From 97e9113455ed2adde596d11adbed400fdaab2ad1 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Wed, 14 Apr 2021 10:51:28 +0200 Subject: [PATCH] [winlogbeat] Add support for sysmon v13 events 24 and 25 (#24945) * Add support for sysmon v13 events 24 and 25 * Remove category mapping for event 24 --- CHANGELOG.next.asciidoc | 1 + .../module/sysmon/config/winlogbeat-sysmon.js | 106 +++++++++++++++++- .../sysmon-11-registry.evtx.golden.json | 5 - .../sysmon-12-loadimage.evtx.golden.json | 1 - .../sysmon-12-processcreate.evtx.golden.json | 1 - .../testdata/sysmon-13-clipboardchange.evtx | Bin 0 -> 69632 bytes ...sysmon-13-clipboardchange.evtx.golden.json | 63 +++++++++++ .../testdata/sysmon-13-processtampering.evtx | Bin 0 -> 69632 bytes ...ysmon-13-processtampering.evtx.golden.json | 54 +++++++++ 9 files changed, 223 insertions(+), 8 deletions(-) create mode 100644 x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-clipboardchange.evtx create mode 100644 x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-clipboardchange.evtx.golden.json create mode 100644 x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-processtampering.evtx create mode 100644 x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-processtampering.evtx.golden.json diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index adc90d85679..5166b62ba38 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -999,6 +999,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add additional event categorization for security and sysmon modules. {pull}22988[22988] - Add dns.question.subdomain fields for sysmon DNS events. {pull}22999[22999] - Add dns.question.top_level_domain fields for sysmon DNS events. {pull}23046[23046] +- Add support for sysmon v13 events 24 and 25. {issue}24217[24217] {pull}24945[24945] *Elastic Log Driver* 
diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js index 372912027a5..c91649249f6 100644 --- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js +++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js @@ -349,12 +349,13 @@ var sysmon = (function () { var setRuleName = function (evt) { var ruleName = evt.Get("winlog.event_data.RuleName"); + evt.Delete("winlog.event_data.RuleName"); + if (!ruleName || ruleName === "-") { return; } evt.Put("rule.name", ruleName); - evt.Delete("winlog.event_data.RuleName"); }; var addNetworkDirection = function (evt) { 
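Review bot: `setRuleName` now deletes `winlog.event_data.RuleName` before the placeholder check, so the `"-"` value is stripped from the event even though `rule.name` is never set in that case — that is what the `"RuleName": "-"` deletions in the golden files further down rely on, but nothing in the function says the drop is deliberate for the placeholder. Add `// Sysmon writes "-" when no rule matched; drop the raw field either way so only real names reach rule.name.` above the moved `evt.Delete`. The whole body of `setRuleName` is visible in the hunk, so the note covers the function as a unit.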
@@ -1635,6 +1636,107 @@ var sysmon = (function () {
 .Add(removeEmptyEventData)
 .Build();
 
+ // Event ID 24 - ClipboardChange (New content in the clipboard).
+ var event24 = new processor.Chain()
+ .Add(parseUtcTime)
+ .AddFields({
+ fields: {
+ type: ["change"],
+ },
+ target: "event",
+ })
+ .Convert({
+ fields: [{
+ from: "winlog.event_data.UtcTime",
+ to: "@timestamp",
+ },
+ {
+ from: "winlog.event_data.ProcessGuid",
+ to: "process.entity_id",
+ },
+ {
+ from: "winlog.event_data.ProcessId",
+ to: "process.pid",
+ type: "long",
+ },
+ {
+ from: "winlog.event_data.Image",
+ to: "process.executable",
+ },
+ {
+ from: "winlog.event_data.Archived",
+ to: "sysmon.file.archived",
+ type: "boolean",
+ },
+ {
+ from: "winlog.event_data.IsExecutable",
+ to: "sysmon.file.is_executable",
+ type: "boolean",
+ },
+ ],
+ mode: "rename",
+ ignore_missing: true,
+ fail_on_error: false,
+ })
+ .Add(setRuleName)
+ .Add(addUser)
+ .Add(splitProcessHashes)
+ .Add(setProcessNameUsingExe)
+ .Add(setAdditionalFileFieldsFromPath)
+ .Add(removeEmptyEventData)
+ .Build();
+
+ // Event ID 25 - ProcessTampering (Process image change).
+ var event25 = new processor.Chain()
+ .Add(parseUtcTime)
+ .AddFields({
+ fields: {
+ category: ["process"],
+ type: ["change"],
+ },
+ target: "event",
+ })
+ .Convert({
+ fields: [{
+ from: "winlog.event_data.UtcTime",
+ to: "@timestamp",
+ },
+ {
+ from: "winlog.event_data.ProcessGuid",
+ to: "process.entity_id",
+ },
+ {
+ from: "winlog.event_data.ProcessId",
+ to: "process.pid",
+ type: "long",
+ },
+ {
+ from: "winlog.event_data.Image",
+ to: "process.executable",
+ },
+ {
+ from: "winlog.event_data.Archived",
+ to: "sysmon.file.archived",
+ type: "boolean",
+ },
+ {
+ from: "winlog.event_data.IsExecutable",
+ to: "sysmon.file.is_executable",
+ type: "boolean",
+ },
+ ],
+ mode: "rename",
+ ignore_missing: true,
+ fail_on_error: false,
+ })
+ .Add(setRuleName)
+ .Add(addUser)
+ .Add(splitProcessHashes)
+ .Add(setProcessNameUsingExe)
+ .Add(setAdditionalFileFieldsFromPath)
+ .Add(removeEmptyEventData)
+ .Build();
+
 // Event ID 255 - Error report.
 var event255 = new processor.Chain()
 .Add(parseUtcTime)
@@ -1679,6 +1781,8 @@ var sysmon = (function () {
 21: event21.Run,
 22: event22.Run,
 23: event23.Run,
+ 24: event24.Run,
+ 25: event25.Run,
 255: event255.Run,
 
 process: function (evt) {
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json
index 5da24c16db5..8d4eca8c1b0 100644
--- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json
@@ -45,7 +45,6 @@
 "event_data": {
 "Details": "DWORD (0x00000004)",
 "EventType": "SetValue",
- "RuleName": "-",
 "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1"
 },
 "event_id": 13,
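Review bot: The event25 chain never maps `winlog.event_data.Type`, so the tampering kind is left in the raw event_data — the new golden file at the end of this patch shows `"Type": "Image is replaced"` sitting there while nothing under `process.*` or `sysmon.*` distinguishes the tampering variants, and any detection rule has to key on the raw field. If no ECS or sysmon field is agreed on yet, say so above the event25 `.Convert`: `// Type (e.g. "Image is replaced") stays in winlog.event_data.Type; no mapped field for it yet.` The event24 and event25 `Convert` field lists are byte-for-byte copies, including the `Archived`/`IsExecutable` → `sysmon.file.*` entries that look carried over from the file-delete chain; as far as I recall the v13 schema, event 24 emits only `Archived` and event 25 neither, so those entries are dead weight that `ignore_missing: true` hides — worth confirming against the schema and trimming, or hoisting the shared list into one variable. The enclosing `sysmon` IIFE starts and ends outside the hunk.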
@@ -104,7 +103,6 @@
 "event_data": {
 "Details": "Binary Data",
 "EventType": "SetValue",
- "RuleName": "-",
 "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA"
 },
 "event_id": 13,
@@ -169,7 +167,6 @@
 "event_data": {
 "Details": "QWORD (0x00000000-0x00000005)",
 "EventType": "SetValue",
- "RuleName": "-",
 "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2"
 },
 "event_id": 13,
@@ -228,7 +225,6 @@
 "event_data": {
 "Details": "Binary Data",
 "EventType": "SetValue",
- "RuleName": "-",
 "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr"
 },
 "event_id": 13,
@@ -287,7 +283,6 @@
 "event_data": {
 "Details": "Binary Data",
 "EventType": "SetValue",
- "RuleName": "-",
 "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA"
 },
 "event_id": 13,
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-loadimage.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-loadimage.evtx.golden.json
index e6e9a922aa3..b3b7d2bf23c 100644
--- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-loadimage.evtx.golden.json
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-loadimage.evtx.golden.json
@@ -67,7 +67,6 @@
 "Description": "Identity Store",
 "FileVersion": "10.0.17763.1 (WinBuild.160101.0800)",
 "Product": "Microsoft® Windows® Operating System",
- "RuleName": "-",
 "Signature": "Microsoft Windows",
 "SignatureStatus": "Valid",
 "Signed": "true"
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json
index 678f5fe9fdf..fb4e980d43e 100644
--- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json
@@ -72,7 +72,6 @@
 "LogonGuid": "{9f32b55f-6fdd-5f98-e7c9-020000000000}",
 "LogonId": "0x2c9e7",
 "Product": "Microsoft® Windows® Operating System",
- "RuleName": "-",
 "TerminalSessionId": "1"
 },
 "event_id": 1,
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-clipboardchange.evtx b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-clipboardchange.evtx new file mode 100644 index 0000000000000000000000000000000000000000..4df96a14519946c5a984447cd177244e9b3fde65 GIT binary patch literal 69632 zcmeHQ34ByV((jp^WXQo02zSCwxI!Q#+zcTRmMf4DKye|EKmxfS$%>%6Sub`06%W?+ zLe`UA6%`d-JP;QZSk#EF;IV!v9)RwCQNTs?ldr0)dft1JNtl^Th79{&ev^JjcU5(D z^}nmD-;q(gB(tcvKsaw!K2Z&+MFa^EV{y*X=;N5Ub2W`7ViGVlU~0hBfT;mf1EvN{ z4VW4*HDGGM)PSi0Qv;?3&Z~ip;w9;YrORQCPg{LyHC~3Gz+syZ@7X(sQf}}6BcEs2 ze9&D_p$kxr2^ZpIh!Dqu^;d*QgY#n`4B_ea)_Ka@%r)r(JaPLE=ijcY;oWd7Th+s>9DB18O2 z6o^t$3CC;U7rKluz8D=MR*4c(3>PclLWm_r6hgL2Q7%S`!SGih7Q>kW$dd>AgCH$} zGb=?I9F>VBkaG|mm%;hL;tIG{3Td)Pg1=#~mn72Qe}RL2h2h9*Id|?uXe-rjWjUcD zTU-g0D_~uYgxR8-H z(79|6{bGZ~C8A1}giFyPI>;U*ra`vVoa1y}m`+)f#YDK)2Y#Vwa!97%hY?~XkjMj- z6+!ijqzI_Gs9+IljS3Q>!4{k74kwhQ$F&F(xty&CG*t@MtWh=*91LyT6%Le%=f4#q zrb0$+t74f+U?!{R3w0 zk?O%-gf=yLO@yHZRUuGMsAv^ri2!TSup~1mQm5@%KoCVnNl5e7s0a~(vRn^^6d>IH zolT_6Y$!*ultig@KIF^HIc$H*C%{vL@fYuZ!OT?iTY_p3YV+H)N6yYK~6rmNH z_WBXwpy5K+tx`Z#3lSb1w)5D z{Dq4MnGcG~^GR?NBcjD5NWTqAfIM;V$6NJf?^Q{3JRBv&fDS_R?De3$6arlWw-97K z4P-V#)<7`_&Xq!2mx1wDfCdP5O5nIuEJ!P#llbb9^j%X!PZ!<%;|HFWA1r$xssein z*(TxzLHGxym))xd5!{bkRTQ@K=~0oH>qq|MV~`qiK}*)aE{?spO}qxpOhNcWNj4A8 zBRYNTc4#50h7Yv zXDP^UjRZ5QS8lXY>|msGYh(z~?9Vj2Xfz|h-VwoRRGbX0z69Fd8W~E|dvJ+Ztwbo8 zAP#{z7*;^eFv^MWhx#{Y+YW7y!zKa`B8oLK9C8N>7}vr0EdYXK)M)UFU?0@ zftEfJXg7>1^MP8GSPuEKL6de_qv2wVNQM20Vgl4H9i$rqN2#(_sbVP9G*u!~5}Zka zt60|&u!q;|&?WE~uON*yD4zu9Qh*kwL*a}aTmw6t83y@M;oLBwpA2*+ND33-$_Oz4 ztZN$R31vdb#z5)D{Z)cKsz573fIW|a1pT?ekg`3u0e*R)!5NUN67+%H6|o2rX(`mA z49=skW{qq`_PYSe&VnYLsnO^uTL?=QgZ9v8K#VJpzDa@PJ{joDf$NCZ6XA>=jTV3& zu#V{TStDE1AbS~eL4SxP?aq=mmO~rjkjEUdH4eSpkRC@^tQ+QJyja?)t30A zGoKWVPrC;AOaM9+;2h{RA4`-jVM>UytdqC~C}n}ZsYm1+sI?<%WlRnAz|;mbKy9|P z0>nK;KB8D6kr1ur{MOT+xL(d&XJ}k|G{99~hfJ`cl`tBhH5%nm78*x9CNqyw8jlWa 
zJLp^GfxL5o653(`__*XfmO`suDU7z*fh^w6^oDBmVwqm1#1X{dhUj!WFCDBEjw9`Bj98jwxw4idDBrsg<WgtJ?kJ8532zU%}j8w?&i zg{4&J3R4V4;SXo*t$F6&0_OCsh<3kLFnxBs@`w1+ng77UjYv;hKxDJ38$?hSM74T0~O>RWC$myD?~>-qHuva9?szdbxc!j%%jfG`iSc@{bepCv6lK;FB)b4?CIOVCmaC{ zj9X0K@fc(*Z;hcA+!klSF|MZ_ix8qaD=>cCXY2kE>b#!jDngA0sUp-du&=r)c0q&! zwPD~6Az?nGx3@@uEBnM58Gl}gS;7^^m@C%5oQFh5-M34ocojA!S&(~iX6jg3vU^pE zuFDqhx#7yp%v~{S{`Slxr8jv(gCeRJ`zD&@OtZfDbxVuo@lS#u!k!Ep?(dkJdFlSY z^*lnJBo80*2ZD z^jyYOT+zcguoh>vMz$q;!bm>q32mPB)W&5kv!TrvNmND5!g#PXGL~q#v@cgOWP{s; z7LC}fQE5k1T(+2NDrjZ6LPHDv*2wlAQb7F52PqUCYh;{<+Hj^Y6SUERXt<09xT*(5 zyo$tXki#0uv0b-yiT7*Jnh5p`#NtAr!jWC<>Da0`>Ts(@x@^^{fXj9$*O_jQz`l*; z&?>lGN6-`AcTx_xhw*yN@~47DErrt9m-7JE@h%Ts>mfZnhr@ZQ%t1q0D7jY1V zO&kj9I_p(4bJlyk%+q*nCjF(6C|Kn`+XYkXN9<{krl)N!# zB*&S>Yh-$0C&oqU-}LQOe=fMPcS#F*ec=)wIuH*PF7{$IOnIvG>972Xi;83ID#FFu zca6BHBr|alyg;L`7%2XsKXEZ1A5ehJb|Q^-eD(jT(Hc?&5-#q>03K|Iae#qs8YM7+ z35@MuUlIb$f9_5x@Xb4MRR$hdn(gf8$+{`}p-*zv80e zxG?!;xh_>szBD)aZgmsO(2#XgLSe>qV5(GPybMaA*S(Ts~f8*x!dX5ylWi*DfJNBG<=Y_{yt zwBxJ))=xD`frN`)`jgzh;#uNOt_DA6s#U6)?k#zo@UEoKX(?gEk*oNk;;8(^@(vk>_@a``#6=Sq-N40mzb50heTqxH zKHTQ~p1TOp3?y7!I)IdLFXN(Gw!n4aK-g|8j+cr*6!U`=H>@oMNZMZQqZ;g3Kn;5& zgC^*5y+y?r`*EWmd%HNerC)JTadhBfh!Gc+WF{_}xabBh&bpC0yX{uIP05Gb>DM)4 zfrN|C;EgG;-NoxJ6X+0bc?gVc`*+b2o6`2bEd}oOX9D=gs~NHyTaAr04;Qt^T*Ma> znaO)kZi|ccD=sRI<(7M8e6jqnaUQKCGjY+xMK^Hq#(Sur*n)T+wz1ttmH&8`+6ydy zu{Y17uV-AG&DHSHs)eSMCffTxF-~IBW%CFZPvzi~7eW*b@)5EZ?VP<-*Y5f_zYCN7$|=mswCI7U`(``dVrddGP)f3`tGkU+x4zI3~v zsO0EbORfgLHsQSWzR(%Q^c*H7z9aQ(DN4)UQ)Jq18@>(72ixsyNh38s^PNn3TufqZ z_5OIktyBDpi;AOTJ^B+PE-J}PTr_df4P5;8Kh#xhJAE8qobs^N2LlNgb9p`be>eMpi1KAuOJjIOWe%W(4qob zy_)0Rz;Rt=i%uNymK1MsRWF%lKIfz7U6Qs_wXf;v0vD4Rd=D&naOdTI#YM%@ai5Np zzo;ZLanZy@H*m3#o}Lx9TYQX*hjj1z3nW~8l;evNx!2#z;K$1^eAIlClJ65FHvQ@S zm!*&gm(m;LmLBubdh{#oL6@&{fr~>K7b7f(-&*2VTvQxu`tyA{XN~@%lFYhdj2w#E!7H&7J!SdDN@s^d=Je_#(wN;oI?tIvp+ZD=sRI@ds!I=c7<_%+e^&Vw7Zt~v)%+cr+l=3# zQIeUsXyT$9xY%(bS+XrQ$IE_FPqDZErOn#{2^Z7&^{uwfRI#b-FY@fM*}uPg%+XBQ 
zqF;q~l(=|y5xseE`EhzbZT6Y)dRolQ)7SkoLFSyajbB8e_ZNpVE`I*=t+s3Yii?Wl z!rSORo$8H7TvU>oxM<>{8@M<-n{n~(3^)6Qo7vv{Y^)<^AmQS({D8|F-0OoRx(Lyc zYr`GiQ8%?y-+6W2Uuo}lga9u@Qbg^hjf97P2&VgVHk@(2{-STM24$W8G!clYa&ezd zDyyN>;G^Bv`xO@zM|Jdd)Z6deLtZ zs7`u+F^#NAq&&*cRAuUEbW=N3H8aZhAS|3>oi%g{94wG z!bSZ4)dW2F1q^upW;{_E-J|`Vq7%8|5sX8TC^C)ef0&+Jown^V)*!|5MALn zJtJLyE>q!RwmrulpFS}Oricz4bY7K2gJz?Kz4LFHH%NJBPSVN*5)Sg~Asp{lZ0`P` zre)eYK8n(WcuFVv_`U*>=ByF*{l7xM*^z8A?<788KiOpdVO&@Ow9h`#!fFxKSj~75 zt~gSywf{+pLTrUM<|@f7&Hp>7cW(Ucmzy?I6>vX)&!7bprnX)^A!1%(Zy0Q%;q$MS zbLTq3ZX)R1THhDp>;FnUbZz`ZO7QX>q0g!}WsK;+XtFOjeNfNxJ0VV08QHv1jE40S1*#{AS%!ws%v5)x& z!MCF6yWhd|rRyG?CsxZ73g1}I11Xk*JeBZW=@824lG;=;TTF*Mp_B&~8jxczjan4Q zh}7`=(@3uX_J=?jI<`iJHK1o#C3B%reyNmL72(rsEpv5!Yb`u2CLwP0?|U_K0hWfoqIMT!-tpw(^MUa0A!Y9&t_8 zac$!f*Hi=7wjOa!({YXUh-;dGYdhc?EYSOJ4K56R#cu$o`Y%eigLC-Bzj#j7aa*VJ zUHNzzr|NoLR|`Yyc6PiJc4^;zp9Sc!7(Q=~Xu1-G1jPnS33;<$e`3s_{%Z&?$jIpjgULpfO1y5=mH1;6py|$9R6FfWZS&fY|?s@Z^Zt+gV3j;Es*A4@7+W)f3t$pLVlih zDaYwwV>JbH-F&MxCfbPPw$byXqyu(U0$vGGlNTqCt2WbjjdCq}C1gjR8YH>s+sQ4q zAI{B_`D#}29Y87$wG{xJ?ll(Tt0u+8TuTBBtNX+mn1~3m5XA{s9P7hHC0S7OpMO~% z|0MV!h?^upz0iBmdkrx#;lLlBNAIEq45NsL`WTe{yTQ);dRqE@l`mYxO4>q1$+Rz| z>?fd__1pgMPwsv*@#|LAKUFsn|7jrhqp(N!1eKmX?avCfhQ!xB4QKkoPhOlwmz6)E z&#d*%DuMQ?#_utF;j;JhJA}0G=Q@(&c;rgDAG7=(x?f#Mtt2zYZ|NQDzlp7E6w}AR z;`P^>(>{+Bv)Y%f+4NHP(xVTR9 zDXPA`8kG6SRA9KHR=KH{L-lkZ>`QpGw(@ZWCn9tmztIQZ?;Yr%5lFcB6fQ!-wjAAY*p6{eSNEweqSG)LHg3%Y7tbE1C$dhg zpf3?j-d!#QEuTg4w|A~vBSpQg*APPm^zCK1;CztwB~?9X3~NY_i{n`h`|X2sGFJiyZ#^JSP zT$?8ywW6Kof`>}1Y5VL_q){7UW%}$>H0?ckyijHdZ)fK?4VBQhlcLdJ`kjsLOkH%s z#q-|8TZl*RE?U;luehi z#JH$mBUI}pDt4%jU8O2db6WGKwY%=fPlUTSl!k_EU zisQ!H+q{Eu#F{xq|4>PG5#ykF|CsOYA1nTtEZKI|IS!jEb8loCH}j-|mVo-s>u-C? 
zWm@r7GNsk*FV12=aRbA`Sk}*APF2{!ld+_cDt1}?zU6a!;)SaYcew)7caz@fj_J+2 z+sXLf<@cOygU2~Hr%J!^t8QbZAGzY_G5JKhzTGfio$Z>tf08QL`9=+0)BA_~b}7+k zb5r7?EB{b&tPdBJWEU|mn*Lz}_pzPFKXl-rulsMz0IdfFl7Fa4O?$r9i!=SEKGwH` zPk4npQ_=f}8LY0ntgI;q{pueoj^c@RyU{<)a`F$AWEU|Gn*O2h{KH4SCQG)xd%v^2 zH|{w0h9@165=gk1gO8fR_Qf1Z5458+NqSLm+qLwngt(4QJLc8oO={0M@nyd!g%xp9 z?~jhzBG*4I+xLl-{FNJuq=@Cu{4NHCy6)Jw^8B;$^rE9vGar-weA}q9I>=|J#P>^Q z%i~Eo@pNAKhe@CrdRL_o5BJ=@=1`O2;)j;H&vz@1F`+zf&Zc?uH=vCT9W==-&HwoV z^?dh#$rFmSOsAf6towu_SQ)fo(?6l8da(2Jh`xJ5k)8*`exjapxP&pX%jVk`eAHz9 z#np3)ilf7ixYQVDQj(c|gt-ps#yaHDvt-G(xRW$0`0D@eifZm7f%Tn|0o9~|WPHgE zY{5LLs`%|M>9kO&!|nw2N zy*gcr);aNyGF>0CK$g?Dn@ibGye#8bBL66*LirK+9M~kTe#L!FiHokDQ&b%5!$l>T z`J5t*%E5JhYAw>A&nYVG@zHaN?BE-WR_l$GhUXO3$8YBxc&FlXzmDIEV@=1a(idoF>WgzF=bu|$E7Pp92{JwYPn=f5`_A4crPg2cn zv(=XsYv9^l9{+@ z;-VY4IIjca;_6!Esn_2nJh{@^*3FSUkZ|$E$7rUqHi5eM+YE?Z83pX5FUP#bl{e+6 z_yyS6QI;$vPU^j&EwX=N!!p^h3&XyVGqmK@lVtkEk5i;{d3Vh4Ov)XFT}d+!kE4PL z7jgY)3ghBqhnf->U9F!hj`iW9lI$YJMRWb!`}K1N4yxzwRHs0LW}{Z88cdzmCg$0|^&j97a`G)t%CZ*&pQ7 zj<MbYecRJ-$yJfJz*-MX zT0`J)j6XDx+=q^@Wj9H^28rR)9VGE_vcpxq+u&5Dt1&{SZSryRTFABJbe)3gyRnL1fc?mO<$(Ui^%Wu-}=&q`+ zuKss*^*b_47H1Wg6bjeP$|q_dwTK`gVlA#&ntU7^cdoX{L`(vv222f@8Zb3rYQWTh zsR2_1rUpz6m>MuOU~0hBz6c`sF#QPuI)t7R6{~!5; zzn}T2oLZrj_F%X9EbbI?eWo`qWxOD@bxc!IoZ|C!P?p`>z z*hQYPaD0Y?B%NJ&EN5C+_K&JkgEc&j(}g5GRDc9g2gltb~#)W zB05@FLg%nO3}_!LE)mtTBwUISF+uhqF%`0{;vA>*!*t4;BqqSMe((!LlS48CK8z4E zfJ8p1tQe|aEJZ-oMF)#eYjltZ4Yt@sPdK40J+4)l$m49qps7;0W{tLq;9zLu?r@+? 
zyx{E+F$FSWTb0O60y9}fS2*a(cAB|5SmesKSSGVrk)cJz!vS^y+_rTO71N;su~|?> z$j*Y4LPT#kP(5eqJKWGw^% zu!#yFk5mu#BDAT|t0SCRP!$68go@TdmI$yG4NJ0uqIBAx2?SAOl!P>IjgAlzD9a5{ zNCCow-`Yfm%!YE5NJ*4h=Rv-#EbieE-$V#IP^<#M(ORmYrbIV7OvHpDC}6XvzTR3O zYodg8YM@XQn#;L!%Ylaikr$q81r=B+1+SKjsCg%%9MGBqWr;Y{ifwigWUPcgmLgn) zha$9M)7~&L95h_Sx>X8@ZY9ElEV0s@5R7rV4ooxya^`~}l}fp>(PD)q*mCaNc*uaL zh7C8WG+ZibIhX&V*)~3>>F}XoEqZk&tx;n5iB9qsEbtg5oVh!XY;{ zPBq9!iWH&;kMYw1U zSHaL>4}akzLgs_w@_Z5;#flg)5z_hA1jy3~{&=go;_uf=bUYj_#9=6K!{LYIr4Z;6 zxP>6=sUWj6WDORx;an-Sbr~3cC1`+PXE_{~iuvi~vlCxClCf(_=;`9ye)z!C@hFz1y`Pn2ygrmf)B8f6tRSY`m1>7voE-yI5sH7ZDiWBvrrkFC$r zhk!}p@UsNuw?=^(VLp@r>y6gK`4AYd0%ONqA&?6I87^AEaE7oEp@A)h{hsg}EQhIN zF%0&SU>}cDMLZm*z|fZ>hQt44_&)^Brb3Pn4&Qa>y64jtlu5gc6%)Ym%78rcSOZIB zdoKqHSq@wG3G7!vio<3p)Zj`OtWw|@M~{V&hp=NFT)}*ULF)*Bg^+{J4B0taG(k2KjTKGux%MM~E>Z4fZF9@u2q%(A+RMN&|h5g#W`q z>uD01l4KiX!G1FQQsp%}bO}7h)lO=5`hqlBapE=}c9QwE+J&v$gH?(s6DO^H5 zRY9w3`f5jfGMG=Q#-~Fge8vNvNn|efn6SWRRt&FLm z9+=voMySn_R)DyN$VU{HOC&^VIluLEB(9e;*XbJ9UX5_o*C7jZTLGg1TBEZZ%0lCa z$0X)4O5@RqZ3lg;e2{lGP(oWQ1Rs~Y$5Lq3tAw*Hb|Q3m)~SSuV=${VHAh3KTQJUE(h%f$k2l)02eOIidNR|xgQp4FAcD#OzHyhtfWmQ^m| zFeu%Pbn8XwWGLO;>(axabPumfr$Fg=uS=&w=>)G!kATuWy)K;wrF(f@Ivq;)_PX>) zDBXujBi10=57ca}HH=uAWf@sZ5|r=Tgz{)_{hCl7Ev`S6N7P06<;0M@#F%>WXF<;+ zFR1{=B5TwDFUum|L@&#toe%V~EL!;>FUz8h5B9PwTKEtz%c6Y`^|CBlcaoQ7(YA+C zS+}sv**4I!lf5pDwl&=A(r8^NRNBy|aP5`OBhoOJu`ShWO35yiMtDtWxC^B;uPLRt zP)hfjQmPB3kzP|8;X>&muPLRuP#WbmrF0icqrIjy(uL9(qLj&ai+ziIlaBT9*3~kT zTxea~1X`|kKDG(8TrGVZ(Lz5E#}tfKa2=y{Ga%(-jt74dJxuhy>{QZlG{V^}&7Cx_ zR9|*Hlnn+Cp2AWpbcHE~qVR{2gfVEQ=F zG|JNw&Ov+^q^q~>|L)}Ow-UcN-ueak{O}s1inJ2FhGYVlDNxUNp-7 z+0(a!PdEY^IB&82$6=7MybXq0a9flO$GDz$3_^81S%L9mKU@3vP}lV|qX;z`q>50- z!oKRJ*cGwkt1ShN5EAA=dS|NyxUx^2k@4pRm?d0sjJq%GwpX`Y+EuT6(J|G$^8qv2UVT&NLf}Uq@OjPka*mFfLia zhWk6_WL>)dFa2-&;b`xT9iTxtb{zq`iSWbtG|plWxw}Ei$Q=REHUx(%h(=d~xnmr( z0uUQ?g^}G}T%x^JA{0ts%%BM7+!G)ts2_9U3)AfR&_@1DkP(-$D49#nBrV>q5 z<}#JZ8kGbc6^!NMDuovF)yG%W><1&Zg%GpWOBqA-4Wp7;&D^CHOVluChi#7f;x=ys 
z(vtQm#)?aprS)vh5ucvU6zm#>t}-%)Zh%&U`Es3g1=taKXhuvMzte*!bm>q32mPB)Yh<;InZVcC8{E3VLaFx)t+b= z+Lw_GIp8)`LK`49Yg9TA6~h)Yrh-<6D>SswZ;k5cAqB**0+2${u|~yts0~*NGe8@i zh=yS_z^EP+@hTRpKn`mZ$9CP;CEl+=Ya-Y)5Q~d|3P*Oar(>()sKc!qW!S1y0GI7h zt}ERhfqfgxp;d6X&Y&kmUtE>Lc)e!%Q^2B@KxypD`GD(qmj|u}k|f>8J`L;RE=7#@ zMk68{_8N?J7Ypin?n>2zq%yR6_vl$64jc{hC>*fRc|xa2{aoi!Y7T|-DCJ-&hs!8c zbX-%F7acd;hZ|31+8@#&ID&0v$FkL%UhY|X^x@KD_Raeb{ncgu(i-w0#Ng0S3JYs= zBhj?HsfF>dskuvDaYa>ieo6c^H~~|d!g$D#IX?+D@o%&#*zo?I2DdJu){x%vs%x(P za8_Q#K^Qi5U8VYSGK2JQ(a#MJ0Xybw&)S>Q&wU{%0o1xrd~ZQ^3s8)3#jznjS4kG^ ziI1v0MgRJ_JO25|13_Rs8Bi~@BE6NlS}tB!)@#vOubQ!I7D*8SbzYyUJedBsMgUZ= zv7yJR-_XMJwy(ctv=5!YX*<4BI}D@g7}9x7zZgc74H=ed*G91oA2*6z(K`vToujt%MVSc)6e&nWEU_F>PK;fa|+|s zu~Dk>v~(O~!}HFQfMAsHz?&Fgrw(JAhAyWMx6xafGSCbpTwHSzDd7dU=M%U0cyJge zj~f2R*&5E^rz^ec@}wyFW6ns9GfGy=^uSJxi!{9H+pFPRaAoh}R`U9S#XNK%9x7by z!)loPbm=o+`V|)y$GVk-i*@fg(R3>|C zB<<*Nu`f5eW!uMZ)cF+`6~_h1ugG_jf zMSSs50{(q-yUO!x-~P$wk?bEwPLcWh-p?x0<6=L?#XlXW`{;YW;-cdC)M&=VpPX?~ zNoL}riHmOF;z#)0Eo`=&(X`{M|JF}6N`Zun-3F4}SMV%xCs%`?Gu0~9LiZLwL3p>k z-)Sk~z|KiB?Uw8#kN5B{B2+s#id3M-#r}+oK?f7-tYOV{Kao*$*Kw*A`}iB0MI-;o0M_#*-Q z6EzH3O|8ZTnum+JV+QfXL}v20r?$nl_bVIE$;{qg4w{Db2L^U1FTXrpx9ME}qK8CohC3 z9^xZpFWFC$XQvs=qX#lB4w-R$P<0Ij=}fA5ToN-`4{OXM;>o%Z?YKinZZ1I zFgJSQ?4`4k{ECZ;#Ok3Qp!i%K#R7foDr0~g2gtjK2Z@eL=(p5|^7V7NGYB6a&z zc8lKN2YIp>4T`wuYpBl`T1e8V&zn-TvoEI7y75iZ<#GJM=~BW)r+P`(SKmG!iGHHE zv&_G^v@Mm>`-?+ZEi?N)Ry@+LxTrWDc{TR{KIc;Yg)=TH$xK`{anTK2T>SwVx9w3M z#~0^asomKUNd96so<|?#=-D;~4K{Oc_3fg{ zc$6NQP1%o3<4A)Z7l*QXDvy7C&3M1!qT*PyaXQ5pk2~X{lFYEq{qc1)>hw-2i-o|uehi-~5NVifyNl zip%8c|H1X&bX)~GjY+xMK^G9a2RzL+ZZ3uqvxE^ zI$$8-Vm0GpZ=NM?=4xnB0j*vwac}V0?y^NE40>CNx2U?0OtYT%(eo}z+o{@XdK=(k zGK24d#edj&xnFTnadh0L9pcaq*DueSd+3i;r=9aRT@H z`x*Rr`Gt>KZnFHl1c^<*fBzLJk`Pv@+&zo;ZLanZy@H*oPGzRl3~T(xie`Y%${N=0DZr*n21>EW00l-|W|)*kNh zEqy+{s`@P{=^aZaNl_PP(~FH_kM)wr_Ltca_O`k6UL}uutw-0n+`p(KGjY+xMK^Hqf7o7ZPcHJdqZpTa47&?&f#ffSvERJDCkcOw zC(tw-ZTau1jeBsV#KkH5|15FvgLOOP@#Z=4vO;U(Y}_hdCR^5LQOPF_?(0tF(PQWh 
z`TtqzS6oyaYgh4iXzp{qEs$_AonPN- z>q-@y!u}%99$WnTyT=^Ok}djWcxQ==XBX0&2bUeE_tWN_32&gq+&q2#KN4iliQD)^ z6ncMg1mogAf4bea#;>@jI4-z@?$fE+;Ean(G7}d~Tyz5$XXP+1-ka%Wzi>0#Tc2I* z$Qeku_#8jr@+SBCAc-zQbmrP{$9L3C?KE^=UH4bow*w)-i%}F&yLAKM;ctWKKArVv zjMrcE?bWEP)1Dy$vDF6m>7=n5x(q$qW1U}dQE^oFFN%AdaZyQT;-ZO*Zs6j^g^Y_g zOefXwJ2Ud_J+oJxet&=EQYD(HY?lVX6K*GgucN6mc`EJ7X-xg3cUf|a*yyfCQ zDy{W))b{7yx$*U0^3z=_DsttkH4pw_m2?!J-S|&Af&TMVZ^$RVTi5+kw*2AC&Pajx ze0oBC@~iO*T)cIvELeUWYewNBe*bDD#DJ}N|a_)W{qke|y`xR_(lwZ~^nNP;P%0|#AKCDEYSsA2E?o8}Et z-We0MGJ%AH{CWt-`xRTdKd5P$_KuIDG$EeSi9WusK%~2BM1B9S2ypfyHko%5AF`ip zHvcd#ECJeQpJ-*Zh#IVBya-nusn**6q(mXM!W(myWR{ly9n`xwT>HhQ%~S>4FW56= z{`e_vR*jFCThtc@n;7`~tL5Ce&aj&ZI=43TMfirlQV(4lzgnCMJn(DEc;^;>O*y9C z_r^2fW4!p?Wc3Yt3w@#Z5-y9c4dAkIjg-Z2Kvx1J;TP)hThPVuq2E&YuCtXS!CM+o zl5QHc2%)}0>-;tQAmWcXu>>ymG5;X=Ry2M0JD9$7-HY?I*YbqIH`en(iX|XV74Q$C zoQBkHCgDnMtH<^xQ?sMBd)`pxJG)!HATlY$|J5RPF$ls;+m@C8siby zR41;n9&sI^)XxlUi*)w3YC=gUFO&TF!Fp}Fe_Rwvgoe~f&PVh-~A}6mI!;kf5?x`=4Tjv2SjmPV5Rpu zi<_O}^GdP{c)n$RXIRd+aA8e>Kq+)$#C0S6*pMP1N_$2sYh?^upz0iBmdkwKL;lLlBNAIE)45NsL`WTe{yTPve zdRqE@l`mYhm$Ze5mT7-T*-t<<>$m;io!tFa;#aL}eynLE{?kb8M`4fd2`W8(+MgM0 z4T-OR8qV~GpS(DeE-QaRpIPgj)dKBPjo)MV!e#FlbP8$Z&vhil@yJzlKW6!TbicZi zT1jS(-_kqQe-m5TD5j5t#p|!Nq(idpRI_ed}{p0^kSx+^5E9N(SF56#j$QB z;o^daoY&WtWF{`w!#xuhVPR=@ennyYw7jXA^OIl`zj}ai@fi#d`*8d6+&BldK*Gf+ zekx@rx=pZcyE^Rh?fFKdnA4?&N-NyJ3=(^*8z8yS;-QGy(}1pTFPf9 zg>)Jw!_Hev!Ns$O>4~fpE9grElXjO&LCa@S{O#TAS4&Z^?=#G)0{ZrHy5M?{{smP% zX$)&fkBj424g2jw^Wy!Ai;Clhc*4c(-OjkEBr|c*#6>r7@$}1N$+p)fx^{r39bYu0 zuY*7!;o@+T*bOLzx6 z$7!g9zMT|}M$>O?bZ6?q69&(F6K^3NySI4h0Kej*;#gBo^XTj@Z#vzlt|T*Y(ZoeJ za50JACL?UajyKvHJid6>54{{^0tpv;+(}}evQs*iZ(Nlj@6#O5 z>WI9*IdReGK6S;hAzW0FUBI}gUn5lOB`S8Pj*U{4r=_pEp#2(jH}}>l&vT!;0|zy4 zj;tFQ8Zf1c2LIt!V5jYaB<(Pea8RK)!<|Pu&}#hi?X^EjytnZDU*8Tsk?I9C0w`+g zK6S*y3^tkf?@KJ&8sX3NXT@>Doo(O6IAZN=Xa7)1b^+s{dH3d1<_QdqI-5q57@ACUjw#DPz+tQ@p_+^iar60NC=rQ?3yT08pU%hS3 zy+2A7?0mD9uIc?le!G$#CD{dxi>80r$bD?*@edt1=Z?>*>h?@c>yf8$dQNC_ld%*97dVf%bGr3X4tnk2m_xb0ecRYF`( 
zrycWZ@+P(CocOZelcLHvsrSdmY?139m+kvRO8)AN#ZtubXMYomLS29C8+rb@czV&% zsTq$;f4*IGSv}-)s>F9oX367;x$$&f`G-lM8G2Wx5RdfUzWPwJ;o^su`pzssCuyL^N7BCLXn;a z!+xTkbGU>tvfJi6=YP~}{l(}xMa9wKM_lS0XHt@xeuTLW>Bc(b(X(X9wz!itD){RE z?#deOBZ2jul0h}3fnvV5up z=-aNNJ4~h*S4h!D=3Xw-*I%0^MeCaQJDIKvnJ>%f+s#n+6R*fPmMAz%sZf3dJ_k0D zt6%v*bK;`WbBc;%L%66UGoMq0Q8~EYPpw7z^EpL@JwAF)ksW*|qt$w2mD6*I>f^Vw z54>CXPrr`eieqi(tL6Pe+4G&pZzY*Iew*XB8{>EP2#MOl_A8$6I+=eH4z}D{?kF8d zae&Ue9@LkoC+hVJG+P!z-h=}+lWQfADuhtSj!OSbJ5yeoBRT)n`Z}3rmyMU{@qgg7 z65e*+Qf$6VuA|4?y!wd)}{Z?0SB>>n!0E?^uq*Ux>oe!i(c`-iPB^+~UB5b3^0 zL&`wH#g|g33M+e3`Uv}jeA@9=(UyvrCAHI~XkTO}OUVx}`kk!EW0f>eMI9&qSKmI4 zMssK9L-p;8Yuq|Q~HDiyq7ip(iu1U6&Dr9ahvG-Ipw!FH@pbGbsn;MeT)KlKe$DgzLzAVX9p{~p z^XF~<{=LMp>0f^?&%ai?Ps$Vdn(~Z26z}#WPskFxR5ct||d|{{LqfXXK{~vsA BJ)8gl literal 0 HcmV?d00001 diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-processtampering.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-processtampering.evtx.golden.json new file mode 100644 index 00000000000..e85f559cee8 --- /dev/null +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-processtampering.evtx.golden.json 
@@ -0,0 +1,54 @@
+[
+ {
+ "@timestamp": "2021-02-25T14:43:23.55Z",
+ "event": {
+ "category": [
+ "process"
+ ],
+ "code": 25,
+ "kind": "event",
+ "module": "sysmon",
+ "provider": "Microsoft-Windows-Sysmon",
+ "type": [
+ "change"
+ ]
+ },
+ "host": {
+ "name": "DESKTOP-I9CQVAQ"
+ },
+ "log": {
+ "level": "information"
+ },
+ "process": {
+ "entity_id": "{9497d8d9-b78b-6037-6f13-000000001000}",
+ "executable": "C:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe",
+ "name": "git.exe",
+ "pid": 2628
+ },
+ "user": {
+ "id": "S-1-5-18"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Microsoft-Windows-Sysmon/Operational",
+ "computer_name": "DESKTOP-I9CQVAQ",
+ "event_data": {
+ "Type": "Image is replaced"
+ },
+ "event_id": 25,
+ "process": {
+ "pid": 3800,
+ "thread": {
+ "id": 5080
+ }
+ },
+ "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_name": "Microsoft-Windows-Sysmon",
+ "record_id": 10737797,
+ "user": {
+ "identifier": "S-1-5-18"
+ },
+ "version": 5
+ }
+ }
+]
\ No newline at end of file