MISP integration

Author: qjerome

collector/manager.go

@@ -16,6 +16,7 @@ import (
 	"time"
 
 	"github.com/0xrawsec/gene/engine"
+	"github.com/0xrawsec/golang-misp/misp"
 	"github.com/0xrawsec/golang-utils/datastructs"
 	"github.com/0xrawsec/golang-utils/fsutil"
 	"github.com/0xrawsec/golang-utils/fsutil/fswalker"
@@ -38,9 +39,12 @@ const (
 )
 
 var (
-	guidRe      = regexp.MustCompile(`\{[A-F0-9]{8}-([A-F0-9]{4}-){3}[A-F0-9]{12}\}`)
-	eventHashRe = regexp.MustCompile(`[a-f0-9]{32,}`) // at least md5
+	guidRe      = regexp.MustCompile(`(?i:\{[a-f0-9]{8}-([a-f0-9]{4}-){3}[a-f0-9]{12}\})`)
+	eventHashRe = regexp.MustCompile(`(?i:[a-f0-9]{32,})`) // at least md5
 	filenameRe  = regexp.MustCompile(`[\w\s\.-]+`)
+	// MISP container related
+	mispContName    = "misp"
+	mispTextExports = []string{"md5", "sha1", "sha256", "domain", "hostname"}
 )
 
 //////////////////////// FileUpload
@@ -157,15 +161,16 @@ func KeyGen(size int) string {
 
 // ManagerConfig defines manager's configuration structure
 type ManagerConfig struct {
-	Host          string    `json:"host"`
-	Port          int       `json:"port"`
-	Logfile       string    `json:"logfile"`
-	Key           string    `json:"key"`
-	Authorized    []string  `json:"authorized"`
-	TLS           TLSConfig `json:"tls"`
-	RulesDir      string    `json:"rules-dir"`
-	DumpDir       string    `json:"dump-dir"`
-	ContainersDir string    `json:"containers-dir"`
+	Host          string          `json:"host"`
+	Port          int             `json:"port"`
+	Logfile       string          `json:"logfile"`
+	Key           string          `json:"key"`
+	Authorized    []string        `json:"authorized"`
+	TLS           TLSConfig       `json:"tls"`
+	MISP          misp.MispConfig `json:"misp"`
+	RulesDir      string          `json:"rules-dir"`
+	DumpDir       string          `json:"dump-dir"`
+	ContainersDir string          `json:"containers-dir"`
 }
 
 // Manager structure definition
@@ -179,6 +184,7 @@ type Manager struct {
 	authorized    datastructs.SyncedSet
 	logfile       logfile.LogFile
 	tls           TLSConfig
+	misp          misp.MispConfig
 	srv           *http.Server
 	stop          chan bool
 	done          bool
@@ -208,7 +214,9 @@ func NewManager(c *ManagerConfig) (*Manager, error) {
 	if err = c.TLS.Verify(); err != nil && !c.TLS.Empty() {
 		return nil, err
 	}
+
 	m.tls = c.TLS
+	m.misp = c.MISP
 
 	// Containers initialization
 	m.containersDir = c.ContainersDir
@@ -286,6 +294,24 @@ func (m *Manager) updateRules() {
 	m.rulesSha256 = hex.EncodeToString(sha256.Sum(nil))
 }
 
+func (m *Manager) updateMispContainer() {
+	c := misp.NewCon(m.misp.Proto, m.misp.Host, m.misp.APIKey)
+	mispContainer := make([]string, 0)
+	for _, expType := range mispTextExports {
+		log.Infof("Downloading %s attributes from MISP", expType)
+		exps, err := c.TextExport(expType)
+		if err != nil {
+			log.Errorf("MISP failed to export %s IDS attributes: %s", expType, err)
+			log.Errorf("Aborting MISP container update")
+			return
+		}
+		mispContainer = append(mispContainer, exps...)
+	}
+	// Update the MISP container
+	m.containers[mispContName] = mispContainer
+	m.containersSha256[mispContName] = Sha256StringArray(mispContainer)
+}
+
 // AddAuthKey adds an authorized key to access the manager
 func (m *Manager) AddAuthKey(key string) {
 	m.authorized.Add(key)
@@ -340,6 +366,16 @@ func (m *Manager) authorizationMiddleware(next http.Handler) http.Handler {
 
