Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ETW Threat-Intelligence API events #427

Merged
merged 9 commits into from
Sep 28, 2023
Merged

ETW Threat-Intelligence API events #427

merged 9 commits into from
Sep 28, 2023

Conversation

jdu2600
Copy link
Contributor

@jdu2600 jdu2600 commented Sep 22, 2023
edited
Loading

Change Summary

This PR adds multiple new API event variants, including new call_stack fields.

Sample values for new fields

"api": {
    "behaviors": [
        "cross-process"
    ],
    "metadata": {
        "target_address_name": "Unbacked"
    },
    "name": "VirtualAllocEx",
    "parameters": {
        "address": 2904525045760,
        "allocation_type": "COMMIT|RESERVE",
        "protection": "R-X",
        "size": 16
    },
    "summary": "VirtualAllocEx( charmap.exe, NULL, 0x10, COMMIT|RESERVE, R-X )"
}
"api": {
    "behaviors": [
        "hook_api",
        "cross-process"
    ],
    "metadata": {
        "target_address_name": "ntdll.dll",
        "target_address_path": "c:\\windows\\system32\\ntdll.dll"
    },
    "name": "VirtualProtectEx",
    "parameters": {
        "address": 140706538901504,
        "protection": "RWX",
        "protection_old": "R-X",
        "size": 17
    },
    "summary": "VirtualProtectEx( charmap.exe, ntdll.dll, 0x11, RWX, R-X )"
}
"api": {
    "behaviors": [
        "cross-process"
    ],
    "metadata": {
        "target_address_name": "Unbacked"
    },
    "name": "MapViewOfFile2",
    "parameters": {
        "address": 2904641306624,
        "allocation_type": "0x0",
        "protection": "R-X",
        "size": 18
    },
    "summary": "MapViewOfFile2( charmap.exe, 0x12, R-X )"
}
"api": {
    "behaviors": [
        "hook_api"
    ],
    "metadata": {
        "target_address_name": "amsi.dll",
        "target_address_path": "c:\\windows\\system32\\amsi.dll"
    },
    "name": "WriteProcessMemory",
    "parameters": {
        "address": 140706238576736,
        "size": 1
    },
    "summary": "WriteProcessMemory( Self, amsi.dll!AmsiScanBuffer, 0x1 )"
}
"api": {
    "behaviors": [
        "execute_shellcode",
        "hardware_breakpoint_set",
        "cross-process"
    ],
    "metadata": {
        "target_address_name": "Unbacked"
    },
    "name": "SetThreadContext",
    "parameters": {
        "context_flags": 1048607,
        "r8": 8,
        "r9": 9,
        "rax": 10,
        "rbp": 3,
        "rbx": 11,
        "rcx": 2883351609344,
        "rdi": 5,
        "rdx": 13,
        "rip": 140706538588528,
        "rsi": 4,
        "rsp": 2
    },
    "summary": "SetThreadContext( charmap.exe, [ Flags:ALL RIP:ntdll.dll!DbgPrint RSP:Data RBP:Data RAX:Data RCX:Unbacked RDX:Data RBX:Data RSI:Data RDI:Data R8:Data R9:Data ] )"
}
"api": {
    "behaviors": [
        "cross-process"
    ],
    "metadata": {
        "target_address_name": "Unknown"
    },
    "name": "Wow64SetThreadContext",
    "parameters": {
        "context_flags": 65543,
        "eax": 10,
        "ebp": 3,
        "ebx": 11,
        "ecx": 12,
        "edi": 5,
        "edx": 0,
        "eip": 1,
        "esi": 4,
        "esp": 2
    },
    "summary": "Wow64SetThreadContext( charmap.exe, [ Flags:FULL EIP:Data ESP:Data EBP:Data EAX:Data ECX:Data EDX:NULL EBX:Data ESI:Data EDI:Data ] )"
}
"api": {
    "behaviors": [
        "native_api",
        "cross-process"
    ],
    "metadata": {
        "target_address_name": "unity.dll",
        "target_address_path": "c:\\program files\\vmware\\vmware tools\\plugins\\vmusr\\unity.dll"
    },
    "name": "NtQueueApcThread",
    "parameters": {
        "argument1": 2583984274656,
        "argument2": 4105953215,
        "argument3": 31058890,
        "procedure": 140705553857280
    },
    "summary": "NtQueueApcThread( vmtoolsd.exe, unity.dll, Data, Data, Data )"
},
"call_stack": [
    {
        "allocation_private_bytes": 4096,
        "protection_provenance": "dabapi.dll",
        "symbol_info": "c:\\windows\\system32\\ntdll.dll!ZwProtectVirtualMemory+0x14"
    },
    {
        "symbol_info": "c:\\windows\\system32\\kernelbase.dll!VirtualProtect+0x36"
    },
    {
        "allocation_private_bytes": 8192,
        "callsite_leading_bytes": "c048895424204c8bc9488d0d801f0000418d500248ff15052a00000f1f4400004883c438c3cccccccccccccccccccccc4883ec2048b880bf1acaf87f0000ffd0",
        "callsite_trailing_bytes": "4883c420c3ec48498363e800498d4320ba2500000049c743e004000000440fb7ca4c8d05d0320000ba2b000000498943d848ff15f82a00000f1f4400004883c4",
        "protection": "RWX",
        "protection_provenance": "eventstests.exe",
        "symbol_info": "c:\\windows\\system32\\dabapi.dll!DabApiBufferFree+0x10"
    },
    {
        "symbol_info": "Unknown"
    }
],
"call_stack_final_user_module": {
    "code_signature": [
        {
            "exists": true,
            "status": "trusted",
            "subject_name": "Microsoft Windows",
            "trusted": true
        }
    ],
    "hash": {
        "sha256": "0386c57d59ee1292bb74d9878358da7a0ba00e5b56ed52fd6171b9e6d29d85aa"
    },
    "name": "dabapi.dll",
    "path": "c:\\windows\\system32\\dabapi.dll",
    "protection_provenance": "eventstests.exe"
},

