Commit
Merge pull request #666 from Yamato-Security/add-BSOD-and-MSI-Install-rules

Add BSOD and MSI Install rules
YamatoSecurity committed May 25, 2024
2 parents d4a43e4 + 5e02754 commit 8ed76c6
Showing 3 changed files with 337 additions and 0 deletions.
212 changes: 212 additions & 0 deletions config/data_mapping/Application_1022-1033_MSI-Install.yaml
@@ -0,0 +1,212 @@
Title: 'MSI Install'
Channel: Application
EventID: 1033
Provider_Name: MsiInstaller
RewriteFieldData:
Data[3]:
- '1025': "Arabic (Saudi Arabia)"
- '1026': "Bulgarian"
- '1027': "Catalan"
- '1028': "Chinese (Traditional)"
- '1029': "Czech"
- '1030': "Danish"
- '1031': "German (Germany)"
- '1032': "Greek"
- '1033': "English (US)"
- '1034': "Spanish (Traditional Sort)"
- '1035': "Finnish"
- '1036': "French (France)"
- '1037': "Hebrew"
- '1038': "Hungarian"
- '1039': "Icelandic"
- '1040': "Italian (Italy)"
- '1041': "Japanese"
- '1042': "Korean"
- '1043': "Dutch (Netherlands)"
- '1044': "Norwegian (Bokmål)"
- '1045': "Polish"
- '1046': "Portuguese (Brazil)"
- '1047': "Portuguese (Portugal)"
- '1048': "Romanian"
- '1049': "Russian"
- '1050': "Croatian"
- '1051': "Slovak"
- '1052': "Albanian"
- '1053': "Swedish"
- '1054': "Thai"
- '1055': "Turkish"
- '1056': "Urdu"
- '1057': "Indonesian"
- '1058': "Ukrainian"
- '1059': "Belarusian"
- '1060': "Slovenian"
- '1061': "Estonian"
- '1062': "Latvian"
- '1063': "Lithuanian"
- '1064': "Tajik (Cyrillic)"
- '1065': "Persian"
- '1066': "Vietnamese"
- '1067': "Armenian"
- '1068': "Azerbaijani (Latin)"
- '1069': "Basque"
- '1070': "Upper Sorbian"
- '1071': "Macedonian (FYROM)"
- '1072': "Sesotho"
- '1073': "Tsonga"
- '1074': "Tswana"
- '1075': "Venda"
- '1076': "Xhosa"
- '1077': "Zulu"
- '1078': "Afrikaans"
- '1079': "Georgian"
- '1080': "Faroese"
- '1081': "Hindi"
- '1082': "Maltese"
- '1083': "Sami (Northern)"
- '1084': "Gaelic (Scotland)"
- '1085': "Yiddish"
- '1086': "Malay (Malaysia)"
- '1087': "Kazakh"
- '1088': "Kyrgyz (Cyrillic)"
- '1089': "Swahili"
- '1090': "Turkmen"
- '1091': "Uzbek (Latin)"
- '1092': "Tatar"
- '1093': "Bengali (India)"
- '1094': "Punjabi (India)"
- '1095': "Gujarati"
- '1096': "Oriya"
- '1097': "Tamil"
- '1098': "Telugu"
- '1099': "Kannada"
- '1100': "Malayalam"
- '1101': "Assamese"
- '1102': "Marathi"
- '1103': "Sanskrit"
- '1104': "Mongolian (Cyrillic)"
- '1105': "Tibetan"
- '1106': "Welsh"
- '1107': "Khmer"
- '1108': "Lao"
- '1109': "Burmese"
- '1110': "Galician"
- '1111': "Konkani"
- '1112': "Manipuri"
- '1113': "Sindhi (India)"
- '1114': "Syriac"
- '1115': "Sinhalese"
- '1116': "Cherokee"
- '1117': "Inuktitut (Syllabics)"
- '1118': "Amharic"
- '1119': "Tamazight (Latin)"
- '1120': "Kashmiri"
- '1121': "Nepali"
- '1122': "Frisian"
- '1123': "Pashto"
- '1124': "Filipino"
- '1125': "Divehi"
- '1126': "Edo"
- '1127': "Fulfulde"
- '1128': "Hausa"
- '1129': "Ibibio"
- '1130': "Yoruba"
- '1131': "Quechua"
- '1132': "Sesotho sa Leboa"
- '1133': "Bashkir"
- '1134': "Luxembourgish"
- '1135': "Greenlandic"
- '1136': "Igbo"
- '1137': "Kanuri"
- '1138': "Oromo"
- '1139': "Tigrigna (Ethiopia)"
- '1140': "Tigrigna (Eritrea)"
- '1141': "Ganda"
- '1142': "Hawaiian"
- '1143': "Latin"
- '1144': "Somali"
- '1145': "Yi"
- '1146': "N'ko"
- '1147': "Dari"
- '1148': "Scottish Gaelic"
- '1150': "Central Atlas Tamazight (Latin)"
- '1151': "Nepal Bhasa"
- '1152': "Rhaeto-Romance"
- '1153': "Mapudungun"
- '1154': "Mongolian (Traditional)"
- '1155': "Sakha"
- '1156': "K'iche"
- '1157': "Kinyarwanda"
- '1158': "Wolof"
- '1159': "Duala"
- '1160': "Jola-Fonyi"
- '1161': "Ewe"
- '1162': "Wari"
- '1163': "Sesotho sa Leboa"
- '1164': "Kalenjin"
- '1165': "Iban"
- '1166': "Quechua (Ecuador)"
- '1167': "Garifuna"
- '1168': "Twi"
- '1169': "Pedi"
- '1170': "Hausa (Nigeria)"
- '1171': "Kikuyu"
- '1172': "Zulu (South Africa)"
- '1173': "Yoruba (Nigeria)"
- '1174': "Twi (Ghana)"
- '1175': "Kalenjin (Kenya)"
- '1176': "Iban (Malaysia)"
- '1177': "Zulu (South Africa)"
- '1178': "Afrikaans (South Africa)"
- '1179': "Somali (Somalia)"
- '1180': "Swahili (Kenya)"
- '1181': "Zulu (South Africa)"
- '1182': "Igbo (Nigeria)"
- '1183': "Cree (Canada)"
- '1184': "Inuktitut (Canada)"
- '1185': "Inuktitut (Latin)"
- '1186': "Ojibwe"
- '1187': "Dene"
- '1188': "Naskapi"
- '1189': "Danish (Denmark)"
- '1190': "Sami (Inari)"
- '1191': "Sami (Skolt)"
- '1192': "Sami (Southern)"
- '1193': "Sami (Lule)"
- '1194': "Sami (Ume)"
- '1195': "Sami (Pite)"
- '1196': "Sami (Enontekiö)"
- '1197': "Sami (Kildin)"
- '1198': "Sami (Ter)"
- '1199': "Sami (Akkala)"



sample-evtx: |
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MsiInstaller" />
<EventID Qualifiers="0">1033</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2021-01-15T02:14:12.8708371Z" />
<EventRecordID>9294</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>computer</Computer>
<Security UserID="S-1-5-21-3619236619-1337548381-1329840446-1001" />
</System>
<EventData>
<Data>Epson Photo+</Data>
<Data>3.3.0.0</Data>
<Data>1033</Data>
<Data>0</Data>
<Data>Seiko Epson Corporation</Data>
<Data>(NULL)</Data>
<Data />
<Binary>7B41423937314134452D463636392D344538322D414646302D3343333444463736383535337D3030303061373633363232333031663565653439613432333666343761363438663639643030303030393034</Binary>
</EventData>
</Event>
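Review bot: the LCID table under `RewriteFieldData` repeats several names under different codes, which suggests the codes drifted somewhere in the list: `'1132'` and `'1163'` both map to "Sesotho sa Leboa", `'1172'`, `'1177'` and `'1181'` all map to "Zulu (South Africa)", and from `'1170'` onward most entries duplicate an earlier language with a country suffix ("Hausa (Nigeria)", "Twi (Ghana)", "Iban (Malaysia)", "Afrikaans (South Africa)", "Danish (Denmark)"); `'1149'` is also skipped between `'1148'` and `'1150'`. Please check the tail of the table (roughly `'1140'` onward) against Microsoft's LCID reference before merging, because a wrong rewrite silently mislabels the language in every MSI event it touches. Separately, the file name and the companion rule cover EventID 1022 and 1033, but this mapping declares `EventID: 1033` only; confirm whether 1022 events also need the rewrite, or rename the file to match what it actually covers.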
65 changes: 65 additions & 0 deletions hayabusa/builtin/Application/App_1022-1033_Info_MSI-Installed.yml
@@ -0,0 +1,65 @@
author: Zach Mathis
date: 2024/05/19
modified: 2024/05/19

title: 'MSI Install'
details: 'App: %Data[1]% ¦ Ver: %Data[2]% ¦ Lang: %Data[3]% ¦ StatusCode: %Data[4]% ¦ Vendor: %Data[5]%'
description: |
Windows Installer installed software via an MSI file.
%Data[1]%: Product Name
%Data[2]%: Product Version
%Data[3]%: Product Language in LCID format. (Ex: 1033 for English)
%Data[4]%: Installation status code. 0 means success.
%Data[5]%: Vendor
%Data[6]%: Not sure.
Binary: Not sure how to decode.
id: ef118d4d-ef83-40a7-bb27-2bb3945473ee
level: informational
status: test
logsource:
product: windows
service: application
detection:
selection:
Channel: 'Application'
Provider_Name: MsiInstaller
EventID:
- 1022
- 1033
condition: selection
falsepositives:
tags:
references:
ruletype: Hayabusa

hayabusa-sample-message: 'Windows Installer installed the product. Product Name: Epson Photo+. Product Version: 3.3.0.0. Product Language: 1033. Manufacturer: Seiko Epson Corporation. Installation success or error status: 0.'
hayabusa-sample-evtx: |
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MsiInstaller" />
<EventID Qualifiers="0">1033</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2021-01-15T02:14:12.8708371Z" />
<EventRecordID>9294</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>computer</Computer>
<Security UserID="S-1-5-21-3619236619-1337548381-1329840446-1001" />
</System>
<EventData>
<Data>Epson Photo+</Data>
<Data>3.3.0.0</Data>
<Data>1033</Data>
<Data>0</Data>
<Data>Seiko Epson Corporation</Data>
<Data>(NULL)</Data>
<Data />
<Binary>7B41423937314134452D463636392D344538322D414646302D3343333444463736383535337D3030303061373633363232333031663565653439613432333666343761363438663639643030303030393034</Binary>
</EventData>
</Event>
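Review bot: the `Binary` value in the sample is hex-encoded ASCII (the first byte `7B` is `{` and the byte before the run of `30303030` is `7D`, `}`), so it decodes to a braced GUID followed by a hex string; for an MsiInstaller event that GUID is most likely the product code, so `Binary: Not sure how to decode.` in `description` can be replaced with that explanation, and `%Data[6]%: Not sure.` should at least note that the sample carries `(NULL)` there. Also, `detection` matches EventID 1022 as well as 1033, but `title`, `description`, `details` and `hayabusa-sample-message` only describe the 1033 case ("installed the product"); if the 1022 message template inserts extra fields, the `%Data[n]%` positions used in `details` will not line up for those events, so either add a 1022 sample to confirm the layout or limit the rule to 1033. Finally, `falsepositives:`, `tags:` and `references:` are left empty; a link to the Windows Installer event documentation under `references:` would help the next reader.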
60 changes: 60 additions & 0 deletions hayabusa/builtin/System/Sys_1001_Med_BSOD.yml
@@ -0,0 +1,60 @@
author: Zach Mathis
date: 2024/05/19
modified: 2024/05/19

title: 'BSOD'
details: 'ErrorCodes: %param1% ¦ MemoryDump: %param2%'
description: |
Blue Screen Of Death. MS calls these Bug Check Errors.
param1 will contain various error codes for debugging:
example: 0x0000009f (0x0000000000000003, 0xffffe682fdfaf570, 0xfffff800666c4750, 0xffffe6831844f050)
- 0x0000009f is the Bug Check Code (a.k.a. Stop Code) meaning DRIVER_POWER_STATE_FAILURE
- 0x0000000000000003 indicates the type of inconsistency. In this case, 0x3 means the system is transitioning from a sleep state (S4 or S5) to an awake state (S0).
- 0xffffe682fdfaf570 is a pointer to the DEVICE_OBJECT structure representing the device that is being enumerated.
- 0xfffff800666c4750 is a pointer to the IRP (I/O Request Packet) that was pending for the device object.
- 0xffffe6831844f050 is a pointer to the NTSTATUS code indicating the cause of the failure.
param2 is the path to a memory dump (ex: C:\WINDOWS\MEMORY.DMP)
param3 is the report ID (ex: cf65ecb3-8a81-4a04-89ae-8d1fff1aecf8)
id: 082fbbf5-bb05-468c-ad9c-ef2a383bb293
level: medium
status: test
logsource:
product: windows
service: system
detection:
selection:
Channel: 'System'
ProviderName: Microsoft-Windows-WER-SystemErrorReporting
EventID: 1001
condition: selection
falsepositives:
tags:
references:
ruletype: Hayabusa

hayabusa-sample-message: 'The computer has rebooted from a bugcheck. The bugcheck was: 0x0000009f (0x0000000000000003, 0xffffe682fdfaf570, 0xfffff800666c4750, 0xffffe6831844f050). A dump was saved in: C:\WINDOWS\MEMORY.DMP. Report Id: cf65ecb3-8a81-4a04-89ae-8d1fff1aecf8.'
hayabusa-sample-evtx: |
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WER-SystemErrorReporting" Guid="{ABCE23E7-DE45-4366-8631-84FA6C525952}" EventSourceName="BugCheck" />
<EventID Qualifiers="16384">1001</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2021-07-12T03:31:41.5408058Z" />
<EventRecordID>18305</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>computer</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">0x0000009f (0x0000000000000003, 0xffffe682fdfaf570, 0xfffff800666c4750, 0xffffe6831844f050)</Data>
<Data Name="param2">C:\WINDOWS\MEMORY.DMP</Data>
<Data Name="param3">cf65ecb3-8a81-4a04-89ae-8d1fff1aecf8</Data>
</EventData>
</Event>
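Review bot: the selection uses `ProviderName:` here while the MSI rule in this same PR uses `Provider_Name:`; if `ProviderName` is not a recognized field name the selection will never match, so align it as `Provider_Name: Microsoft-Windows-WER-SystemErrorReporting`. `details` also prints only `%param1%` and `%param2%` although `description` documents `param3` as the report ID and the sample carries it; consider appending `¦ ReportId: %param3%` so the dump path can be correlated with its WER report. The per-parameter meanings given for `0x0000009f` in `description` are stated as fact but `references:` is empty; add the Microsoft bug check reference for DRIVER_POWER_STATE_FAILURE so the interpretation of the four parameters can be verified before this text ships.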