 // Run starts a new thread spinning the receiver
 func (m *Manager) Run() {
+	go func() {
+		for !m.done {
+			if m.misp.Host != "" {
+				log.Infof("Starting MISP container update routine")
+				m.updateMispContainer()
+				log.Infof("MISP container update routine finished")
+			}
+			time.Sleep(time.Hour)
+		}
+	}()
 	go func() {
 		// If we fail due to server crash we properly shutdown
 		// the receiver to avoid log corruption

go.mod

@@ -3,15 +3,13 @@ module github.com/0xrawsec/whids
 require (
 	github.com/0xrawsec/gene v1.6.2
 	github.com/0xrawsec/golang-evtx v1.2.1
+	github.com/0xrawsec/golang-misp v1.0.3
 	github.com/0xrawsec/golang-utils v1.1.8
 	github.com/0xrawsec/golang-win32 v1.0.3
 	github.com/0xrawsec/mux v1.6.2
 	github.com/DataDog/zstd v1.4.1 // indirect
 	github.com/pierrec/lz4 v2.2.6+incompatible // indirect
 	github.com/segmentio/kafka-go v0.3.2 // indirect
-	golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586 // indirect
-	golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 // indirect
-	golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a
-	golang.org/x/tools v0.0.0-20190821162956-65e3620a7ae7 // indirect
+	golang.org/x/sys v0.0.0-20190909082730-f460065e899a
 	golang.org/x/tools/gopls v0.1.0 // indirect
 )

go.sum

@@ -18,6 +18,10 @@ github.com/0xrawsec/golang-evtx v1.2.0 h1:SFv2zXo3Z9PWsY4yLIWcM8KkEsib2LnWsYgcC8
 github.com/0xrawsec/golang-evtx v1.2.0/go.mod h1:RD+lv9ndoM/7XwvS5XViI51yAp5PDtVVJf8FM6Muro0=
 github.com/0xrawsec/golang-evtx v1.2.1 h1:mPwUavxoQx8r1EZN3Qre9vAEzDnIiHJQ/qufpsOT4fo=
 github.com/0xrawsec/golang-evtx v1.2.1/go.mod h1:RD+lv9ndoM/7XwvS5XViI51yAp5PDtVVJf8FM6Muro0=
+github.com/0xrawsec/golang-misp v1.0.2 h1:p41LDUEVujHgh2TUuYKIBE14+n9JQen4MMiK5dV0/do=
+github.com/0xrawsec/golang-misp v1.0.2/go.mod h1:bF7MZPgPQFPtsXPvRLcIdrs09fZV7zYDRBKpLltd6oA=
+github.com/0xrawsec/golang-misp v1.0.3 h1:Y8fciKDbcRFPfmWOqlEaSOjJwe5Khx9v6FE5VDCCgNI=
+github.com/0xrawsec/golang-misp v1.0.3/go.mod h1:bF7MZPgPQFPtsXPvRLcIdrs09fZV7zYDRBKpLltd6oA=
 github.com/0xrawsec/golang-utils v1.1.0 h1:opQAwRONEfxOOl4nxhpPkXiTYgzAw0/wFATAffNjdII=
 github.com/0xrawsec/golang-utils v1.1.0/go.mod h1:DADTtCFY10qXjWmUVhhJqQIZdSweaHH4soYUDEi8mj0=
 github.com/0xrawsec/golang-utils v1.1.1 h1:HlwVs5lHl5rK2DhB1eDlf+J9hOKBHEObQCWXFcQ4GE0=
@@ -48,15 +52,23 @@ github.com/0xrawsec/mux v1.6.2 h1:cc2OyJTxRmXxsmQe2ulp0VndXV8vZIRrc1JqQzJ4BMI=
 github.com/0xrawsec/mux v1.6.2/go.mod h1:CiOvEAd+RMn8YOtCs1b5QfWe7P8G4olvTmzzNbERonY=
 github.com/DataDog/zstd v1.4.0/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo=
 github.com/DataDog/zstd v1.4.1/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU=
 github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pierrec/lz4 v2.2.6+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/sftp v1.10.0/go.mod h1:NxmoDg/QLVWluQDUYG7XBZTLUpKeFa8e3aMf1BfjyHk=
+github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/segmentio/kafka-go v0.2.2/go.mod h1:X6itGqS9L4jDletMsxZ7Dz+JFWxM6JHfPOCvTvk+EJo=
 github.com/segmentio/kafka-go v0.3.2/go.mod h1:OT5KXBPbaJJTcvokhWR2KFmm0niEx3mnccTwjmLvSi4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I=
 github.com/xdg/stringprep v1.0.0/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -68,6 +80,8 @@ golang.org/x/crypto v0.0.0-20190513172903-22d7a77e9e5f/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190909091759-094676da4a83/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190320064053-1272bf9dcd53/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190326090315-15845e8f865b/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -78,7 +92,10 @@ golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190909003024-a7b16738d86b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190912160710-24e19bdeb0f2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190321052220-f7bb7a8bee54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190322080309-f49334f85ddc/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -100,6 +117,14 @@ golang.org/x/sys v0.0.0-20190712062909-fae7ac547cb7 h1:LepdCS8Gf/MVejFIt8lsiexZA
 golang.org/x/sys v0.0.0-20190712062909-fae7ac547cb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a h1:aYOabOQFp6Vj6W1F80affTUvO9UxmJRx8K0gsfABByQ=
 golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190909082730-f460065e899a h1:mIzbOulag9/gXacgxKlFVwpCOWSfBT3/pDyyCwGA9as=
+golang.org/x/sys v0.0.0-20190909082730-f460065e899a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190910064555-bbd175535a8b h1:3S2h5FadpNr0zUUCVZjlKIEYF+KaX/OBplTGo89CYHI=
+golang.org/x/sys v0.0.0-20190910064555-bbd175535a8b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190911201528-7ad0cfa0b7b5 h1:SW/0nsKCUaozCUtZTakri5laocGx/5bkDSSLrFUsa5s=
+golang.org/x/sys v0.0.0-20190911201528-7ad0cfa0b7b5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190912141932-bc967efca4b8 h1:41hwlulw1prEMBxLQSlMSux1zxJf07B3WPsdjJlKZxE=
+golang.org/x/sys v0.0.0-20190912141932-bc967efca4b8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -120,5 +145,12 @@ golang.org/x/tools v0.0.0-20190718200317-82a3ea8a504c/go.mod h1:jcCCGcm9btYwXyDq
 golang.org/x/tools v0.0.0-20190719005602-e377ae9d6386/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI=
 golang.org/x/tools v0.0.0-20190820203921-3aeeb259764d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190821162956-65e3620a7ae7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20190909194007-75be6cdcda07/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20190911202209-63a3583f646f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20190912185636-87d9f09c5d89/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools/gopls v0.1.0/go.mod h1:p8Q0IUu6EEeGxqmoN/g6Et3gReLCGA7PtNRdyOxcWJE=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

