImageHashes, unkFieldValue)
if pid, ok := e.GetInt(pathFSAuditProcessId); ok {
if pt := h.tracker.GetByPID(pid); !pt.IsZero() {

Expand Down Expand Up @@ -462,8 +471,8 @@ func hookEnrichServices(h *HIDS, e *event.EdrEvent) {
// Nothing to do
break
case SysmonCreateRemoteThread, SysmonAccessProcess:
e.Set(pathSourceServices, "?")
e.Set(pathTargetServices, "?")
e.Set(pathSourceServices, unkFieldValue)
e.Set(pathTargetServices, unkFieldValue)

sguidPath := pathSysmonSourceProcessGUID
tguidPath := pathSysmonTargetProcessGUID
Expand Down Expand Up @@ -507,7 +516,7 @@ func hookEnrichServices(h *HIDS, e *event.EdrEvent) {
}
}
default:
e.Set(pathServices, "?")
e.Set(pathServices, unkFieldValue)
// image, guid and pid are supposed to be available for all the remaining Sysmon logs
if guid, ok := e.GetString(pathSysmonProcessGUID); ok {
if pid, ok := e.GetInt(pathSysmonProcessId); ok {
Expand Down Expand Up @@ -591,6 +600,9 @@ func hookEnrichAnySysmon(h *HIDS, e *event.EdrEvent) {
e.SetIfMissing(pathSourceHashes, strack.hashes)
}

// Source Protection level
e.SetIfMissing(pathSourceProtectionLevel, toHex(strack.ProtectionLevel))

// Source process score
e.Set(pathSrcProcessGeneScore, toString(strack.ThreatScore.Score))
}
Expand All @@ -609,21 +621,26 @@ func hookEnrichAnySysmon(h *HIDS, e *event.EdrEvent) {
if ttrack.hashes != "" {
e.SetIfMissing(pathTargetHashes, ttrack.hashes)
}

e.SetIfMissing(pathTargetProtectionLevel, toHex(ttrack.ProtectionLevel))

// Target process score
e.Set(pathTgtProcessGeneScore, toString(ttrack.ThreatScore.Score))
}

// Default Values for fields
e.SetIfMissing(pathSourceUser, "?")
e.SetIfMissing(pathSourceIntegrityLevel, "?")
e.SetIfMissing(pathTargetUser, "?")
e.SetIfMissing(pathTargetIntegrityLevel, "?")
e.SetIfMissing(pathTargetParentProcessGuid, "?")
e.SetIfMissing(pathSourceHashes, "?")
e.SetIfMissing(pathTargetHashes, "?")
}
}

// Default Values for fields
e.SetIfMissing(pathSourceUser, unkFieldValue)
e.SetIfMissing(pathSourceIntegrityLevel, unkFieldValue)
e.SetIfMissing(pathTargetUser, unkFieldValue)
e.SetIfMissing(pathTargetIntegrityLevel, unkFieldValue)
e.SetIfMissing(pathTargetParentProcessGuid, unkFieldValue)
e.SetIfMissing(pathSourceHashes, unkFieldValue)
e.SetIfMissing(pathTargetHashes, unkFieldValue)
e.SetIfMissing(pathSourceProtectionLevel, toHex(ZeroProtectionLevel))
e.SetIfMissing(pathTargetProtectionLevel, toHex(ZeroProtectionLevel))

// should be missing
e.SetIfMissing(pathSrcProcessGeneScore, "-1")
e.SetIfMissing(pathTgtProcessGeneScore, "-1")
Expand All @@ -633,60 +650,63 @@ func hookEnrichAnySysmon(h *HIDS, e *event.EdrEvent) {
/* Any other event than CreateRemoteThread and ProcessAccess*/
if guid, ok := e.GetString(pathSysmonProcessGUID); ok {

// Setting GeneScore only if we can identify process by its GUID
// Default value
e.Set(pathProcessGeneScore, "-1")

if track := h.tracker.GetByGuid(guid); !track.IsZero() {

// setting CommandLine field
if track.CommandLine != "" {
e.SetIfMissing(pathSysmonCommandLine, track.CommandLine)
}
// default value set only if missing
e.SetIfMissing(pathSysmonCommandLine, "?")

// setting User field
if track.User != "" {
e.SetIfMissing(pathSysmonUser, track.User)
}
// default value set only if missing
e.SetIfMissing(pathSysmonUser, "?")

// setting IntegrityLevel
if track.IntegrityLevel != "" {
e.SetIfMissing(pathSysmonIntegrityLevel, track.IntegrityLevel)
}
// default value set only if missing
e.SetIfMissing(pathSysmonIntegrityLevel, "?")

// setting CurrentDirectory
if track.CurrentDirectory != "" {
e.SetIfMissing(pathSysmonCurrentDirectory, track.CurrentDirectory)
}
// default value set only if missing
e.SetIfMissing(pathSysmonCurrentDirectory, "?")

// event never has ImageHashes field since it is not Sysmon standard
if track.hashes != "" {
e.Set(pathImageHashes, track.hashes)
}
e.SetIfMissing(pathImageHashes, "?")

// Signature information
e.SetIfMissing(pathImageSigned, toString(track.Signed))
e.SetIfMissing(pathImageSignature, track.Signature)
e.SetIfMissing(pathImageSignatureStatus, track.SignatureStatus)

// Protection level
e.SetIfMissing(pathProtectionLevel, toHex(track.ProtectionLevel))

// Overal criticality score
e.Set(pathProcessGeneScore, toString(track.ThreatScore.Score))
}

// Setting GeneScore only if we can identify process by its GUID
// Default values
e.Set(pathProcessGeneScore, "-1")
e.SetIfMissing(pathSysmonCommandLine, unkFieldValue)
e.SetIfMissing(pathSysmonUser, unkFieldValue)
e.SetIfMissing(pathSysmonIntegrityLevel, unkFieldValue)
e.SetIfMissing(pathSysmonCurrentDirectory, unkFieldValue)
e.SetIfMissing(pathImageHashes, unkFieldValue)
e.SetIfMissing(pathImageSigned, unkFieldValue)
e.SetIfMissing(pathImageSignature, unkFieldValue)
e.SetIfMissing(pathImageSignatureStatus, unkFieldValue)
e.SetIfMissing(pathProtectionLevel, toHex(ZeroProtectionLevel))
}
}
}

func hookClipboardEvents(h *HIDS, e *event.EdrEvent) {
e.Set(pathSysmonClipboardData, "?")
e.Set(pathSysmonClipboardData, unkFieldValue)
if hashes, ok := e.GetString(pathSysmonHashes); ok {
fname := fmt.Sprintf("CLIP-%s", sysmonArcFileRe.ReplaceAllString(hashes, ""))
path := filepath.Join(h.config.Sysmon.ArchiveDirectory, fname)
Expand All @@ -713,7 +733,7 @@ var (
)

func hookKernelFiles(h *HIDS, e *event.EdrEvent) {
fileName := "?"
fileName := unkFieldValue

// Enrich all events with Sysmon Info
pt := h.tracker.GetByPID(int64(e.Event.System.Execution.ProcessID))
Expand Down Expand Up @@ -762,18 +782,18 @@ func hookKernelFiles(h *HIDS, e *event.EdrEvent) {

if !e.IsSkipped() {
// We enrich event with other data
e.SetIfOr(pathSysmonProcessGUID, pt.ProcessGUID, !pt.IsZero(), "?")
e.SetIfOr(pathSysmonImage, pt.Image, !pt.IsZero(), "?")
e.SetIfOr(pathSysmonCommandLine, pt.CommandLine, !pt.IsZero(), "?")
e.SetIfOr(pathSysmonProcessGUID, pt.ProcessGUID, !pt.IsZero(), unkFieldValue)
e.SetIfOr(pathSysmonImage, pt.Image, !pt.IsZero(), unkFieldValue)
e.SetIfOr(pathSysmonCommandLine, pt.CommandLine, !pt.IsZero(), unkFieldValue)
// put hashes in ImageHashes field to avoid confusion in analyst's mind
// not to think it is file content hashes
e.SetIfOr(pathImageHashes, pt.hashes, !pt.IsZero(), "?")
e.SetIfOr(pathImageHashes, pt.hashes, !pt.IsZero(), unkFieldValue)
e.SetIfOr(pathSysmonProcessId, toString(pt.PID), !pt.IsZero(), toString(-1))
e.SetIfOr(pathSysmonIntegrityLevel, pt.IntegrityLevel, !pt.IsZero(), "?")
e.SetIfOr(pathSysmonUser, pt.User, !pt.IsZero(), "?")
e.SetIfOr(pathServices, pt.Services, !pt.IsZero(), "?")
e.SetIfOr(pathImageSignature, pt.Signature, !pt.IsZero(), "?")
e.SetIfOr(pathImageSignatureStatus, pt.SignatureStatus, !pt.IsZero(), "?")
e.SetIfOr(pathSysmonIntegrityLevel, pt.IntegrityLevel, !pt.IsZero(), unkFieldValue)
e.SetIfOr(pathSysmonUser, pt.User, !pt.IsZero(), unkFieldValue)
e.SetIfOr(pathServices, pt.Services, !pt.IsZero(), unkFieldValue)
e.SetIfOr(pathImageSignature, pt.Signature, !pt.IsZero(), unkFieldValue)
e.SetIfOr(pathImageSignatureStatus, pt.SignatureStatus, !pt.IsZero(), unkFieldValue)
e.Set(pathSysmonEventType, KernelFileOperations[e.EventID()])
}
}
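Review bot: In the last hunk of hookEnrichAnySysmon, `e.Set(pathProcessGeneScore, "-1")` now sits in the trailing defaults block, after the `if track := h.tracker.GetByGuid(guid); !track.IsZero()` body has already written the real score with `e.Set(pathProcessGeneScore, toString(track.ThreatScore.Score))`; assuming `e.Set` overwrites (the separate `SetIfMissing` suggests it does), every tracked process is then reported with a score of -1 and any rule or dashboard keyed on that field is silently blinded. The side assignment is inferred from the duplicated "Setting GeneScore only if we can identify process by its GUID" comment, which appears both above the `if` and in the new defaults block, so please confirm which copy survives. If the line was indeed moved, either put it back above the `if` or change it to `e.SetIfMissing(pathProcessGeneScore, "-1")` like its neighbours. Separately, in hookTrack (its body starts outside the hunk) the error from `kernel32.GetProcessProtectionLevel` is dropped, so a failed lookup (rights, or a process that already exited) is emitted as `0x0`, indistinguishable from a genuinely unprotected process; logging that error with the file's existing logger and writing the field with `toHex(track.ProtectionLevel)` instead of `fmt.Sprintf("0x%x", …)` would keep the new ProtectionLevel fields honest and consistent with the rest of the commit.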
10 changes: 9 additions & 1 deletion hids/hookutils.go
Expand Up @@ -11,10 +11,18 @@ import (
"github.com/0xrawsec/whids/event"
)

func toString(i interface{}) string {
func toString(i any) string {
return fmt.Sprintf("%v", i)
}

func toHex(i any) string {
switch i.(type) {
case int, uint, int8, int16, int32, int64, uint8, uint16, uint32, uint64:
return fmt.Sprintf("0x%x", i)
}
return "cannot format to hex"
}

func terminate(pid int) error {
// prevents from terminating our own process
if os.Getpid() != pid {
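Review bot: `toHex` takes `any` and falls back to returning the literal string "cannot format to hex" for any type outside its integer switch, so passing the wrong type is only visible at runtime as that text inside an emitted event field rather than as a build failure. Because this same commit raises go.mod to 1.18, a type parameter with an integer constraint gives identical formatting for every integer kind while rejecting anything else at compile time, and the unreachable fallback branch disappears; the `~` forms are needed if `ProtectionLevel` or `ZeroProtectionLevel` turn out to be named integer types (not visible here, please confirm). The existing calls `toHex(strack.ProtectionLevel)` and `toHex(ZeroProtectionLevel)` keep working unchanged as long as both have an integer underlying type.
```go
// integer is the set of built-in integer kinds accepted by toHex,
// including named types whose underlying type is one of them.
type integer interface {
	~int | ~int8 | ~int16 | ~int32 | ~int64 |
		~uint | ~uint8 | ~uint16 | ~uint32 | ~uint64
}

// toHex formats an integer value as 0x-prefixed lowercase hexadecimal.
func toHex[T integer](i T) string {
	return fmt.Sprintf("0x%x", i)
}
```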
