Add registry mappings

products/microsoft_defender_for_endpoints.py

@@ -32,7 +32,9 @@
     'sha256':{'table':'DeviceProcessEvents','field':'SHA256',
               'projections':['DeviceName','AccountName','FolderPath','ProcessCommandLine']},
     'modload':{'table': 'DeviceImageLoadEvents', 'field':'FolderPath',
-               'projections':['DeviceName', 'InitiatingProcessAccountName', 'InitiatingProcessFolderPath', 'InitiatingProcessCommandLine']}
+               'projections':['DeviceName', 'InitiatingProcessAccountName', 'InitiatingProcessFolderPath', 'InitiatingProcessCommandLine']},
+    'regmod':{'table':'DeviceRegistryEvents','field':'RegistryKey',
+              'projections':['DeviceName', 'InitiatingProcessAccountName', 'InitiatingProcessFolderPath', 'InitiatingProcessCommandLine', 'RegistryValueName', 'RegistryValueData']}
 }
 
 class DefenderForEndpoints(Product):

products/sentinel_one.py

@@ -49,7 +49,8 @@ class Query:
     'process_file_description': ['SrcProcDisplayName'],
     'md5': ['Md5'],
     'sha1':['Sha1'],
-    'sha256':['Sha256']
+    'sha256':['Sha256'],
+    'regmod':['RegistryKeyPath','RegistryValue']
 }
 
 PARAMETER_MAPPING_PQ: dict[str, list[str]] = {
@@ -67,7 +68,8 @@ class Query:
     'process_file_description': ['src.process.displayName'],
     'md5': ['src.process.image.md5', 'tgt.file.md5', 'module.md5'],
     'sha256':['src.process.image.sha256','tgt.file.sha256'],
-    'sha1':['src.process.image.sha1','tgt.file.sha1','module.sha1']
+    'sha1':['src.process.image.sha1','tgt.file.sha1','module.sha1'],
+    'regmod':['registry.keyPath','registry.value']
 }
 
 class SentinelOne(Product):
@@ -530,9 +532,10 @@ def nested_process_search(self, tag: Tag, criteria: dict, base_query: dict) -> N
                     # play nice with 100 item limit per search field
                     chunked_terms = list(self.divide_chunks(terms, 100))
                     for chunk in chunked_terms:
-                        search_value = ', '.join(f'"{x}"' for x in chunk)
-
+                        search_value_orig = ', '.join(f'"{x}"' for x in chunk)
+                        
                         for param in parameter:
+                            search_value = search_value_orig
                             if param == 'query':
                                 # Formats queries as (a) OR (b) OR (c) OR (d)
                                 if len(chunk) > 1:

products/vmware_cb_enterprise_edr.py

@@ -18,7 +18,8 @@
     'domain': 'netconn_domain',
     'internal_name': 'process_internal_name',
     'md5':'hash',
-    'sha256':'hash'
+    'sha256':'hash',
+    'regmod':'regmod_name'
 }
 
 def _convert_relative_time(relative_time) -> str:

tests/data/cbc_surveyor_testing.json

@@ -7,7 +7,9 @@
     "domain":["raw.githubusercontent.com"],
     "internal_name":["powershell"],
     "md5":["asdfasdfasdfasdf"],
-    "sha256":["zxcvzxcvzxcv"]
+    "sha256":["zxcvzxcvzxcv"],
+    "regmod": ["HKLM"],
+    "ipport": ["80"]
   },
   "multiple_values":{
     "process_name":["svchost.exe", "cmd.exe"]

tests/data/cbr_surveyor_testing.json

@@ -11,7 +11,9 @@
     "modload":["pcwutl.dll"],
     "md5":["asdfasdfasdfasdf"],
     "sha1":["qwerqwerqwerqwer"],
-    "sha256":["zxcvzxcvzxcv"]
+    "sha256":["zxcvzxcvzxcv"],
+    "regmod": ["HKLM"],
+    "ipport": ["80"]
   },
   "multiple_values":{
     "process_name":["svchost.exe", "cmd.exe"]