tools/whids/hookdefs.go

@@ -714,7 +714,7 @@ func hookSetValueSize(e *evtx.GoEvtxMap) {
 	}
 }
 
-func hookNetwork(e *evtx.GoEvtxMap) {
+/*func hookNetwork(e *evtx.GoEvtxMap) {
 	// Default value
 	e.Set(&pathSysmonCommandLine, "?")
 	if guid, err := e.GetString(&pathSysmonProcessGUID); err == nil {
@@ -723,7 +723,7 @@ func hookNetwork(e *evtx.GoEvtxMap) {
 			e.Set(&pathSysmonCommandLine, pt.CommandLine)
 		}
 	}
-}
+}*/
 
 func hookEnrichAnySysmon(e *evtx.GoEvtxMap) {
 	eventID := e.EventID()
@@ -762,14 +762,25 @@ func hookEnrichAnySysmon(e *evtx.GoEvtxMap) {
 				}
 			}
 		}
+		break
 
 	default:
+		hasComLine := true
 		// Default Values for the fields
 		e.Set(&pathSysmonUser, "?")
 		e.Set(&pathSysmonIntegrityLevel, "?")
 
+		if _, err := e.GetString(&pathSysmonCommandLine); err != nil {
+			e.Set(&pathSysmonCommandLine, "?")
+			hasComLine = false
+		}
+
 		if guid, err := e.GetString(&pathSysmonProcessGUID); err == nil {
 			if track := processTracker.GetByGuid(guid); track != nil {
+				// if event does not have command line
+				if !hasComLine {
+					e.Set(&pathSysmonCommandLine, track.CommandLine)
+				}
 				e.Set(&pathSysmonUser, track.User)
 				e.Set(&pathSysmonIntegrityLevel, track.IntegrityLevel)
 			}
@@ -980,57 +991,28 @@ func hookDumpFile(e *evtx.GoEvtxMap) {
 		dumpEventAndCompress(e, guid)
 
