Skip to content

Commit

Permalink
[winlogbeat] Add support for sysmon v13 events 24 and 25 (#24945)
Browse files Browse the repository at this point in the history
* Add support for sysmon v13 events 24 and 25

* Remove category mapping for event 24
  • Loading branch information
marc-gr authored Apr 14, 2021
1 parent 164bb5e commit 97e9113
Show file tree
Hide file tree
Showing 9 changed files with 223 additions and 8 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -999,6 +999,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add additional event categorization for security and sysmon modules. {pull}22988[22988]
- Add dns.question.subdomain fields for sysmon DNS events. {pull}22999[22999]
- Add dns.question.top_level_domain fields for sysmon DNS events. {pull}23046[23046]
- Add support for sysmon v13 events 24 and 25. {issue}24217[24217] {pull}24945[24945]

*Elastic Log Driver*

Expand Down
106 changes: 105 additions & 1 deletion x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
Original file line number Diff line number Diff line change
Expand Up @@ -349,12 +349,13 @@ var sysmon = (function () {

var setRuleName = function (evt) {
var ruleName = evt.Get("winlog.event_data.RuleName");
evt.Delete("winlog.event_data.RuleName");

if (!ruleName || ruleName === "-") {
return;
}

evt.Put("rule.name", ruleName);
evt.Delete("winlog.event_data.RuleName");
};

var addNetworkDirection = function (evt) {
Expand Down Expand Up @@ -1635,6 +1636,107 @@ var sysmon = (function () {
.Add(removeEmptyEventData)
.Build();

// Event ID 24 - ClipboardChange (New content in the clipboard).
var event24 = new processor.Chain()
.Add(parseUtcTime)
.AddFields({
fields: {
type: ["change"],
},
target: "event",
})
.Convert({
fields: [{
from: "winlog.event_data.UtcTime",
to: "@timestamp",
},
{
from: "winlog.event_data.ProcessGuid",
to: "process.entity_id",
},
{
from: "winlog.event_data.ProcessId",
to: "process.pid",
type: "long",
},
{
from: "winlog.event_data.Image",
to: "process.executable",
},
{
from: "winlog.event_data.Archived",
to: "sysmon.file.archived",
type: "boolean",
},
{
from: "winlog.event_data.IsExecutable",
to: "sysmon.file.is_executable",
type: "boolean",
},
],
mode: "rename",
ignore_missing: true,
fail_on_error: false,
})
.Add(setRuleName)
.Add(addUser)
.Add(splitProcessHashes)
.Add(setProcessNameUsingExe)
.Add(setAdditionalFileFieldsFromPath)
.Add(removeEmptyEventData)
.Build();

// Event ID 25 - ProcessTampering (Process image change).
var event25 = new processor.Chain()
.Add(parseUtcTime)
.AddFields({
fields: {
category: ["process"],
type: ["change"],
},
target: "event",
})
.Convert({
fields: [{
from: "winlog.event_data.UtcTime",
to: "@timestamp",
},
{
from: "winlog.event_data.ProcessGuid",
to: "process.entity_id",
},
{
from: "winlog.event_data.ProcessId",
to: "process.pid",
type: "long",
},
{
from: "winlog.event_data.Image",
to: "process.executable",
},
{
from: "winlog.event_data.Archived",
to: "sysmon.file.archived",
type: "boolean",
},
{
from: "winlog.event_data.IsExecutable",
to: "sysmon.file.is_executable",
type: "boolean",
},
],
mode: "rename",
ignore_missing: true,
fail_on_error: false,
})
.Add(setRuleName)
.Add(addUser)
.Add(splitProcessHashes)
.Add(setProcessNameUsingExe)
.Add(setAdditionalFileFieldsFromPath)
.Add(removeEmptyEventData)
.Build();