tests/data/dfe_surveyor_testing.json

@@ -10,7 +10,9 @@
     "md5":["asdfasdfasdfasdf"],
     "sha1":["qwerqwerqwerqwer"],
     "sha256":["zxcvzxcvzxcv"],
-    "modload":["pcwutl.dll"]
+    "modload":["pcwutl.dll"],
+    "regmod":["HKLM"],
+    "ipport": ["80"]
   }, 
   "multiple_values":{
     "process_name":["svchost.exe", "cmd.exe"]

tests/data/s1_surveyor_testing.json

@@ -12,7 +12,9 @@
     "process_file_description": ["Evil Stuff Here"],
     "md5":["asdfasdfasdfasdf"],
     "sha1":["qwerqwerqwerqwer"],
-    "sha256":["zxcvzxcvzxcv"]
+    "sha256":["zxcvzxcvzxcv"],
+    "regmod":["HKLM"],
+    "ipport": ["80"]
   }, 
   "multiple_values":{
     "process_name":["svchost.exe", "cmd.exe"]

tests/test_microsoft_defender_for_endpoints.py

@@ -119,6 +119,8 @@ def test_nested_process_search(dfe_product : DefenderForEndpoints, mocker):
             call(Tag('field_translation', data=None), {}, "DeviceProcessEvents | where SHA1 has_any ('qwerqwerqwerqwer') | project Timestamp, DeviceName, AccountName, FolderPath, ProcessCommandLine"),
             call(Tag('field_translation', data=None), {}, "DeviceProcessEvents | where SHA256 has_any ('zxcvzxcvzxcv') | project Timestamp, DeviceName, AccountName, FolderPath, ProcessCommandLine"),
             call(Tag('field_translation', data=None), {}, "DeviceImageLoadEvents | where FolderPath has_any ('pcwutl.dll') | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine"),
+            call(Tag('field_translation', data=None), {}, "DeviceRegistryEvents | where RegistryKey has_any ('HKLM') | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, RegistryValueName, RegistryValueData"),
+            call(Tag('field_translation', data=None), {}, "DeviceNetworkEvents | where RemotePort has_any ('80') | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine"),
             call(Tag('multiple_values', data=None), {}, "DeviceProcessEvents | where FolderPath has_any ('svchost.exe', 'cmd.exe') | project Timestamp, DeviceName, AccountName, FolderPath, ProcessCommandLine"),
             call(Tag('single_query', data=None), {}, "DeviceProcessEvents | where FileName contains \"rundll.exe\""),
             call(Tag('multiple_query', data=None), {}, "DeviceProcessEvents | where ProcessCommandLine contains \"-enc\""),

tests/test_sentinel_one.py

@@ -144,7 +144,7 @@ def test_nested_process_search_dv(s1_product : SentinelOne):
 
     assert len(s1_product._queries) == 4
 
-    assert len(s1_product._queries[Tag('field_translation')]) == 13
+    assert len(s1_product._queries[Tag('field_translation')]) == 16
     sdate = s1_product._queries[Tag('field_translation')][0].start_date
     edate = s1_product._queries[Tag('field_translation')][0].end_date
     assert Query(sdate, edate, 'ProcessName', 'containscis', '"notepad.exe"', None) in s1_product._queries[Tag('field_translation')]
@@ -160,7 +160,10 @@ def test_nested_process_search_dv(s1_product : SentinelOne):
     assert Query(sdate, edate, 'Md5', 'containscis', '"asdfasdfasdfasdf"', None) in s1_product._queries[Tag('field_translation')]
     assert Query(sdate, edate, 'Sha1', 'containscis', '"qwerqwerqwerqwer"', None) in s1_product._queries[Tag('field_translation')]
     assert Query(sdate, edate, 'Sha256', 'containscis', '"zxcvzxcvzxcv"', None) in s1_product._queries[Tag('field_translation')]
-
+    assert Query(sdate, edate, 'DstPort', 'containscis', '"80"', None) in s1_product._queries[Tag('field_translation')]
+    assert Query(sdate, edate, 'RegistryKeyPath', 'containscis', '"HKLM"', None) in s1_product._queries[Tag('field_translation')]
+    assert Query(sdate, edate, 'RegistryValue', 'containscis', '"HKLM"', None) in s1_product._queries[Tag('field_translation')]
+
     assert len(s1_product._queries[Tag('multiple_values')]) == 1
     sdate = s1_product._queries[Tag('multiple_values')][0].start_date
     edate = s1_product._queries[Tag('multiple_values')][0].end_date    
@@ -188,7 +191,7 @@ def test_nested_process_search_pq(s1_product : SentinelOne):
 
