Fix #90 v1.8.0 beta5 bug

Fix #91 Correlate and enrich Microsoft-Windows-Kernel-File ETW logs

Author: qjerome

event/event.go

@@ -81,10 +81,35 @@ func (e *EdrEvent) GetInt(p engine.XPath) (i int64, ok bool) {
 			return
 		}
 	}
+	return
+}
+
+func (e *EdrEvent) GetIntOr(p engine.XPath, or int64) (i int64, ok bool) {
+	if i, ok = e.GetInt(p); ok {
+		return
+	}
+	return or, ok
+}
+
+func (e *EdrEvent) GetUint(p engine.XPath) (i uint64, ok bool) {
+	var s string
+	var err error
 
+	if s, ok = e.GetString(p); ok {
+		if i, err = strconv.ParseUint(s, 0, 64); err == nil {
+			return
+		}
+	}
 	return
 }
 
+func (e *EdrEvent) GetUintOr(p engine.XPath, or uint64) (i uint64, ok bool) {
+	if i, ok = e.GetUint(p); ok {
+		return
+	}
+	return or, ok
+}
+
 func (e *EdrEvent) GetBool(p engine.XPath) (b bool, ok bool) {
 	var s string
 	var err error

hids/eventids.go

@@ -35,3 +35,60 @@ const (
 	// https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663
 	SecurityAccessObject = 4663
 )
+
+// Microsoft-Windows-Kernel-File/Analytic
+const (
+	KernelFileNameCreate int64 = iota + 10
+	KernelFileNameDelete
+	KernelFileCreate
+	KernelFileCleanup
+	KernelFileClose
+	KernelFileRead
+	KernelFileWrite
+	KernelFileSetInformation
+	KernelFileSetDelete
+	KernelFileRename
+	KernelFileDirEnum
+	KernelFileFlush
+	KernelFileQueryInformation
+	KernelFileFSCTL
+	KernelFileOperationEnd
+	KernelFileDirNotify
+	KernelFileDeletePath
+	KernelFileRenamePath
+	KernelFileSetLinkPath
+	KernelFileCreateNewFile
+	KernelFileSetSecurity
+	KernelFileQuerySecurity
+	KernelFileSetEA
+	KernelFileQueryEA
+)
+
+var (
+	KernelFileOperations = map[int64]string{
+		KernelFileNameCreate:       "NameCreate",
+		KernelFileNameDelete:       "NameDelete",
+		KernelFileCreate:           "Create",
+		KernelFileCleanup:          "Cleanup",
+		KernelFileClose:            "Close",
+		KernelFileRead:             "Read",
+		KernelFileWrite:            "Write",
+		KernelFileSetInformation:   "SetInformation",
+		KernelFileSetDelete:        "SetDelete",
+		KernelFileRename:           "Rename",
+		KernelFileDirEnum:          "DirEnum",
+		KernelFileFlush:            "Flush",
+		KernelFileQueryInformation: "QueryInformation",
+		KernelFileFSCTL:            "FSCTL",
+		KernelFileOperationEnd:     "OperationEnd",
+		KernelFileDirNotify:        "DirNotify",
+		KernelFileDeletePath:       "DeletePath",
+		KernelFileRenamePath:       "RenamePath",
+		KernelFileSetLinkPath:      "SetLinkPath",
+		KernelFileCreateNewFile:    "CreateNewFile",
+		KernelFileSetSecurity:      "SetSecurity",
+		KernelFileQuerySecurity:    "QuerySecurity",
+		KernelFileSetEA:            "SetEA",
+		KernelFileQueryEA:          "QueryEA",
+	}
+)

hids/filters.go

@@ -5,11 +5,10 @@ import (
 	"github.com/0xrawsec/whids/event"
 )
 
+//Sysmon related
 var (
 	// sysmonChannel Sysmon windows event log channel
 	sysmonChannel = "Microsoft-Windows-Sysmon/Operational"
-	// securityChannel Security windows event log channel
-	securityChannel = "Security"
 
 	// Filters definitions
 	fltAnyEvent = NewFilter([]int64{}, "")
@@ -40,11 +39,30 @@ var (
 		SysmonFileDelete,
 		SysmonFileDeleteDetected},
 		sysmonChannel)
+)
 
+// Security channel related
+var (
+	// securityChannel Security windows event log channel
+	securityChannel = "Security"
 	// Security filters
 	fltFSObjectAccess = NewFilter([]int64{SecurityAccessObject}, securityChannel)
 )
 
+// ETW Kernel File related
+var (
+	kernelFileChannel = "Microsoft-Windows-Kernel-File/Analytic"
+	/*fltKernelFile     = NewFilter([]int64{
+	KernelFileCreate,
+	KernelFileClose,
+	KernelFileRead,
+	KernelFileWrite},
+	kernelFileChannel)
+	*/
+	fltKernelFile = NewFilter([]int64{},
+		kernelFileChannel)
+)
+
 // Filter structure
 type Filter struct {
 	EventIDs *datastructs.SyncedSet

hids/hids.go

@@ -159,10 +159,11 @@ func NewHIDS(c *Config) (h *HIDS, err error) {
 	// fixing local audit policies if necessary
 	h.config.AuditConfig.Configure()
 
-	// tries to update the engine
+	// update and load engine
 	if err := h.update(true); err != nil {
 		return h, err
 	}
+
 	return h, nil
 }
 
