From f4757fc522237152f38df482e0659cd465ac6187 Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Sun, 19 May 2024 14:16:15 +0900
Subject: [PATCH 1/4] Add BSOD and MSI Install rules
---
 .../Application_1022-1033_MSI-Install.yaml | 37 +++++++++++
 .../App_1022-1033_Info_MSI-Installed.yml | 64 +++++++++++++++++++
 hayabusa/builtin/System/Sys_1001_Med_BSOD.yml | 60 +++++++++++++++++
 3 files changed, 161 insertions(+)
 create mode 100644 config/data_mapping/Application_1022-1033_MSI-Install.yaml
 create mode 100644 hayabusa/builtin/Application/App_1022-1033_Info_MSI-Installed.yml
 create mode 100644 hayabusa/builtin/System/Sys_1001_Med_BSOD.yml
diff --git a/config/data_mapping/Application_1022-1033_MSI-Install.yaml b/config/data_mapping/Application_1022-1033_MSI-Install.yaml
new file mode 100644
index 000000000..53644b617
--- /dev/null
+++ b/config/data_mapping/Application_1022-1033_MSI-Install.yaml
@@ -0,0 +1,37 @@
+Title: 'MSI Install'
+Channel: Application
+EventID: 1033
+RewriteFieldData:
+ Data[3]:
+ - '1033': 'English'
+ - '1041': 'Japanese'
+
+sample-evtx: |
+ + + 1033 + 0 + 4 + 0 + 0 + 0x80000000000000 + + 9294 + + + Application + computer + + + + Epson Photo+ + 3.3.0.0 + 1033 + 0 + Seiko Epson Corporation + (NULL) + + 7B41423937314134452D463636392D344538322D414646302D3343333444463736383535337D3030303061373633363232333031663565653439613432333666343761363438663639643030303030393034 + +
\ No newline at end of file
diff --git a/hayabusa/builtin/Application/App_1022-1033_Info_MSI-Installed.yml b/hayabusa/builtin/Application/App_1022-1033_Info_MSI-Installed.yml
new file mode 100644
index 000000000..6a2fe3e5d
--- /dev/null
+++ b/hayabusa/builtin/Application/App_1022-1033_Info_MSI-Installed.yml
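Review bot: The mapping is keyed on `EventID: 1033` alone, while the rule added in the same series and this file's own name (`Application_1022-1033_...`) cover event 1022 as well, so `Data[3]` in 1022 events will not be rewritten. Either list both IDs here (`EventID: [1022, 1033]`, if the data_mapping loader accepts a list — I cannot tell from this file) or rename the file to match its real scope so nobody assumes 1022 is handled. The `- '1033': 'English'` form is a sequence of single-key mappings, which lets the same LCID appear twice without any parser complaint; if the loader also accepts a plain mapping under `Data[3]:`, that shape is easier to lint for duplicates. The file is also committed without a final newline (`\ No newline at end of file`).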
@@ -0,0 +1,64 @@
+author: Zach Mathis
+date: 2024/05/19
+modified: 2024/05/19
+
+title: 'MSI Install'
+details: 'App: %Data[1]% ¦ Ver: %Data[2]% ¦ Lang: %Data[3]% ¦ StatusCode: %Data[4]%'
+description: |
+ Windows Installer installed software via an MSI file.
+ %Data[1]%: Product Name
+ %Data[2]%: Product Version
+ %Data[3]%: Product Language in LCID format. (Ex: 1033 for English)
+ %Data[4]%: Installation status code. 0 means success.
+ %Data[5]%: Not sure. Could be a field not in use.
+ Binary: Not sure how to decode.
+
+id: ef118d4d-ef83-40a7-bb27-2bb3945473ee
+level: informational
+status: test
+logsource:
+ product: windows
+ service: application
+detection:
+ selection:
+ Channel: 'Application'
+ ProviderName: MsiInstaller
+ EventID:
+ - 1022
+ - 1033
+ condition: selection
+falsepositives:
+tags:
+references:
+ruletype: Hayabusa
+
+hayabusa-sample-message: 'Windows Installer installed the product. Product Name: Epson Photo+. Product Version: 3.3.0.0. Product Language: 1033. Manufacturer: Seiko Epson Corporation. Installation success or error status: 0.'
+hayabusa-sample-evtx: |
+ + + 1033 + 0 + 4 + 0 + 0 + 0x80000000000000 + + 9294 + + + Application + computer + + + + Epson Photo+ + 3.3.0.0 + 1033 + 0 + Seiko Epson Corporation + (NULL) + + 7B41423937314134452D463636392D344538322D414646302D3343333444463736383535337D3030303061373633363232333031663565653439613432333666343761363438663639643030303030393034 + +
\ No newline at end of file
diff --git a/hayabusa/builtin/System/Sys_1001_Med_BSOD.yml b/hayabusa/builtin/System/Sys_1001_Med_BSOD.yml
new file mode 100644
index 000000000..962ad6b79
--- /dev/null
+++ b/hayabusa/builtin/System/Sys_1001_Med_BSOD.yml
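Review bot: `Binary: Not sure how to decode.` in the description can be replaced by something concrete, because the sample's `Binary` value is the hex encoding of an ASCII string: its first 76 hex digits decode to the product code `{AB971A4E-F669-4E82-AFF0-3C34DF768553}`, followed by a 44-character run of hex digits (ending in `0904`, possibly the LCID 0x0409 in byte-swapped form — unverified from this sample alone). I would write `Binary: Hex-encoded ASCII text; begins with the MSI ProductCode GUID (e.g. {AB971A4E-F669-4E82-AFF0-3C34DF768553} in the sample), trailing digits unknown.` so analysts know the package identifier is recoverable for correlating this event with other MsiInstaller events for the same product. `falsepositives:`, `tags:` and `references:` are bare keys and parse as null; if "none" is the intent, `[]` states it explicitly, and the same applies to Sys_1001_Med_BSOD.yml in this series (hedged on whether the rule loader distinguishes the two). `Channel: 'Application'` is quoted while `ProviderName` is not; one quoting style across the selection reads better.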
@@ -0,0 +1,60 @@
+author: Zach Mathis
+date: 2024/05/19
+modified: 2024/05/19
+
+title: 'BSOD'
+details: 'ErrorCodes: %param1% ¦ MemoryDump: %param2%'
+description: |
+ Blue Screen Of Death. MS calls these Bug Check Errors.
+ param1 will contain various error codes for debugging:
+ example: 0x0000009f (0x0000000000000003, 0xffffe682fdfaf570, 0xfffff800666c4750, 0xffffe6831844f050)
+ - 0x0000009f is the Bug Check Code (a.k.a. Stop Code) meaning DRIVER_POWER_STATE_FAILURE
+ - 0x0000000000000003 indicates the type of inconsistency. In this case, 0x3 means the system is transitioning from a sleep state (S4 or S5) to an awake state (S0).
+ - 0xffffe682fdfaf570 is a pointer to the DEVICE_OBJECT structure representing the device that is being enumerated.
+ - 0xfffff800666c4750 is a pointer to the IRP (I/O Request Packet) that was pending for the device object.
+ - 0xffffe6831844f050 is a pointer to the NTSTATUS code indicating the cause of the failure.
+ param2 is the path to a memory dump (ex: C:\WINDOWS\MEMORY.DMP)
+ param3 is the report ID (ex: cf65ecb3-8a81-4a04-89ae-8d1fff1aecf8)
+
+id: 082fbbf5-bb05-468c-ad9c-ef2a383bb293
+level: medium
+status: test
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ Channel: 'System'
+ ProviderName: Microsoft-Windows-WER-SystemErrorReporting
+ EventID: 1001
+ condition: selection
+falsepositives:
+tags:
+references:
+ruletype: Hayabusa
+
+hayabusa-sample-message: 'The computer has rebooted from a bugcheck. The bugcheck was: 0x0000009f (0x0000000000000003, 0xffffe682fdfaf570, 0xfffff800666c4750, 0xffffe6831844f050). A dump was saved in: C:\WINDOWS\MEMORY.DMP. Report Id: cf65ecb3-8a81-4a04-89ae-8d1fff1aecf8.'
+hayabusa-sample-evtx: |
+ + + 1001 + 0 + 2 + 0 + 0 + 0x80000000000000 + + 18305 + + + System + computer + + + + 0x0000009f (0x0000000000000003, 0xffffe682fdfaf570, 0xfffff800666c4750, 0xffffe6831844f050) + C:\WINDOWS\MEMORY.DMP + cf65ecb3-8a81-4a04-89ae-8d1fff1aecf8 + +
\ No newline at end of file
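Review bot: The five bullet points in the description explain the arguments of one specific bug check (0x9F) as if they were general, and as far as I recall the Microsoft Bug Check Code Reference, they do not match even for 0x9F: argument 1 = 0x3 there means a device object has been blocking a power IRP for too long, and the last argument is the blocked IRP, not a pointer to an NTSTATUS. I would keep the description generic — `param1 is the bug check (stop) code followed by four arguments whose meaning depends on that code; look the code up in the Microsoft Bug Check Code Reference` — and put that reference under `references:`, which this rule leaves empty. `details` surfaces `%param1%` and `%param2%` but not `%param3%`, even though the description documents it as the report ID; `details: 'ErrorCodes: %param1% ¦ MemoryDump: %param2% ¦ ReportId: %param3%'` lets a responder find the matching WER report directly.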
From 130bdae88cd49fb969df7a4b227fa7995283673f Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Mon, 20 May 2024 07:35:16 +0900
Subject: [PATCH 2/4] add provider name
---
 config/data_mapping/Application_1022-1033_MSI-Install.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/config/data_mapping/Application_1022-1033_MSI-Install.yaml b/config/data_mapping/Application_1022-1033_MSI-Install.yaml
index 53644b617..9843eb4ae 100644
--- a/config/data_mapping/Application_1022-1033_MSI-Install.yaml
+++ b/config/data_mapping/Application_1022-1033_MSI-Install.yaml
@@ -1,6 +1,7 @@
 Title: 'MSI Install'
 Channel: Application
 EventID: 1033
+Provider_Name: MsiInstaller
 RewriteFieldData:
 Data[3]:
 - '1033': 'English'
From 2dee5159b5fe20adceebc04d9b36c3d31605280a Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Mon, 20 May 2024 07:35:35 +0900
Subject: [PATCH 3/4] add provider name
---
 .../Application/App_1022-1033_Info_MSI-Installed.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/hayabusa/builtin/Application/App_1022-1033_Info_MSI-Installed.yml b/hayabusa/builtin/Application/App_1022-1033_Info_MSI-Installed.yml
index 6a2fe3e5d..503b7f182 100644
--- a/hayabusa/builtin/Application/App_1022-1033_Info_MSI-Installed.yml
+++ b/hayabusa/builtin/Application/App_1022-1033_Info_MSI-Installed.yml
@@ -3,14 +3,15 @@ date: 2024/05/19
 modified: 2024/05/19
 
 title: 'MSI Install'
-details: 'App: %Data[1]% ¦ Ver: %Data[2]% ¦ Lang: %Data[3]% ¦ StatusCode: %Data[4]%'
+details: 'App: %Data[1]% ¦ Ver: %Data[2]% ¦ Lang: %Data[3]% ¦ StatusCode: %Data[4]% ¦ Vendor: %Data[5]%'
 description: |
 Windows Installer installed software via an MSI file.
 %Data[1]%: Product Name
 %Data[2]%: Product Version
 %Data[3]%: Product Language in LCID format. (Ex: 1033 for English)
 %Data[4]%: Installation status code. 0 means success.
- %Data[5]%: Not sure. Could be a field not in use.
+ %Data[5]%: Vendor
+ %Data[6]%: Not sure.
 Binary: Not sure how to decode.
 
 id: ef118d4d-ef83-40a7-bb27-2bb3945473ee
@@ -22,7 +23,7 @@ logsource:
 detection:
 selection:
 Channel: 'Application'
- ProviderName: MsiInstaller
+ Provider_Name: MsiInstaller
 EventID:
 - 1022
 - 1033
From 5e027548407c9aa3f7ee916ab5306fde5d16d73d Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Sat, 25 May 2024 12:25:36 +0900
Subject: [PATCH 4/4] add languages
---
 .../Application_1022-1033_MSI-Install.yaml | 178 +++++++++++++++++-
 1 file changed, 176 insertions(+), 2 deletions(-)
diff --git a/config/data_mapping/Application_1022-1033_MSI-Install.yaml b/config/data_mapping/Application_1022-1033_MSI-Install.yaml
index 9843eb4ae..d87bf9209 100644
--- a/config/data_mapping/Application_1022-1033_MSI-Install.yaml
+++ b/config/data_mapping/Application_1022-1033_MSI-Install.yaml
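Review bot: `%Data[5]%: Vendor` (and `Vendor:` in the new `details` line) names the field differently from the event's own message text kept in `hayabusa-sample-message`, which reads `Manufacturer: Seiko Epson Corporation`; using `Manufacturer` in both places keeps the rule findable by the term analysts see in Event Viewer. The new `%Data[6]%: Not sure.` could at least record what the sample in this file shows — the sixth Data element is the literal string `(NULL)` and the element after it appears empty — so a reader knows why it is not surfaced in `details`; e.g. `%Data[6]%: Observed as "(NULL)" in samples; meaning unknown.`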
@@ -4,8 +4,182 @@ EventID: 1033
 Provider_Name: MsiInstaller
 RewriteFieldData:
 Data[3]:
- - '1033': 'English'
- - '1041': 'Japanese'
+ - '1025': "Arabic (Saudi Arabia)"
+ - '1026': "Bulgarian"
+ - '1027': "Catalan"
+ - '1028': "Chinese (Traditional)"
+ - '1029': "Czech"
+ - '1030': "Danish"
+ - '1031': "German (Germany)"
+ - '1032': "Greek"
+ - '1033': "English (US)"
+ - '1034': "Spanish (Traditional Sort)"
+ - '1035': "Finnish"
+ - '1036': "French (France)"
+ - '1037': "Hebrew"
+ - '1038': "Hungarian"
+ - '1039': "Icelandic"
+ - '1040': "Italian (Italy)"
+ - '1041': "Japanese"
+ - '1042': "Korean"
+ - '1043': "Dutch (Netherlands)"
+ - '1044': "Norwegian (Bokmål)"
+ - '1045': "Polish"
+ - '1046': "Portuguese (Brazil)"
+ - '1047': "Portuguese (Portugal)"
+ - '1048': "Romanian"
+ - '1049': "Russian"
+ - '1050': "Croatian"
+ - '1051': "Slovak"
+ - '1052': "Albanian"
+ - '1053': "Swedish"
+ - '1054': "Thai"
+ - '1055': "Turkish"
+ - '1056': "Urdu"
+ - '1057': "Indonesian"
+ - '1058': "Ukrainian"
+ - '1059': "Belarusian"
+ - '1060': "Slovenian"
+ - '1061': "Estonian"
+ - '1062': "Latvian"
+ - '1063': "Lithuanian"
+ - '1064': "Tajik (Cyrillic)"
+ - '1065': "Persian"
+ - '1066': "Vietnamese"
+ - '1067': "Armenian"
+ - '1068': "Azerbaijani (Latin)"
+ - '1069': "Basque"
+ - '1070': "Upper Sorbian"
+ - '1071': "Macedonian (FYROM)"
+ - '1072': "Sesotho"
+ - '1073': "Tsonga"
+ - '1074': "Tswana"
+ - '1075': "Venda"
+ - '1076': "Xhosa"
+ - '1077': "Zulu"
+ - '1078': "Afrikaans"
+ - '1079': "Georgian"
+ - '1080': "Faroese"
+ - '1081': "Hindi"
+ - '1082': "Maltese"
+ - '1083': "Sami (Northern)"
+ - '1084': "Gaelic (Scotland)"
+ - '1085': "Yiddish"
+ - '1086': "Malay (Malaysia)"
+ - '1087': "Kazakh"
+ - '1088': "Kyrgyz (Cyrillic)"
+ - '1089': "Swahili"
+ - '1090': "Turkmen"
+ - '1091': "Uzbek (Latin)"
+ - '1092': "Tatar"
+ - '1093': "Bengali (India)"
+ - '1094': "Punjabi (India)"
+ - '1095': "Gujarati"
+ - '1096': "Oriya"
+ - '1097': "Tamil"
+ - '1098': "Telugu"
+ - '1099': "Kannada"
+ - '1100': "Malayalam"
+ - '1101': "Assamese"
+ - '1102': "Marathi"
+ - '1103': "Sanskrit"
+ - '1104': "Mongolian (Cyrillic)"
+ - '1105': "Tibetan"
+ - '1106': "Welsh"
+ - '1107': "Khmer"
+ - '1108': "Lao"
+ - '1109': "Burmese"
+ - '1110': "Galician"
+ - '1111': "Konkani"
+ - '1112': "Manipuri"
+ - '1113': "Sindhi (India)"
+ - '1114': "Syriac"
+ - '1115': "Sinhalese"
+ - '1116': "Cherokee"
+ - '1117': "Inuktitut (Syllabics)"
+ - '1118': "Amharic"
+ - '1119': "Tamazight (Latin)"
+ - '1120': "Kashmiri"
+ - '1121': "Nepali"
+ - '1122': "Frisian"
+ - '1123': "Pashto"
+ - '1124': "Filipino"
+ - '1125': "Divehi"
+ - '1126': "Edo"
+ - '1127': "Fulfulde"
+ - '1128': "Hausa"
+ - '1129': "Ibibio"
+ - '1130': "Yoruba"
+ - '1131': "Quechua"
+ - '1132': "Sesotho sa Leboa"
+ - '1133': "Bashkir"
+ - '1134': "Luxembourgish"
+ - '1135': "Greenlandic"
+ - '1136': "Igbo"
+ - '1137': "Kanuri"
+ - '1138': "Oromo"
+ - '1139': "Tigrigna (Ethiopia)"
+ - '1140': "Tigrigna (Eritrea)"
+ - '1141': "Ganda"
+ - '1142': "Hawaiian"
+ - '1143': "Latin"
+ - '1144': "Somali"
+ - '1145': "Yi"
+ - '1146': "N'ko"
+ - '1147': "Dari"
+ - '1148': "Scottish Gaelic"
+ - '1150': "Central Atlas Tamazight (Latin)"
+ - '1151': "Nepal Bhasa"
+ - '1152': "Rhaeto-Romance"
+ - '1153': "Mapudungun"
+ - '1154': "Mongolian (Traditional)"
+ - '1155': "Sakha"
+ - '1156': "K'iche"
+ - '1157': "Kinyarwanda"
+ - '1158': "Wolof"
+ - '1159': "Duala"
+ - '1160': "Jola-Fonyi"
+ - '1161': "Ewe"
+ - '1162': "Wari"
+ - '1163': "Sesotho sa Leboa"
+ - '1164': "Kalenjin"
+ - '1165': "Iban"
+ - '1166': "Quechua (Ecuador)"
+ - '1167': "Garifuna"
+ - '1168': "Twi"
+ - '1169': "Pedi"
+ - '1170': "Hausa (Nigeria)"
+ - '1171': "Kikuyu"
+ - '1172': "Zulu (South Africa)"
+ - '1173': "Yoruba (Nigeria)"
+ - '1174': "Twi (Ghana)"
+ - '1175': "Kalenjin (Kenya)"
+ - '1176': "Iban (Malaysia)"
+ - '1177': "Zulu (South Africa)"
+ - '1178': "Afrikaans (South Africa)"
+ - '1179': "Somali (Somalia)"
+ - '1180': "Swahili (Kenya)"
+ - '1181': "Zulu (South Africa)"
+ - '1182': "Igbo (Nigeria)"
+ - '1183': "Cree (Canada)"
+ - '1184': "Inuktitut (Canada)"
+ - '1185': "Inuktitut (Latin)"
+ - '1186': "Ojibwe"
+ - '1187': "Dene"
+ - '1188': "Naskapi"
+ - '1189': "Danish (Denmark)"
+ - '1190': "Sami (Inari)"
+ - '1191': "Sami (Skolt)"
+ - '1192': "Sami (Southern)"
+ - '1193': "Sami (Lule)"
+ - '1194': "Sami (Ume)"
+ - '1195': "Sami (Pite)"
+ - '1196': "Sami (Enontekiö)"
+ - '1197': "Sami (Kildin)"
+ - '1198': "Sami (Ter)"
+ - '1199': "Sami (Akkala)"
+ + sample-evtx: |