From 33acb3c392471596daf773608b250b188ac38480 Mon Sep 17 00:00:00 2001
From: Dan Kortschak <90160302+efd6@users.noreply.github.com>
Date: Tue, 25 Jan 2022 07:11:34 +1030
Subject: [PATCH] x-pack/winlogbeat/module/sysmon: add eventid 26 handler (#29957)
---
 CHANGELOG.next.asciidoc | 1 +
 .../module/sysmon/ingest/sysmon.yml | 7 +-
 .../sysmon-11-filedeletedetected.evtx | Bin 0 -> 69632 bytes
 ...mon-11-filedeletedetected.evtx.golden.json | 146 ++++++++++++++++++
 4 files changed, 153 insertions(+), 1 deletion(-)
 create mode 100644 x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedeletedetected.evtx
 create mode 100644 x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedeletedetected.evtx.golden.json
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 27ca724a282..1efe08acb2b 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -198,6 +198,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Winlogbeat*
 - Add support for custom XML queries {issue}1054[1054] {pull}29330[29330]
+- Add support for sysmon event ID 26; FileDeleteDetected. {issue}26280[26280] {pull}29957[29957]
 *Elastic Log Driver*
diff --git a/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml b/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml
index db28eb13cf7..2ace6b3f66d 100644
--- a/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml
+++ b/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml
@@ -146,6 +146,11 @@ processors:
 - process
 type:
 - change
+ "26":
+ category:
+ - file
+ type:
+ - deletion
 tag: Add ECS categorization fields
 source: |-
 if (ctx?.event?.code == null || params.get(ctx.event.code) == null) {
@@ -237,7 +242,7 @@ processors:
 target_field: process.hash
 if: |-
 ctx?._temp?.hashes != null &&
- ["1", "23", "24", "25"].contains(ctx.event.code)
+ ["1", "23", "24", "25", "26"].contains(ctx.event.code)
 - rename:
 field: process.hash.imphash
 target_field: process.pe.imphash
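Review bot: In the second sysmon.yml hunk (`@@ -237,7 +242,7 @@`), adding `"26"` to the code list routes the Sysmon `Hashes` field of a FileDeleteDetected event into `process.hash`, but for the file-delete events that field presumably describes the deleted file rather than the process image (the golden output records `sysmon.file.is_executable` next to it, and the process there is `svchost.exe`), so the hash is likely mislabelled; the `rename` processor this condition belongs to starts above the hunk. If that reading holds, anyone correlating `process.hash.sha256` against known process executables would be matching a deleted file's hash instead, while `related.hash` remains correct either way. Consider splitting the rename so that codes 23 and 26 land in `file.hash` and only `["1", "24", "25"]` keep `process.hash`, as sketched below; the same question applies to the existing handling of code 23, which this change does not alter.
```yaml
  - rename:
      field: _temp.hashes
      target_field: process.hash
      if: |-
        ctx?._temp?.hashes != null &&
        ["1", "24", "25"].contains(ctx.event.code)
  - rename:
      field: _temp.hashes
      target_field: file.hash
      if: |-
        ctx?._temp?.hashes != null &&
        ["23", "26"].contains(ctx.event.code)
  # … unchanged: rename of process.hash.imphash to process.pe.imphash …
```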
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedeletedetected.evtx b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedeletedetected.evtx new file mode 100644 index 0000000000000000000000000000000000000000..8a0c028b129c8bc65928374648da252381ed6217 GIT binary patch literal 69632 zcmeI53w#yDy~pR|O&|%Vh_$pn%R3?DMG&dYQ{G?_xM+Ftt^Xa8 z_y0fh{m*}9XXZa!)>v2G&{(USTf8}N9rh80PXi;)B**>vS6}#B#&KUHyg--(VGe{j z5avLb17Qw?IS}SRm;+%BggFrAK$rtz4jeHD${OoR>YJD19^cyH%-;F=Ivjthzf!x> zm3s2em-jQtj(NxHSL}cHdiw=FmV{3!N*zd4YEOdw8>L3z_$29+i2mxZpSB(0oYj6L!S%q`F)dFr#oacnQQUfht2yLNL!9;KJB;;)AZIhOyJ>y zFDLixs-s4MD`*PuM?d*y%I<+XBN>s18W8!?9~z#MtMYxM|JCz9EZFq(7oXdI@D}_M zrYahwR^cswAh)LnB&ssCLe;8f)q&5q;+1rT`EpA}qFSk%R3pA@#}|o_d{vKR9jaBG zr^e#1T`j_qTBNDL`z-7maHLJO;8TmLL&_|CZo%=f>PmdqjD3#E#$O)ZWvfE`uk94y z9`z|Ma_G>{!AiKbR3)iObrr7Mp(QF6S9IvmeCQ=a-@Q6T&DPRaK-OZUYQwh$c$JGW zPWwWFnh9l_@TF4e=_-;m&)CDr!3pX@wOpTxuQF6dd{Mlbfn=*pii0)Dw#=HMO7Y!r zypm{gyv)eormBl@i5g^C1AcykR)JZUo}iNA(&JT9LZrVs8wbSFPwSVgE;h*;kWEX*Q`i||T`>Rfz~l5@oiDQX(Nz6#u0kdKRz?@XGg1}7lfXXC>0i0_OKMurp~`QHHx5|gzQODgW@Bpu$C@gQXZdX%k2tWkSbFX zE9c|VQ&lQ;xfv&kLwMjX{Z)xhMm-v}CX%hyNLOBNN_gtKsj3K9?1195mJa+<>$>U5 zDkF(bf!Oo^YmlO7>q`7h9w(*ITn-&-f(&sYPkpx^e!xnt_;M}C!aJFIfTp4@sXO`^ zn_Yy2?f5fVq^Oi6x>lmSc|r0VhYsaXFuWSUO>9ol8Px<+pmJ7OiA#(mBRgu;63F5;Iuvub7$=JB-I$dEh=j2m zX{?M>>I|ev5-(ggJxR^MFX1)KuNk0Dj!#G*q|QoECm|^ePQPHEiZ5;{YA{}d^!o(7 z<10m_>U20=AJ4|8fht2y#{LiSXCck$_%qvezZpau96>4PdeD}xes1G+VjWi(#EV{ zsjzI3{=stD*Ij?GpE!TMe`<5`{ED9ypKGAJUaN87MoD zV^Ub-(x4I3W}37by>;dO4pSC)8kZKQGI-8NbIwP*uHW7K7pu6mc$LERyf%Lit-@%Z z&}mw6X)q$DI?JS@jhIx4Fg#XDOYke>(h{w7xh5TdrAe2r-DR6j*P+V6hxyWsGg(8# zr6pNso@34&+;wIWjF6QctG{-nOtw;vH7Ti+kud8CpweKOtUPn@mx=v2{W(vaiTC-akjLTpc`6rYX5oJhD%YGT z4=sA)fp=<{-AW~^{V4b|@r%!d7n_6qWY}f}w5w9{RW)jtS#SwO*q@0KP=;?V#&;!n zSAy$SJ4#7)lq;vaYW&I-u#|d~8&=X;$QgP+ud`Vu=z8h+Dz%x?4OQEWdpfSP1V_Y- ztC4HWbDA`3SQdhDkh2({J8+H3&^`xwQJ^N_-2~)BA@ZgWR~!#53h*}p?{ZbK&Z`{o z<}v<0?#JPexjF%#$K%|5eT@PfV@h6ySIoovd|aaduY9B|!qxKeZ4tgN*T;%*HVY!R 
zi~gg6?KQUBMxgMShLt*Hy<5Ajw>;y4h|@DlJ5fC2&mxw3G2j{9%EmC12bPT+@H(2Z zkq^3A;F*g(%f>nR@6t1p(dDER)>;V5Eyk+= zmYj!k3iba|9Ld4?#oFe}@ID9mR*v*cQLIZ$8Ln4~YnSN%Wk|`AkcaOIbtxE!E0*CC zzhT+TLCN5!9DE+9uVNXZN*v7cv1N4W-{3zFU{(f4Ma;(=G3!Pi>#~iOi&a&3*fd3f~x#YKpt{jAliRFlm5%+YN zAV3esc0^`py=AfI-2v+wrXWA7y{uI2R$P<*g8NESPDd;%`Ja8|JIsCFy0eP@#QQuq ze?bo;EvbQc?`%m8H7%(^D9x7CZ0s*l^cVXM>^oq@Vg7(f+%!6C?Y{De`d$V1J0gv! zLhi=hs%WNg-@q-ARpX|RpK7!7t1=n-z~U!g4VIrsbmO-R3`Mh$pQHTgawp|)j^X!M z((*qB%TFZg!i9e*a(a6S?CMeEM6;0J;rLx__}w(^>jCo3^gYq{&+*jKL9k^=5`L|FdTfS+g<@^kQOvGbd6_&xOD%7FQaL^pn{|3tHp zpMzgi`(=UQ_ttAadOO(iClcNGjY0hHmq&l(D0ivW=FvMM4}fz(JbWW z;1{u%zeR@Ms?GQOJ=pRm65aT*|5`K)`8oLI*!e9s{Oa%h$LHS;bo^E%y7A-vgJ>4= zbMWi1^Q$%d`n_=T-NEt`iEjK_F~3nX3;8+tMcqHt8Ga}K<{JU?6Nz5@M6-~egI}7x z{4Fv3uATVKFM}HAXl z4!L*Vzv}G6#cC40o6LV|Fy*&n-bvNn%P;YAVme5AOyL&;CkNjTL@e_Lv?6Jj9h(xRYi&MKz{YQS)c!_2)%I~K6_g=KF z*fLGN|I6w-D)OhVeEf<#*8XY*4x6~uEAX}uVKTgbV)W(Zc>f9PJEJcdAKigSr8Y#z zFq*j1L@!yoa0L{LpZ?2HwY%0?&xs?i)h8?P)KpUg=4DTp`9LWB;3 zt6Ok=iSo>X%nHQca6>F5?S<{$?bx>%ySeCYKkcR=(mn1*BzoD6XcnV(V~?A4F*-C4?|2nCpAxE|y+rPw zr>`jgc@@5&fd7n6WaUz_3g$M-7&<|h)p_=#pAKL@|4`|x(d@6>BQ zA22_W=*3So3;8+tO}3Z64#RK7woL)^6Nz5@M6-~egWs8Ue#@o)yZwU80DanPb9we&6oGi`pJzYx83lQs!^%M&kH}%Ead0l zcY*M`2kfpi{MNj-#YcYQT>4Q&qWI5ohphXDS5Wru#PFkN7Nh*6A4PgDuu>cDW;=AR zh%$RwDa72@k%zvo!#OJrm)zI=%1Z&tViRzV@ir%(%^ybV*zeGLyDYCJjBE1q^(Qm8iXQO|) z%GmG2S^X~$wq6&Bmi;EEOygIiUJ%Xtfc^GvzeJq9URY)LO-&l?BfqgO^@2zg|0Dep zPhhFQ*;o=%G>cJw&UztT*9)y!M`{VGf!SDns|`JZTz!z6?(?+Q3s)O1yL{y`$E98n ziC$bpvl!)KuNR7Yv0kvqcCQ!gq)*&hVG4St3t^c}dIh~{=<9AnEnx4f&chf_F-B^t z(1$-A_Bs!J+l8i9Fk>=OFKmbHUSsUH{@GJ~^eaoXUx{A#OeA{QuV~f>>~|h~3Rm*& zaE!eiex#)*mP(&Ah8)>Wy%Y8QwT9=2AN$Gk6E6NpBzo}_&H4b(li-iscxIyg)r|EE zTaGY>))TVyL32=U{T?rybcFFTu5`;WH|oQ&uyV9S+w}NuCF;ax{Njeru`n}INIRrG zj==ukj6Lo@dx($z<@?&d>^-p8HZMRVdfB6B7Nhof{mNy3dUzqrzfyev-Jcztlk((( zAAEQCt512%3+Tb;5^q9ukRO_9&Xgs69$O1YfR>?D-LyTa?#%{|qKK7%sOK z?)I^L;5J`IBwAeJ(ad?jGjfIFO`=(hat{+ 
z)c(E0pXI}Hq+d}q3;8+5n{u~;8QWbfhc_91ZLjY5wtxKG#+yW<8m%!lkDq!ax%cm@|a>HBZ^n_CU9|MivE(n$C5ZIS53 zOEim7UUq*oFVcJS@P#-_a8GCATNc1GPRyD3d9cf3-K)rl+U2ULXt}Ttlp0$z@j0Tw z=K{{e=WL9F6roS@A~U+NnDHdE=RL6H+wkJ{!-P|P^gq{Y{}Vl~ArigpSv2bd_S_8r zy7(=T=*3wy>jRuez;C&6?&)~Pu@h&> zKXFDu#&?c_EWnrtpEOtl4>b+3L1Qt-T4emt7}_Q6llALojD4;;*H8Pj+CkC%P9o9E zK1H(_wNHD$6Wc&+3wg&MO4}z3wTrZr=uPx*Qx=-tS+3hub)YNVIrGufX+7^m&M8G0Mwc zZ}jdsMj^SeoyPs=48PUqwErkrej?F}pJ*2HbBtqjKL3pU=64!?3%69f;^H1&4EJpd+`x`l{hvOJ*Lw8_4kMuUObzOy?8E)uTw2xz~GhE`o z?qqRVr4pVQ?;uas_na5>dBgSI?S66{9_c>bArif~ie`O)>nX?8Z`f19 zEZHYQA7L)05M^W3g8Fc#^fdfmgfR+wn$hSZEKo~3`v{*HlCgV_eSX^A#vVr{SNYz4 ziS8#9iC*?7n#HI++VA(+c3~UF>L--C47W_3?HM?W*?L|K{RI8R7YvtGBmLy!=Kn>a z7Z=eiM!DGAFMj)ftESJk`~NQ*u46{~$<@vOi$pK3qFEo{8v1`P|BrRNhw63+{mebE z#V;9qJY%Mx_GsO|M*Dw}=w*+hS&Z7_(fa>fHJ&`kWi$4C&uvBKX(=!GHjk-9xBsK( zF^NPcm$&h(fhs&fKs1X{F3x@h`#dJ;SLj-WvTG$#8Oc+sf_%t{^FF?8IIX|XPfl*@ zh>AonPNG?ia5_WVZiM||`Bza#@YcfCVg)apcKe^GkDtY*Mipw zy^ipBHB!fJXQONu;%+`0<=I-BIG^~C5)o(Q#(IbQ4TfLM%%J&+L@$1#*}n|G@gSIY z1b(__M)(C($fM zIfd;zSs|Y5&vW&7uXW;&uYGr(8Yk^L+V%a$p09c%E+bgKBNDyrSu~4Ldp>@@qwo9W zzH+1CwA)usZhl83dT|oXVw6+pcY^UdXuXQxVY}z6#-5jV{HNOPTYr|@JT;MM*>jxg z|Iw~^`@d#%Y1Rkqxp(KO9g_Ac_YW9;C-3`l!2Cp_7eCP~ zn4($8&%v+K&hH_^@6V5aCt!Xe(JFmi|KGjUqqttdo87_{GEdGD4K=*9Q+#W{Jw7Zef|Dj0rL}yUi?I}ke`F!U^~A@ z4ZnT`*WMFs`4fr4@5O#yfuVW3iu$XQ{VG&F{MkPYQ2EoX;%Sb|cc2U^JOe5;q&|nd6H4 zVbhNpyUzcXpLTt#%e*g<=w;WUSs$?L4)~y>jVlzNb?g?*jAb0ydE`vqo57tvjoZWD z_LFy!iysq-lHg;OQ!%sW4+DFlGC?e6zPDQgAwNrZ>3fo4EL+ojt$fu`B zOA1dXAy_@@vGM zN~X2$3EBr^u|h#B{z~z_4)-|A@ofk0at1`~{?PAuZPPcf)A+qR;rH^4Jxxo@er6Az zB9nop-hjxuvx@#S4Bz(Fdh#P(+Rq}fC@=Byb1saimPy?2hNN}*A<gf5yT*2W=5vf{k>7S6FEwMmAzu5AoBQ zlw-Y4&$ym?T1`o0XGxh`Y2p6Q*7t4cfBYwaMq5~Qac zvfV|y%s2LU+ekm{ahc2gyGZo1N71Yg*yE*WBfH(t^<-V3cF)*SS@)xoSkbb+QvA$4 z;9Fq0-r+0POcy^R61}*JW_^I`>Am7-dP4Zb^);jQszA#TA)JfV$_mhznAf=qStdLb zycq3~{$?v|a=fw2sk{92H*WK`MWUBoie`PlE`6N0U1<1SF?`jp{A<6s@e_#_Kcy0; zS?!n2XqHqDP)all`8mc7qvowmF#NKvZ~k?#{6wM~zcndJiDn@`2fwI!Pv;qaNovHN 
zVEKte@t<$biY|YmS;+5j{3aTH!*`$lR;Ck@}RU*6;+U$^op5}k1sESFnQSVglwz_)krFQVEv7Z`rKJ~g;5 zSpO;#o#pduXq&e7Q%W=o`8oV+6u(ayeq}Egt_YT&NIY;#ZRNi5i2D9e?sr63{x~mD zGzkklsg-zjY8FY3@#7eCP~mpMzhUz5Go# z{C13we=1mhBGHZCxw!um%|d<-e$UwX%`p64x%=&>gXJd@z4(b{AwLH{y)FsnzZPK> zu?q8Sx#{N{Fy6?Y`SlU~+^dtVI~B!;31=YiAL2OUzX2nb9r({N&PmWK7h{%uRto2E YMn7reNO5zySVNdN!< literal 0 HcmV?d00001 diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedeletedetected.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedeletedetected.evtx.golden.json new file mode 100644 index 00000000000..be766c23f9b --- /dev/null +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedeletedetected.evtx.golden.json 
@@ -0,0 +1,146 @@ +[ + { + "@timestamp": "2022-01-24T05:12:34.328Z", + "event": { + "category": [ + "file" + ], + "code": "26", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "deletion" + ] + }, + "file": { + "directory": "C:\\Windows\\ServiceState\\EventLog\\Data", + "extension": "dat", + "name": "lastalive1.dat", + "path": "C:\\Windows\\ServiceState\\EventLog\\Data\\lastalive1.dat" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{63a74932-a2b4-61ee-1b00-000000000700}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "hash": { + "sha256": "a94808e7c66973b122f66ec6611019c745a9602f8e944f53635cab58aef35a79" + }, + "name": "svchost.exe", + "pid": 1264 + }, + "related": { + "hash": "a94808e7c66973b122f66ec6611019c745a9602f8e944f53635cab58aef35a79", + "user": "LOCAL SERVICE" + }, + "rule": { + "name": "-" + }, + "sysmon": { + "file": { + "is_executable": false + } + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "LOCAL SERVICE" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_id": "26", + "process": { + "pid": 2764, + "thread": { + "id": 3792 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 456, + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 + } + }, + { + "@timestamp": "2022-01-24T05:12:51.031Z", + "event": { + "category": [ + "file" + ], + "code": "26", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "deletion" + ] + }, + "file": { + "directory": "C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache", + "extension": "000", + "name": "OLDCACHE.000", + "path": "C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache\\OLDCACHE.000" + }, + "host": { + "name": "vagrant" + }, + "log": { + 
"level": "information" + }, + "process": { + "entity_id": "{63a74932-3523-61ee-af00-000000000700}", + "executable": "C:\\Windows\\system32\\svchost.exe", + "hash": { + "sha256": "d78fbf654d84ddf2cb4fe221f7d8b61e0decdee48a4687915e6e4a2296e2418b" + }, + "name": "svchost.exe", + "pid": 1364 + }, + "related": { + "hash": "d78fbf654d84ddf2cb4fe221f7d8b61e0decdee48a4687915e6e4a2296e2418b", + "user": "SYSTEM" + }, + "rule": { + "name": "-" + }, + "sysmon": { + "file": { + "is_executable": false + } + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_id": "26", + "process": { + "pid": 2764, + "thread": { + "id": 3792 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 457, + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 + } + } +] \ No newline at end of file