// Event ID 255 - Error report.
var event255 = new processor.Chain()
.Add(parseUtcTime)
Expand Down Expand Up @@ -1679,6 +1781,8 @@ var sysmon = (function () {
21: event21.Run,
22: event22.Run,
23: event23.Run,
24: event24.Run,
25: event25.Run,
255: event255.Run,

process: function (evt) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,6 @@
"event_data": {
"Details": "DWORD (0x00000004)",
"EventType": "SetValue",
"RuleName": "-",
"TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1"
},
"event_id": 13,
Expand Down Expand Up @@ -104,7 +103,6 @@
"event_data": {
"Details": "Binary Data",
"EventType": "SetValue",
"RuleName": "-",
"TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA"
},
"event_id": 13,
Expand Down Expand Up @@ -169,7 +167,6 @@
"event_data": {
"Details": "QWORD (0x00000000-0x00000005)",
"EventType": "SetValue",
"RuleName": "-",
"TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2"
},
"event_id": 13,
Expand Down Expand Up @@ -228,7 +225,6 @@
"event_data": {
"Details": "Binary Data",
"EventType": "SetValue",
"RuleName": "-",
"TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr"
},
"event_id": 13,
Expand Down Expand Up @@ -287,7 +283,6 @@
"event_data": {
"Details": "Binary Data",
"EventType": "SetValue",
"RuleName": "-",
"TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA"
},
"event_id": 13,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,6 @@
"Description": "Identity Store",
"FileVersion": "10.0.17763.1 (WinBuild.160101.0800)",
"Product": "Microsoft® Windows® Operating System",
"RuleName": "-",
"Signature": "Microsoft Windows",
"SignatureStatus": "Valid",
"Signed": "true"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,6 @@
"LogonGuid": "{9f32b55f-6fdd-5f98-e7c9-020000000000}",
"LogonId": "0x2c9e7",
"Product": "Microsoft® Windows® Operating System",
"RuleName": "-",
"TerminalSessionId": "1"
},
"event_id": 1,
Expand Down
Binary file not shown.
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
[
{
"@timestamp": "2021-02-25T15:04:48.592Z",
"event": {
"code": 24,
"kind": "event",
"module": "sysmon",
"provider": "Microsoft-Windows-Sysmon",
"type": [
"change"
]
},
"host": {
"name": "DESKTOP-I9CQVAQ"
},
"log": {
"level": "information"
},
"process": {
"entity_id": "{9497d8d9-aa1b-602f-a600-000000001000}",
"executable": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe",
"hash": {
"sha256": "7adb1cf1a75973079c055f929573ae92557a8c0e5b0e38a6a5427e412fb73d59"
},
"name": "vmtoolsd.exe",
"pid": 2144
},
"related": {
"hash": "7adb1cf1a75973079c055f929573ae92557a8c0e5b0e38a6a5427e412fb73d59"
},
"sysmon": {
"file": {
"archived": true
}
},
"user": {
"id": "S-1-5-18"
},
"winlog": {
"api": "wineventlog",
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer_name": "DESKTOP-I9CQVAQ",
"event_data": {
"ClientInfo": "user: DESKTOP-I9CQVAQ\\luks",
"Session": "1"
},
"event_id": 24,
"process": {
"pid": 3800,
"thread": {
"id": 6444
}
},
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"provider_name": "Microsoft-Windows-Sysmon",
"record_id": 10757412,
"user": {
"identifier": "S-1-5-18"
},
"version": 5
}
}
]
Binary file not shown.
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
[
{
"@timestamp": "2021-02-25T14:43:23.55Z",
"event": {
"category": [
"process"
],
"code": 25,
"kind": "event",
"module": "sysmon",
"provider": "Microsoft-Windows-Sysmon",
"type": [
"change"
]
},
"host": {
"name": "DESKTOP-I9CQVAQ"
},
"log": {
"level": "information"
},
"process": {
"entity_id": "{9497d8d9-b78b-6037-6f13-000000001000}",
"executable": "C:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe",
"name": "git.exe",
"pid": 2628
},
"user": {
"id": "S-1-5-18"
},
"winlog": {
"api": "wineventlog",
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer_name": "DESKTOP-I9CQVAQ",
"event_data": {
"Type": "Image is replaced"
},
"event_id": 25,
"process": {
"pid": 3800,
"thread": {
"id": 5080
}
},
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"provider_name": "Microsoft-Windows-Sysmon",
"record_id": 10737797,
"user": {
"identifier": "S-1-5-18"
},
"version": 5
}
}
]

0 comments on commit 97e9113

Please sign in to comment.