Sample document

{
    "@timestamp": "2023-09-20T14:01:30.6016331Z",
    "Target": {
        "process": {
            "pid": 5428
        }
    },
    "agent": {
        "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
        "type": "endpoint",
        "version": "8.11.0-SNAPSHOT"
    },
    "data_stream": {
        "dataset": "endpoint.events.api",
        "namespace": "default",
        "type": "logs"
    },
    "ecs": {
        "version": "1.11.0"
    },
    "elastic": {
        "agent": {
            "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
        }
    },
    "event": {
        "category": [
            "api",
            "intrusion_detection"
        ],
        "created": "2023-09-20T14:01:30.6016331Z",
        "dataset": "endpoint.events.api",
        "id": "NEfuwt0urn1z3O7D+++++/6U",
        "kind": "event",
        "module": "endpoint",
        "outcome": "success",
        "provider": "Microsoft-Windows-Threat-Intelligence",
        "sequence": 3802,
        "type": [
            "info"
        ]
    },
    "host": {
        "architecture": "x86_64",
        "hostname": "windows-dev",
        "id": "dabadaba-0000-0000-0000-000000000000",
        "ip": [
            "192.168.75.128",
            "fe80::8003:a9e5:4336:bc29",
            "169.254.191.140",
            "fe80::8c94:4fc1:a1f0:42d9",
            "127.0.0.1",
            "::1"
        ],
        "mac": [
            "00-0c-29-be-32-ae",
            "88-66-5a-21-26-26"
        ],
        "name": "windows-dev",
        "os": {
            "Ext": {
                "variant": "Windows 10 Pro"
            },
            "family": "windows",
            "full": "Windows 10 Pro 22H2 (10.0.19045.3448)",
            "kernel": "22H2 (10.0.19045.3448)",
            "name": "Windows",
            "platform": "windows",
            "type": "windows",
            "version": "22H2 (10.0.19045.3448)"
        }
    },
    "message": "Endpoint API event - NtQueueApcThread",
    "process": {
        "Ext": {
            "ancestry": [
                "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTAtMTY5NDc0OTI4Ny40NjgwMjkyMDA="
            ],
            "api": {
                "behaviors": [
                    "native_api",
                    "cross-process"
                ],
                "metadata": {
                    "target_address_name": "unity.dll",
                    "target_address_path": "c:\\program files\\vmware\\vmware tools\\plugins\\vmusr\\unity.dll"
                },
                "name": "NtQueueApcThread",
                "parameters": {
                    "argument1": 2583984274656,
                    "argument2": 4105953215,
                    "argument3": 31058890,
                    "procedure": 140705553857280
                },
                "summary": "NtQueueApcThread( vmtoolsd.exe, unity.dll, Data, Data, Data )"
            },
            "token": {
                "integrity_level_name": "system"
            }
        },
        "command_line": "",
        "entity_id": "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTQtMTY5NDc0OTI4Ny40NjgwMjkyMDA=",
        "name": "System",
        "pid": 4,
        "thread": {
            "id": 0
        }
    },
    "user": {
        "domain": "NT AUTHORITY",
        "id": "S-1-5-18",
        "name": "SYSTEM"
    }
}

