diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index adc90d85679..5166b62ba38 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -999,6 +999,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add additional event categorization for security and sysmon modules. {pull}22988[22988] - Add dns.question.subdomain fields for sysmon DNS events. {pull}22999[22999] - Add dns.question.top_level_domain fields for sysmon DNS events. {pull}23046[23046] +- Add support for sysmon v13 events 24 and 25. {issue}24217[24217] {pull}24945[24945] *Elastic Log Driver* diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js index 372912027a5..c91649249f6 100644 --- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js +++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js @@ -349,12 +349,13 @@ var sysmon = (function () { var setRuleName = function (evt) { var ruleName = evt.Get("winlog.event_data.RuleName"); + evt.Delete("winlog.event_data.RuleName"); + if (!ruleName || ruleName === "-") { return; } evt.Put("rule.name", ruleName); - evt.Delete("winlog.event_data.RuleName"); }; var addNetworkDirection = function (evt) { 
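Review bot: The reason for moving `evt.Delete("winlog.event_data.RuleName")` ahead of the early return in setRuleName is not stated in the hunk, and a reader will wonder why the "-" placeholder is no longer kept in `winlog.event_data`. Suggest a comment above the check, such as `// Sysmon emits "-" when no rule matched; drop the raw field either way so only real rule names reach rule.name.` The golden-file hunks further down (sysmon-11-registry, sysmon-12-loadimage, sysmon-12-processcreate) only reflect this removal, so there is nothing further to raise there.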
@@ -1635,6 +1636,107 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 24 - ClipboardChange (New content in the clipboard). + var event24 = new processor.Chain() + .Add(parseUtcTime) + .AddFields({ + fields: { + type: ["change"], + }, + target: "event", + }) + .Convert({ + fields: [{ + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, + { + from: "winlog.event_data.Archived", + to: "sysmon.file.archived", + type: "boolean", + }, + { + from: "winlog.event_data.IsExecutable", + to: "sysmon.file.is_executable", + type: "boolean", + }, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setRuleName) + .Add(addUser) + .Add(splitProcessHashes) + .Add(setProcessNameUsingExe) + .Add(setAdditionalFileFieldsFromPath) + .Add(removeEmptyEventData) + .Build(); + + // Event ID 25 - ProcessTampering (Process image change). 
+ var event25 = new processor.Chain() + .Add(parseUtcTime) + .AddFields({ + fields: { + category: ["process"], + type: ["change"], + }, + target: "event", + }) + .Convert({ + fields: [{ + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, + { + from: "winlog.event_data.Archived", + to: "sysmon.file.archived", + type: "boolean", + }, + { + from: "winlog.event_data.IsExecutable", + to: "sysmon.file.is_executable", + type: "boolean", + }, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setRuleName) + .Add(addUser) + .Add(splitProcessHashes) + .Add(setProcessNameUsingExe) + .Add(setAdditionalFileFieldsFromPath) + .Add(removeEmptyEventData) + .Build(); + // Event ID 255 - Error report. var event255 = new processor.Chain() .Add(parseUtcTime) @@ -1679,6 +1781,8 @@ var sysmon = (function () { 21: event21.Run, 22: event22.Run, 23: event23.Run, + 24: event24.Run, + 25: event25.Run, 255: event255.Run, process: function (evt) { diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json index 5da24c16db5..8d4eca8c1b0 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json @@ -45,7 +45,6 @@ "event_data": { "Details": "DWORD (0x00000004)", "EventType": "SetValue", - "RuleName": "-", "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1" }, "event_id": 13, 
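Review bot: The event24 chain sets `event.type` but no `event.category`, while the otherwise identical event25 chain sets `category: ["process"]`; the new clipboardchange golden file confirms the output carries no category, which makes these events hard to select with ECS-based filters. Since both chains populate the same process.* fields, adding `category: ["process"],` to event24's AddFields block (or a comment explaining why it is deliberately omitted) would keep the two consistent. Both chains also share a byte-identical Convert field list and processor sequence, so a single shared fields array would stop the copies drifting; event25 additionally renames Archived/IsExecutable, which the processtampering golden file shows are not present on that event type — harmless under `ignore_missing: true`, but worth a comment if intended. The tampering kind (`winlog.event_data.Type`, "Image is replaced" in the golden file) is the detection-relevant detail of event 25 and is left only in raw event_data; consider mapping it to `event.action` so it survives as a normalized field. The enclosing sysmon IIFE starts and ends outside this hunk.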
@@ -104,7 +103,6 @@ "event_data": { "Details": "Binary Data", "EventType": "SetValue", - "RuleName": "-", "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA" }, "event_id": 13, @@ -169,7 +167,6 @@ "event_data": { "Details": "QWORD (0x00000000-0x00000005)", "EventType": "SetValue", - "RuleName": "-", "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2" }, "event_id": 13, @@ -228,7 +225,6 @@ "event_data": { "Details": "Binary Data", "EventType": "SetValue", - "RuleName": "-", "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr" }, "event_id": 13, @@ -287,7 +283,6 @@ "event_data": { "Details": "Binary Data", "EventType": "SetValue", - "RuleName": "-", "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA" }, "event_id": 13, diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-loadimage.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-loadimage.evtx.golden.json index e6e9a922aa3..b3b7d2bf23c 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-loadimage.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-loadimage.evtx.golden.json @@ -67,7 +67,6 @@ "Description": "Identity Store", "FileVersion": "10.0.17763.1 (WinBuild.160101.0800)", "Product": "Microsoft® Windows® Operating System", - "RuleName": "-", "Signature": "Microsoft Windows", "SignatureStatus": "Valid", "Signed": "true" 
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json index 678f5fe9fdf..fb4e980d43e 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json @@ -72,7 +72,6 @@ "LogonGuid": "{9f32b55f-6fdd-5f98-e7c9-020000000000}", "LogonId": "0x2c9e7", "Product": "Microsoft® Windows® Operating System", - "RuleName": "-", "TerminalSessionId": "1" }, "event_id": 1, diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-clipboardchange.evtx b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-clipboardchange.evtx new file mode 100644 index 00000000000..4df96a14519 Binary files /dev/null and b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-clipboardchange.evtx differ diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-clipboardchange.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-clipboardchange.evtx.golden.json new file mode 100644 index 00000000000..12f737bb25d --- /dev/null +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-clipboardchange.evtx.golden.json 
@@ -0,0 +1,63 @@ +[ + { + "@timestamp": "2021-02-25T15:04:48.592Z", + "event": { + "code": 24, + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "host": { + "name": "DESKTOP-I9CQVAQ" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{9497d8d9-aa1b-602f-a600-000000001000}", + "executable": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "hash": { + "sha256": "7adb1cf1a75973079c055f929573ae92557a8c0e5b0e38a6a5427e412fb73d59" + }, + "name": "vmtoolsd.exe", + "pid": 2144 + }, + "related": { + "hash": "7adb1cf1a75973079c055f929573ae92557a8c0e5b0e38a6a5427e412fb73d59" + }, + "sysmon": { + "file": { + "archived": true + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "DESKTOP-I9CQVAQ", + "event_data": { + "ClientInfo": "user: DESKTOP-I9CQVAQ\\luks", + "Session": "1" + }, + "event_id": 24, + "process": { + "pid": 3800, + "thread": { + "id": 6444 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 10757412, + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-processtampering.evtx b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-processtampering.evtx new file mode 100644 index 00000000000..85c84148e36 Binary files /dev/null and b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-processtampering.evtx differ diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-processtampering.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-processtampering.evtx.golden.json new file mode 100644 index 00000000000..e85f559cee8 --- /dev/null +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-processtampering.evtx.golden.json 
@@ -0,0 +1,54 @@ +[ + { + "@timestamp": "2021-02-25T14:43:23.55Z", + "event": { + "category": [ + "process" + ], + "code": 25, + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "host": { + "name": "DESKTOP-I9CQVAQ" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{9497d8d9-b78b-6037-6f13-000000001000}", + "executable": "C:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe", + "name": "git.exe", + "pid": 2628 + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "DESKTOP-I9CQVAQ", + "event_data": { + "Type": "Image is replaced" + }, + "event_id": 25, + "process": { + "pid": 3800, + "thread": { + "id": 5080 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 10737797, + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 + } + } +] \ No newline at end of file