
Add new sub-category Process Call Stacks #80

Open. Wants to merge 7 commits into base: main

Conversation

jdu2600 (Contributor) commented Oct 21, 2024

Pull Request Template

Description

Please provide the below information so we can validate before merging:

  1. Does the proposed EDR feature align with our definition of telemetry? Yes
  2. Could you please provide documentation to support the telemetry you are proposing? Yes

Type of change

  • New feature (proposing new event categories/sub-categories)

jdu2600 changed the title from "add new sub-category Process Call Stacks" to "Add new sub-category Process Call Stacks" on Oct 21, 2024

tsale (Owner) commented Oct 21, 2024

Hello @jdu2600,

I think this is a great idea! Could you assist me in collecting information on most of the vendors we currently support for this new telemetry sub-category? I’ll also investigate this. We can use this PR to monitor progress, and once we’re ready, we can merge it 🙂

tsale self-assigned this Oct 22, 2024
tsale added the "under review" (Evaluating proposal) label Oct 22, 2024

jdu2600 (Contributor, Author) commented Oct 25, 2024

Here's a sample Elastic call stack from a process creation event -

{
    "process.thread.Ext": {
        "call_stack_summary": "ntdll.dll|kernelbase.dll|kernel32.dll|Unbacked",
        "call_stack_contains_unbacked": true,
        "call_stack": [
            { "symbol_info": "C:\\Windows\\System32\\ntdll.dll!NtCreateUserProcess+0x14" },
            { "symbol_info": "C:\\Windows\\System32\\KernelBase.dll!CreateProcessInternalW+0x1610" },
            { "symbol_info": "C:\\Windows\\System32\\KernelBase.dll!CreateProcessW+0x66" },
            { "symbol_info": "C:\\Windows\\System32\\kernel32.dll!CreateProcessW+0x53" },
            { "symbol_info": "Unbacked+0x15e2d7",
                "callsite_trailing_bytes": "488b5560c6420c01833d622d435f007406ff156a36435f8bf0e8cb859a5e85f60f95c10fb6c9898d940000004883bdd8000000007420488b8dd8000000e8374a",
                "protection": "RWX",
                "callsite_leading_bytes": "897c2448488bc8488b95d80000004c8b85c80000004c8b8db800000041bb30000000488b454848894520488d050f00000048894538488b4560c6400c0041ffd2"
            }
        ]
    }
}

I asked the stack spoofing community on twitter about other products and so far only CrowdStrike has been mentioned - though it looks like they only include them sometimes and don't fully enrich them.

I found a CrowdStrike sample here -
https://www.reddit.com/r/crowdstrike/comments/mwuz92/20210423_cool_query_friday_parsing_the_call_stack/

"CallStackModuleNames" : "0<-1>\Device\HarddiskVolume1\Windows\System32\ntdll.dll+0x9f8a4:0x1ec000:0x6e7b7e33|\Device\HarddiskVolume1\Windows\System32\KernelBase.dll+0x5701e:0x294000:0xc97af40a|1+0x56d84|1+0x55a0d|1+0x54dda|1+0x547ed|0+0x25d37|0+0x285e9|0+0x28854|0+0x2887e|0+0x29551|0+0x26921|0+0x23238|0+0x22794|0+0xd53e9|0+0x7837b|0+0x78203|0+0x781ae"

tsale (Owner) commented Oct 26, 2024

Awesome, thank you! I'll be testing MDE and LimaCharlie. Feel free to keep updating this commit as you go along the list of vendors. I will do the same! Thank you so much 😊🙏

pixmaip commented Oct 29, 2024

HarfangLab returns the following (for process creation events, but other events also generate stacktraces, and I can provide screenshots if needed):

{
    "stacktrace_minimal":"ntdll.dll|KernelBase.dll|KernelBase.dll|rpcss.dll|rpcss.dll|[...]",
    "stacktrace":"C:\\Windows\\System32\\ntdll.dll!ZwCreateUserProcess+0xa|C:\\Windows\\System32\\KernelBase.dll!CreateProcessInternalW+0x1a9e|C:\\Windows\\System32\\KernelBase.dll!CreateProcessAsUserW+0x2d|C:\\Windows\\System32\\rpcss.dll!rpcss.dll+0x64a24|C:\\Windows\\System32\\rpcss.dll!rpcss.dll+0x2dc2a|C:\\Windows\\System32\\rpcss.dll!rpcss.dll+0x2da9a|[...]"
}

(I elided part of the data for readability)
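The two vendor formats quoted in this thread (the Elastic "process.thread.Ext" call_stack object from jdu2600's comment and the HarfangLab stacktrace string from pixmaip's comment) can be normalised into one frame representation so that a detection rule can reason about them the same way, e.g. "did a process-creation call originate from memory that no file on disk backs". The following Python is an added example, not code from the project this PR targets or from either vendor. Its inputs are the two samples quoted above (Elastic's callsite byte fields omitted); the Frame type and the module_chain / contains_unbacked helpers are the example's own; treating a symbol that merely repeats its module's file name as "unresolved" is an assumption. The CrowdStrike string is left out because the meaning of its numeric prefixes is not documented here.

```python
import json
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Frame:
    """One call-stack frame, normalised across vendor formats (example's own type)."""
    module: Optional[str]              # full path of the backing image, or None if unbacked
    symbol: Optional[str]              # resolved export the offset is relative to, or None
    offset: int                        # offset in bytes after the module or symbol
    backed: bool                       # False when the return address maps to no file on disk
    protection: Optional[str] = None   # page protection if the sensor reported it, e.g. "RWX"


# Matches "C:\path\mod.dll!Symbol+0x14", "C:\path\mod.dll!mod.dll+0x64a24" and "Unbacked+0x15e2d7".
_FRAME_RE = re.compile(r"^(?:(?P<module>.+?)!)?(?P<symbol>[^!+]+)\+0x(?P<offset>[0-9a-fA-F]+)$")


def parse_frame(text: str, protection: Optional[str] = None) -> Frame:
    """Parse one 'module!symbol+0xoffset' frame string as written by Elastic and HarfangLab."""
    m = _FRAME_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised frame: {text!r}")
    module, symbol = m.group("module"), m.group("symbol")
    offset = int(m.group("offset"), 16)
    if module is None:
        if symbol.lower() == "unbacked":
            # Elastic writes "Unbacked+0x..." for code that no file on disk backs.
            return Frame(None, None, offset, False, protection)
        # Bare "name+0x..." with no path: keep the name as the module (assumption).
        return Frame(symbol, None, offset, True, protection)
    # HarfangLab repeats the file name as the symbol when no export was resolved
    # ("rpcss.dll!rpcss.dll+0x64a24"); treat that as an unresolved symbol (assumption).
    if symbol.lower() == ntpath.basename(module).lower():
        symbol = None
    return Frame(module, symbol, offset, True, protection)


def parse_elastic(ext: dict) -> List[Frame]:
    """Parse the Elastic 'process.thread.Ext' object into frames."""
    return [parse_frame(f["symbol_info"], f.get("protection")) for f in ext["call_stack"]]


def parse_harfanglab(stacktrace: str) -> List[Frame]:
    """Parse HarfangLab's '|'-joined stacktrace string; '[...]' marks elision in the sample."""
    return [parse_frame(f) for f in stacktrace.split("|") if f and f != "[...]"]


def module_chain(frames: List[Frame], collapse_repeats: bool = True, lowercase: bool = True) -> str:
    """Rebuild a vendor-style summary: Elastic lower-cases and collapses repeated modules,
    HarfangLab's stacktrace_minimal keeps case and repeats."""
    names: List[str] = []
    for fr in frames:
        name = ntpath.basename(fr.module) if fr.backed else "Unbacked"
        if lowercase and fr.backed:
            name = name.lower()
        if collapse_repeats and names and names[-1] == name:
            continue
        names.append(name)
    return "|".join(names)


def contains_unbacked(frames: List[Frame]) -> bool:
    """True if any return address in the stack is not backed by a file on disk."""
    return any(not fr.backed for fr in frames)


def rwx_unbacked_frames(frames: List[Frame]) -> List[Frame]:
    """Unbacked frames the sensor reported as RWX: the strongest signal in the Elastic sample."""
    return [fr for fr in frames if not fr.backed and fr.protection == "RWX"]


# Constructed from the Elastic sample in this thread; callsite byte fields omitted.
ELASTIC_EXT = json.loads(r'''{
    "call_stack_summary": "ntdll.dll|kernelbase.dll|kernel32.dll|Unbacked",
    "call_stack_contains_unbacked": true,
    "call_stack": [
        { "symbol_info": "C:\\Windows\\System32\\ntdll.dll!NtCreateUserProcess+0x14" },
        { "symbol_info": "C:\\Windows\\System32\\KernelBase.dll!CreateProcessInternalW+0x1610" },
        { "symbol_info": "C:\\Windows\\System32\\KernelBase.dll!CreateProcessW+0x66" },
        { "symbol_info": "C:\\Windows\\System32\\kernel32.dll!CreateProcessW+0x53" },
        { "symbol_info": "Unbacked+0x15e2d7", "protection": "RWX" }
    ]
}''')

# Constructed from the HarfangLab sample in this thread (already elided by its author).
HARFANGLAB = json.loads(r'''{
    "stacktrace_minimal": "ntdll.dll|KernelBase.dll|KernelBase.dll|rpcss.dll|rpcss.dll|[...]",
    "stacktrace": "C:\\Windows\\System32\\ntdll.dll!ZwCreateUserProcess+0xa|C:\\Windows\\System32\\KernelBase.dll!CreateProcessInternalW+0x1a9e|C:\\Windows\\System32\\KernelBase.dll!CreateProcessAsUserW+0x2d|C:\\Windows\\System32\\rpcss.dll!rpcss.dll+0x64a24|C:\\Windows\\System32\\rpcss.dll!rpcss.dll+0x2dc2a|C:\\Windows\\System32\\rpcss.dll!rpcss.dll+0x2da9a|[...]"
}''')


if __name__ == "__main__":
    el = parse_elastic(ELASTIC_EXT)
    print("elastic:", module_chain(el), "unbacked RWX frames:", len(rwx_unbacked_frames(el)))
    hl = parse_harfanglab(HARFANGLAB["stacktrace"])
    print("harfanglab:", module_chain(hl, collapse_repeats=False, lowercase=False))
```

Both samples describe the same kernel path (NtCreateUserProcess / ZwCreateUserProcess reached through KernelBase), so a rule written against the normalised Frame list, rather than against each vendor's string format, carries over between the two sensors; the only field one vendor has and the other does not is Elastic's per-frame protection.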

tsale (Owner) commented Oct 29, 2024

That's great @pixmaip! Thanks for sharing, a couple of screenshots would be nice. You can send them here or privately to me. 🙏

tsale (Owner) commented Oct 29, 2024

@maximelb (LimaCharlie) ❌
@MyPeaches, @zbeastofburden (Trend Micro) ❌
@joshlemon-uptycs (Uptycs) ❌
@pep-un (Cortex XDR)
@idev (Symantec) ❌
@j91321 (ESET) ❌
@thiboog (Sentinel One)
@QueenSquishy (Carbon Black) ❌
@alwashali (Cybereason)
@mthcht (Trellix) ❌

Hey everyone! Could you help speed up adding this new sub-category by answering the question below for the EDR assigned to you? Thank you! 🙏

Does your EDR include Process Call Stack Telemetry events?

j91321 (Contributor) commented Oct 29, 2024

@tsale For ESET Inspect the answer is no.

idev (Contributor) commented Oct 30, 2024

@tsale I am not aware that Symantec is supporting this, so the answer is no.

igecko-oss commented

For Carbon Black the answer is no as well.

tsale (Owner) commented Nov 6, 2024

I also checked LC and I can't find evidence of stack trace.

mthcht (Contributor) commented Nov 6, 2024

@tsale I'm not seeing this telemetry with Trellix EDR.

joshlemon-uptycs (Contributor) commented

@tsale Uptycs can't log Process Call Stacks at this point, so it's a No for Uptycs.

Labels: under review (Evaluating proposal)