Release Target

8.11.0

Q/A

  • I ran make after making the schema changes, and committed all changes

@jdu2600 jdu2600 requested a review from a team as a code owner September 22, 2023 07:34
@jdu2600 jdu2600 changed the title Etwti events ETW Threat-Intelligence API events Sep 22, 2023
@elasticmachine
Copy link
Contributor

elasticmachine commented Sep 22, 2023
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2023-09-28T18:50:45.076+0000

  • Duration: 7 min 13 sec

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@jdu2600 jdu2600 marked this pull request as draft September 22, 2023 14:06
@jdu2600 jdu2600 marked this pull request as ready for review September 22, 2023 14:44
@gogochan
Copy link
Collaborator

@jdu2600 , would it be possible for you pull in main so that we can validate some pipeline testing on Buildkite?

@gogochan
Copy link
Collaborator

Thanks!!!
https://buildkite.com/elastic/endpoint-package/builds/43#018abff5-8718-49db-a793-83e21212d454
image

@gabriellandau
Copy link
Contributor

I added an example document. Tests are passing. Ready for review.

@kevinlog
Copy link
Contributor

checked it out and tried it - sample document streams and package installs without issue:

image

image

@gabriellandau gabriellandau merged commit 87dda17 into main Sep 28, 2023
@gabriellandau gabriellandau deleted the etwti_events branch September 28, 2023 19:55
@elasticmachine
Copy link
Contributor

Package endpoint - 8.11.0 containing this change is available at https://epr.elastic.co/search?package=endpoint

@jdu2600
Copy link
Contributor Author

jdu2600 commented Oct 2, 2023

@ferullo - Is there anything else that I should do on the documentation front?

@ferullo
Copy link
Contributor

ferullo commented Oct 2, 2023

If you're referring to custom documentation, no don't worry about it. I'll follow up and add those files after 8.11 is branched.

@jdu2600 jdu2600 mentioned this pull request Oct 3, 2023
Closed
@jdu2600 jdu2600 mentioned this pull request Nov 3, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kevinlog kevinlog kevinlog approved these changes

@ashokaditya ashokaditya Awaiting requested review from ashokaditya ashokaditya is a code owner automatically assigned from elastic/security-defend-workflows

@dasansol92 dasansol92 Awaiting requested review from dasansol92 dasansol92 is a code owner automatically assigned from elastic/security-defend-workflows

Assignees
No one assigned
Labels
v8.11.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@jdu2600 @elasticmachine @gogochan @gabriellandau @kevinlog @ferullo