@@ -194,26 +195,22 @@ func (h *HIDS) initHooks(advanced bool) {
 		h.preHooks.Hook(hookFileSystemAudit, fltFSObjectAccess)
 		// Must be run the last as it depends on other filters
 		h.preHooks.Hook(hookEnrichAnySysmon, fltAnySysmon)
-		// Not sastifying results with Sysmon 11.11 we should try enabling this on newer versions
-		//h.preHooks.Hook(HookDNS, fltDNS)
-		//h.preHooks.Hook(hookEnrichDNSSysmon, fltNetworkConnect)
-		// Experimental
-		//h.preHooks.Hook(hookSetValueSize, fltRegSetValue)
+		h.preHooks.Hook(hookKernelFiles, fltKernelFile)
 
 		// This hook must run before action handling as we want
 		// the gene score to be set before an eventual reporting
 		h.postHooks.Hook(hookUpdateGeneScore, fltAnyEvent)
-		// Handles actions defined in rules for any Sysmon event
-		/*if h.config.Endpoint {
-			h.postHooks.Hook(hookHandleActions, fltAnyEvent)
-		}*/
 	}
 }
 
 func (h *HIDS) update(force bool) (last error) {
+	var reloadRules, reloadContainers bool
 
-	reloadRules := h.needsRulesUpdate()
-	reloadContainers := h.needsIoCsUpdate()
+	// check that we are connected to any manager
+	if h.config.IsForwardingEnabled() {
+		reloadRules = h.needsRulesUpdate()
+		reloadContainers = h.needsIoCsUpdate()
+	}
 
 	// check if we need rule update
 	if reloadRules {
@@ -309,7 +306,8 @@ func (h *HIDS) needsRulesUpdate() bool {
 	var oldSha256, sha256 string
 	_, rulesSha256Path := h.config.RulesConfig.RulesPaths()
 
-	if h.forwarder.Local {
+	// Don't need update if not connected to a manager
+	if h.config.IsForwardingEnabled() {
 		return false
 	}
 
@@ -326,6 +324,11 @@ func (h *HIDS) needsRulesUpdate() bool {
 func (h *HIDS) needsIoCsUpdate() bool {
 	var localSha256, remoteSha256 string
 
+	// Don't need update if not connected to a manager
+	if h.config.IsForwardingEnabled() {
+		return false
+	}
+
 	container := api.IoCContainerName
 	_, locContSha256Path := h.containerPaths(container)
 

hids/hookdefs.go

@@ -294,7 +294,7 @@ func hookUpdateGeneScore(h *HIDS, e *event.EdrEvent) {
 		return
 	}
 
-	if t := processTrackFromEvent(h, e); t != nil {
+	if t := processTrackFromEvent(h, e); !t.IsZero() {
 		if d := e.GetDetection(); d != nil {
 			t.ThreatScore.Update(d)
 		}
@@ -684,3 +684,48 @@ func hookClipboardEvents(h *HIDS, e *event.EdrEvent) {
 		}
 	}
 }
+
+var (
+	pathKernelFileFileObject = engine.Path("/Event/EventData/FileObject")
+	pathKernelFileFileName   = engine.Path("/Event/EventData/FileName")
+)
+
+func hookKernelFiles(h *HIDS, e *event.EdrEvent) {
+
+	// Enrich all events with Sysmon Info
+	pt := h.processTracker.GetByPID(int64(e.Event.System.Execution.ProcessID))
+
+	// We enrich event with other data
+	e.SetIfOr(pathSysmonProcessGUID, pt.ProcessGUID, !pt.IsZero(), "?")
+	e.SetIfOr(pathSysmonImage, pt.Image, !pt.IsZero(), "?")
+	e.SetIfOr(pathSysmonCommandLine, pt.CommandLine, !pt.IsZero(), "?")
+	// put hashes in ImageHashes field to avoid confusion in analyst's mind
+	// not to think it is file content hashes
+	e.SetIfOr(pathImageHashes, pt.hashes, !pt.IsZero(), "?")
+	e.SetIfOr(pathSysmonProcessId, toString(pt.PID), !pt.IsZero(), toString(-1))
+	e.SetIfOr(pathSysmonIntegrityLevel, pt.IntegrityLevel, !pt.IsZero(), "?")
+	e.SetIfOr(pathSysmonUser, pt.User, !pt.IsZero(), "?")
+	e.SetIfOr(pathServices, pt.Services, !pt.IsZero(), "?")
+	e.Set(pathSysmonEventType, KernelFileOperations[e.EventID()])
+
+	if e.EventID() == KernelFileCreate {
+		// We track file
+		h.processTracker.AddKernelFile(KernelFileFromEvent(e))
+	} else {
+		var fo uint64
+		var ok bool
+
+		// We correlate with the filename
+		if fo, ok = e.GetUint(pathKernelFileFileObject); ok {
+			fileName := "?"
+			if kf, ok := h.processTracker.GetKernelFile(fo); ok {
+				fileName = kf.FileName
+			}
+			e.Set(pathKernelFileFileName, fileName)
+		}
+		// We delete entry in tracking structure
+		if e.EventID() == KernelFileClose {
+			h.processTracker.DelKernelFile(fo)
+		}
+	}
+}

hids/paths.go

@@ -72,6 +72,7 @@ var (
 	pathSysmonTargetImage       = engine.Path("/Event/EventData/TargetImage")
 
 	// EventID 12,13,14: Registry
+	pathSysmonEventType    = engine.Path("/Event/EventData/EventType")
 	pathSysmonTargetObject = engine.Path("/Event/EventData/TargetObject")
 	pathSysmonDetails      = engine.Path("/Event/EventData/Details")