 		switch e.EventID() {
-		case 1:
-			if cl, err := e.GetString(&pathSysmonCommandLine); err == nil {
-				if cwd, err := e.GetString(&pathSysmonCurrentDirectory); err == nil {
-					if argv, err := utils.ArgvFromCommandLine(cl); err == nil {
-						if len(argv) > 1 {
-							for _, arg := range argv[1:] {
-								if fsutil.IsFile(arg) && !utils.IsPipePath(arg) {
-									if err = dumpFileAndCompress(arg, dumpPath); err != nil {
-										log.Errorf("Error dumping file from EventID=%d \"%s\": %s", e.EventID(), arg, err)
-									}
-								}
-								// try to dump a path relative to CWD
-								relarg := filepath.Join(cwd, arg)
-								if fsutil.IsFile(relarg) && !utils.IsPipePath(relarg) {
-									if err = dumpFileAndCompress(relarg, dumpPath); err != nil {
-										log.Errorf("Error dumping file from EventID=%d \"%s\": %s", e.EventID(), relarg, err)
-									}
-								}
-							}
-						}
-					}
-				}
-			}
-			if im, err := e.GetString(&pathSysmonImage); err == nil {
-				if err = dumpFileAndCompress(im, dumpPath); err != nil {
-					log.Errorf("Error dumping file from EventID=%d \"%s\": %s", e.EventID(), im, err)
-				}
-			}
-			if pim, err := e.GetString(&pathSysmonParentImage); err == nil {
-				if err = dumpFileAndCompress(pim, dumpPath); err != nil {
-					log.Errorf("Error dumping file from EventID=%d \"%s\": %s", e.EventID(), pim, err)
-				}
-			}
+
 		case 2, 11, 15:
 			if target, err := e.GetString(&pathSysmonTargetFilename); err == nil {
 				if err = dumpFileAndCompress(target, dumpPath); err != nil {
 					log.Errorf("Error dumping file from EventID=%d \"%s\": %s", e.EventID(), target, err)
 				}
 			}
+
 		case 6:
 			if im, err := e.GetString(&pathSysmonImageLoaded); err == nil {
 				if err = dumpFileAndCompress(im, dumpPath); err != nil {
 					log.Errorf("Error dumping file from EventID=%d \"%s\": %s", e.EventID(), im, err)
 				}
 			}
+
 		case 10:
 			if sim, err := e.GetString(&pathSysmonSourceImage); err == nil {
 				if err = dumpFileAndCompress(sim, dumpPath); err != nil {
 					log.Errorf("Error dumping file from EventID=%d \"%s\": %s", e.EventID(), sim, err)
 				}
 			}
+
 		case 13, 20:
 			// for event ID 13
 			path := &pathSysmonDetails
@@ -1049,6 +1031,40 @@ func hookDumpFile(e *evtx.GoEvtxMap) {
 					}
 				}
 			}
+
+		default:
+			if cl, err := e.GetString(&pathSysmonCommandLine); err == nil {
+				if cwd, err := e.GetString(&pathSysmonCurrentDirectory); err == nil {
+					if argv, err := utils.ArgvFromCommandLine(cl); err == nil {
+						if len(argv) > 1 {
+							for _, arg := range argv[1:] {
+								if fsutil.IsFile(arg) && !utils.IsPipePath(arg) {
+									if err = dumpFileAndCompress(arg, dumpPath); err != nil {
+										log.Errorf("Error dumping file from EventID=%d \"%s\": %s", e.EventID(), arg, err)
+									}
+								}
+								// try to dump a path relative to CWD
+								relarg := filepath.Join(cwd, arg)
+								if fsutil.IsFile(relarg) && !utils.IsPipePath(relarg) {
+									if err = dumpFileAndCompress(relarg, dumpPath); err != nil {
+										log.Errorf("Error dumping file from EventID=%d \"%s\": %s", e.EventID(), relarg, err)
+									}
+								}
+							}
+						}
+					}
+				}
+			}
+			if im, err := e.GetString(&pathSysmonImage); err == nil {
+				if err = dumpFileAndCompress(im, dumpPath); err != nil {
+					log.Errorf("Error dumping file from EventID=%d \"%s\": %s", e.EventID(), im, err)
+				}
+			}
+			if pim, err := e.GetString(&pathSysmonParentImage); err == nil {
+				if err = dumpFileAndCompress(pim, dumpPath); err != nil {
+					log.Errorf("Error dumping file from EventID=%d \"%s\": %s", e.EventID(), pim, err)
+				}
+			}
 		}
 	}()
 }

tools/whids/whids.go

@@ -298,7 +298,8 @@ func (h *HIDS) initHooks(advanced bool) {
 		h.preHooks.Hook(hookEnrichServices, fltAnySysmon)
 		// Not needed anymore enrich sysmon embeds necessary information
 		//h.preHooks.Hook(hookProcessAccess, fltProcessAccess)
-		h.preHooks.Hook(hookNetwork, fltNetworkConnect)
+		// should be treated by hookEnrichAnySysmon
+		//h.preHooks.Hook(hookNetwork, fltNetworkConnect)
 		h.preHooks.Hook(hookEnrichAnySysmon, fltAnySysmon)
 		//h.preHooks.Hook(hookSetValueSize, fltRegSetValue)