+
|
+ ||||||||||||||||||||||||||||||||||
|
+ + This email was automatically generated by Fibratus {{ .Version }} + + |
+ ||||||||||||||||||||||||||||||||||
%1.ps.name process to access
+and read the memory of the Local Security And Authority Subsystem Service
+and subsequently write the %2.file.name dump file to the disk device`,
+ interpolated: `Detected an attempt by taskmgr.exe process to access
+and read the memory of the Local Security And Authority Subsystem Service
+and subsequently write the C:\Users
+eo\Temp\lsass.dump dump file to the disk device`,
+ evts: []*kevent.Kevent{
+ {
+ Type: ktypes.OpenProcess,
+ Category: ktypes.Process,
+ Name: "OpenProcess",
+ PID: 1023,
+ PS: &pstypes.PS{
+ Name: "taskmgr.exe",
+ Ppid: 345,
+ SID: "LOCAL\\tor",
+ },
+ },
+ {
+ Type: ktypes.WriteFile,
+ Category: ktypes.File,
+ Name: "WriteFile",
+ PID: 1023,
+ Kparams: kevent.Kparams{
+ kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "C:\\Users\neo\\Temp\\lsass.dump"},
+ },
+ PS: &pstypes.PS{
+ Name: "taskmgr.exe",
+ Ppid: 345,
+ SID: "LOCAL\\tor",
+ },
+ },
+ },
+ },
+ {
+ original: `Detected an attempt by %ps.name process to access
+and read the memory of the Local Security And Authority Subsystem Service
+and subsequently write the %2.file.name dump file to the disk device`,
+ interpolated: `Detected an attempt by taskmgr.exe process to access
+and read the memory of the Local Security And Authority Subsystem Service
+and subsequently write the C:\Users
+eo\Temp\lsass.dump dump file to the disk device`,
+ evts: []*kevent.Kevent{
+ {
+ Type: ktypes.OpenProcess,
+ Category: ktypes.Process,
+ Name: "OpenProcess",
+ PID: 1023,
+ PS: &pstypes.PS{
+ Name: "taskmgr.exe",
+ Ppid: 345,
+ SID: "LOCAL\\tor",
+ },
+ },
+ {
+ Type: ktypes.WriteFile,
+ Category: ktypes.File,
+ Name: "WriteFile",
+ PID: 1023,
+ Kparams: kevent.Kparams{
+ kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "C:\\Users\neo\\Temp\\lsass.dump"},
+ },
+ PS: &pstypes.PS{
+ Name: "taskmgr.exe",
+ Ppid: 345,
+ SID: "LOCAL\\tor",
+ },
+ },
+ },
+ },
+ }
+
+ for _, tt := range tests {
+ s := InterpolateFields(tt.original, tt.evts)
+ if tt.interpolated != s {
+ t.Errorf("expected %s interpolated string but got %s", tt.interpolated, s)
+ }
+ }
+}
+
func BenchmarkFilterRun(b *testing.B) {
b.ReportAllocs()
f := New(`ps.name = 'mimikatz.exe' or ps.name contains 'svc'`, cfg)
diff --git a/pkg/filter/filter_windows.go b/pkg/filter/filter_windows.go
index 76c940311..d71a201dd 100644
--- a/pkg/filter/filter_windows.go
+++ b/pkg/filter/filter_windows.go
@@ -28,7 +28,7 @@ import (
// New creates a new filter with the specified filter expression. The consumers must ensure
// the expression is correctly parsed before executing the filter. This is achieved by calling the
-// Compile` method after constructing the filter.
+// `Compile` method after constructing the filter.