     assert len(s1_product._queries) == 4
 
-    assert len(s1_product._queries[Tag('field_translation')]) == 18
+    assert len(s1_product._queries[Tag('field_translation')]) == 21
     sdate = s1_product._queries[Tag('field_translation')][0].start_date
     edate = s1_product._queries[Tag('field_translation')][0].end_date
     assert Query(sdate, edate, 'src.process.name', 'in', '("notepad.exe")', None) in s1_product._queries[Tag('field_translation')]
@@ -209,7 +212,10 @@ def test_nested_process_search_pq(s1_product : SentinelOne):
     assert Query(sdate, edate, 'tgt.file.sha1', 'in', '("qwerqwerqwerqwer")', None) in s1_product._queries[Tag('field_translation')]
     assert Query(sdate, edate, 'module.md5', 'in', '("asdfasdfasdfasdf")', None) in s1_product._queries[Tag('field_translation')]
     assert Query(sdate, edate, 'module.sha1', 'in', '("qwerqwerqwerqwer")', None) in s1_product._queries[Tag('field_translation')]
-
+    assert Query(sdate, edate, 'registry.keyPath', 'in', '("HKLM")', None) in s1_product._queries[Tag('field_translation')]
+    assert Query(sdate, edate, 'registry.value', 'in', '("HKLM")', None) in s1_product._queries[Tag('field_translation')]
+    assert Query(sdate, edate, 'dst.port.number', 'in', '("80")', None) in s1_product._queries[Tag('field_translation')]
+
     assert len(s1_product._queries[Tag('multiple_values')]) == 1
     sdate = s1_product._queries[Tag('multiple_values')][0].start_date
     edate = s1_product._queries[Tag('multiple_values')][0].end_date    

tests/test_vmware_cb_enterprise_edr.py

@@ -126,6 +126,8 @@ def test_nested_process_search(cbc_product : CbEnterpriseEdr, mocker):
         mocker.call(Tag('field_translation'), {}, '(process_internal_name:powershell)'),
         mocker.call(Tag('field_translation'), {}, '(hash:asdfasdfasdfasdf)'),
         mocker.call(Tag('field_translation'), {}, '(hash:zxcvzxcvzxcv)'),
+        mocker.call(Tag('field_translation'), {}, '(netconn_port:80)'),
+        mocker.call(Tag('field_translation'), {}, '(regmod_name:HKLM)'),
         mocker.call(Tag('multiple_values'), {}, '(process_name:svchost.exe OR process_name:cmd.exe)'),
         mocker.call(Tag('single_query'), {}, '(process_name:rundll.exe)'),
         mocker.call(Tag('multiple_query'), {}, '((process_cmdline:-enc) OR (modload_name:malware.dll))')

tests/test_vmware_cb_response.py

@@ -106,7 +106,9 @@ def test_nested_process_search(cbr_product : CbResponse, mocker):
         mocker.call('(sha256:zxcvzxcvzxcv)'),
         mocker.call('(process_name:svchost.exe OR process_name:cmd.exe)'),
         mocker.call('(process_name:rundll.exe)'),
-        mocker.call('((cmdline:-enc) OR (modload:malware.dll))')
+        mocker.call('((cmdline:-enc) OR (modload:malware.dll))'),
+        mocker.call('(regmod:HKLM)'),
+        mocker.call('(ipport:80)')
     ]
 
     for program, criteria in programs.items():