func New(expr string, config *config.Config) Filter {
accessors := []accessor{
// general event parameters
@@ -37,6 +37,7 @@ func New(expr string, config *config.Config) Filter {
newPSAccessor(),
}
kconfig := config.Kstream
+ fconfig := config.Filters
if kconfig.EnableThreadKevents {
accessors = append(accessors, newThreadAccessor())
@@ -60,11 +61,19 @@ func New(expr string, config *config.Config) Filter {
accessors = append(accessors, newPEAccessor())
}
+ var parser *ql.Parser
+ if fconfig.HasMacros() {
+ parser = ql.NewParserWithConfig(expr, fconfig)
+ } else {
+ parser = ql.NewParser(expr)
+ }
+
return &filter{
- parser: ql.NewParser(expr),
- accessors: accessors,
- fields: make([]fields.Field, 0),
- bindings: make(map[uint16][]*ql.PatternBindingLiteral),
+ parser: parser,
+ accessors: accessors,
+ fields: make([]fields.Field, 0),
+ stringFields: make(map[fields.Field][]string),
+ bindings: make(map[uint16][]*ql.PatternBindingLiteral),
}
}
@@ -76,7 +85,7 @@ func NewFromCLI(args []string, config *config.Config) (Filter, error) {
}
filter := New(expr, config)
if err := filter.Compile(); err != nil {
- return nil, fmt.Errorf("bad filter:\n %v", err)
+ return nil, fmt.Errorf("bad filter:\n%v", err)
}
return filter, nil
}
@@ -88,10 +97,11 @@ func NewFromCLIWithAllAccessors(args []string) (Filter, error) {
return nil, nil
}
filter := &filter{
- parser: ql.NewParser(expr),
- accessors: getAccessors(),
- fields: make([]fields.Field, 0),
- bindings: make(map[uint16][]*ql.PatternBindingLiteral),
+ parser: ql.NewParser(expr),
+ accessors: getAccessors(),
+ fields: make([]fields.Field, 0),
+ stringFields: make(map[fields.Field][]string),
+ bindings: make(map[uint16][]*ql.PatternBindingLiteral),
}
if err := filter.Compile(); err != nil {
return nil, fmt.Errorf("bad filter:\n %v", err)
diff --git a/pkg/filter/funcmap.go b/pkg/filter/funcmap.go
new file mode 100644
index 000000000..d2682fca0
--- /dev/null
+++ b/pkg/filter/funcmap.go
@@ -0,0 +1,56 @@
+/*
+ * Copyright 2020-2021 by Nedim Sabic Sabic
+ * https://www.fibratus.io
+ * All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package filter
+
+import (
+ "github.com/rabbitstack/fibratus/pkg/config"
+ "github.com/rabbitstack/fibratus/pkg/filter/action"
+ "text/template"
+)
+
+// NewFuncMap returns the template func map
+// populated with some useful template functions
+// that can be used in rule actions.
+func NewFuncMap() template.FuncMap {
+ return config.FilterFuncMap()
+}
+
+// InitFuncs assigns late-bound functions to the func map.
+func InitFuncs(funcMap template.FuncMap) {
+ funcMap["emit"] = emit
+ funcMap["kill"] = kill
+}
+
+// emit sends the rule alert via all configured alert senders.
+func emit(ctx *config.ActionContext, title string, text string, args ...string) string {
+ err := action.Emit(ctx, InterpolateFields(title, ctx.Events), InterpolateFields(text, ctx.Events), args...)
+ if err != nil {
+ return err.Error()
+ }
+ return ""
+}
+
+// kill terminates a process with specified pid.
+func kill(pid uint32) string {
+ err := action.Kill(pid)
+ if err != nil {
+ return err.Error()
+ }
+ return ""
+}
diff --git a/pkg/filter/funcmap/funcmap_windows.go b/pkg/filter/funcmap/funcmap_windows.go
deleted file mode 100644
index f42dcdcba..000000000
--- a/pkg/filter/funcmap/funcmap_windows.go
+++ /dev/null
@@ -1,119 +0,0 @@
-/*
- * Copyright 2020-2021 by Nedim Sabic Sabic
- * https://www.fibratus.io
- * All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package funcmap
-
-import (
- "fmt"
- "github.com/Masterminds/sprig/v3"
- "github.com/rabbitstack/fibratus/pkg/alertsender"
- log "github.com/sirupsen/logrus"
- "strings"
- "syscall"
- "text/template"
-)
-
-// New returns the template func map
-// populated with some useful template functions
-// that can be used in filter actions. Some functions
-// are late-bound, so we merely provide a declaration.
-// The real function is attached when the filter action
-// is triggered.
-func New() template.FuncMap {
- f := sprig.TxtFuncMap()
-
- extra := template.FuncMap{
- // This is a placeholder for the functions that might be
- // late-bound to a template. By declaring them here, we
- // can still execute the template associated with the
- // filter action to ensure template syntax is correct
- "emit": func(title string, text string, args ...string) string { return "" },
- "kill": func(pid uint32) string { return "" },
- "stringify": func(in []interface{}) string {
- values := make([]string, 0)
- for _, e := range in {
- s, ok := e.(string)
- if !ok {
- continue
- }
- values = append(values, fmt.Sprintf("'%s'", s))
- }
- return fmt.Sprintf("(%s)", strings.Join(values, ", "))
- },
- }
-
- for k, v := range extra {
- f[k] = v
- }
-
- return f
-}
-
-// InitFuncs assigns late-bound functions to the func map.
-func InitFuncs(funcMap template.FuncMap) {
- funcMap["emit"] = emit
- funcMap["kill"] = kill
-}
-
-// emit sends an alert via all configured alert senders.
-func emit(title string, text string, args ...string) string {
- log.Debugf("sending alert: %s. Text: %s", title, text)
-
- senders := alertsender.FindAll()
- if len(senders) == 0 {
- return "no alertsenders registered. Alert won't be sent"
- }
-
- severity := "normal"
- tags := make([]string, 0)
- if len(args) > 0 {
- severity = args[0]
- }
- if len(args) > 1 {
- tags = args[1:]
- }
-
- for _, s := range senders {
- alert := alertsender.NewAlert(
- title,
- text,
- tags,
- alertsender.ParseSeverityFromString(severity),
- )
- if err := s.Send(alert); err != nil {
- log.Warnf("unable to emit alert from rule: %v", err)
- }
- }
- return ""
-}
-
-// kill terminates a process with specified pid.
-func kill(pid uint32) string {
- h, err := syscall.OpenProcess(syscall.PROCESS_TERMINATE, false, pid)
- if err != nil {
- return fmt.Sprintf("couldn't open pid %d for terminating: %v", pid, err)
- }
- defer func() {
- _ = syscall.CloseHandle(h)
- }()
- err = syscall.TerminateProcess(h, uint32(1))
- if err != nil {
- return fmt.Sprintf("fail to kill pid %d: %v", pid, err)
- }
- return ""
-}
diff --git a/pkg/filter/ql/ast.go b/pkg/filter/ql/ast.go
index 67c21ee70..c6fcd1239 100644
--- a/pkg/filter/ql/ast.go
+++ b/pkg/filter/ql/ast.go
@@ -213,6 +213,12 @@ func (v *ValuerEval) Eval(expr Expr) interface{} {
func (v *ValuerEval) evalBinaryExpr(expr *BinaryExpr) interface{} {
lhs := v.Eval(expr.LHS)
+ // lazy evaluation for the AND operator
+ if lhs != nil && expr.Op == and {
+ if val, ok := lhs.(bool); ok && !val {
+ return false
+ }
+ }
rhs := v.Eval(expr.RHS)
if lhs == nil && rhs != nil {
// when the LHS is nil and the RHS is a boolean, implicitly cast the
@@ -709,6 +715,12 @@ func (v *ValuerEval) evalBinaryExpr(expr *BinaryExpr) interface{} {
return false
}
return lhs == rhs
+ case ieq:
+ rhs, ok := rhs.(string)
+ if !ok {
+ return false
+ }
+ return strings.EqualFold(lhs, rhs)
case neq:
rhs, ok := rhs.(string)
if !ok {
@@ -924,12 +936,12 @@ func (v *ValuerEval) evalBinaryExpr(expr *BinaryExpr) interface{} {
ips, ok := rhs.([]net.IP)
if !ok {
// keep backward compatibility with string lists
- ips1, ok := rhs.([]string)
+ addrs, ok := rhs.([]string)
if !ok {
return false
}
- for _, ip := range ips1 {
- if net.ParseIP(ip).Equal(lhs) {
+ for _, s := range addrs {
+ if net.ParseIP(s).Equal(lhs) {
return true
}
}
@@ -1004,6 +1016,19 @@ func (v *ValuerEval) evalBinaryExpr(expr *BinaryExpr) interface{} {
}
}
return false
+ case iin:
+ rhs, ok := rhs.([]string)
+ if !ok {
+ return false
+ }
+ for _, i := range lhs {
+ for _, j := range rhs {
+ if strings.EqualFold(i, j) {
+ return true
+ }
+ }
+ }
+ return false
case startswith:
rhs, ok := rhs.([]string)
if !ok {
@@ -1088,7 +1113,7 @@ func (v *ValuerEval) evalBinaryExpr(expr *BinaryExpr) interface{} {
// the types were not comparable. If our operation was an equality operation,
// return false instead of true.
switch expr.Op {
- case eq, neq, lt, lte, gt, gte:
+ case eq, ieq, neq, lt, lte, gt, gte:
return false
}
return nil
diff --git a/pkg/filter/ql/error.go b/pkg/filter/ql/error.go
index ace1475a2..773f7b437 100644
--- a/pkg/filter/ql/error.go
+++ b/pkg/filter/ql/error.go
@@ -61,10 +61,10 @@ func findPosInLine(expr string, pos int) (int, int) {
break
}
}
- return pos - j + 2, ln
+ return pos - j - 1, ln
default:
// single line expression
- return pos + 1, 1
+ return pos, 1
}
}
}
@@ -126,7 +126,7 @@ func render(e *ParseError) string {
// Error returns the string representation of the error.
func (e *ParseError) Error() string {
if e.Message != "" {
- return fmt.Sprintf("%s at line %d, char %d", e.Message, e.Pos+1, e.Pos+1)
+ return fmt.Sprintf("%s at char %d", e.Message, e.Pos+1)
}
return render(e)
}
diff --git a/pkg/filter/ql/error_test.go b/pkg/filter/ql/error_test.go
index 914fa8745..c88cff05f 100644
--- a/pkg/filter/ql/error_test.go
+++ b/pkg/filter/ql/error_test.go
@@ -20,6 +20,7 @@ package ql
import (
"github.com/stretchr/testify/require"
+ "strings"
"testing"
)
@@ -87,17 +88,17 @@ func TestParseError(t *testing.T) {
|
╰─────────────────── expected field, string, number, bool, ip, function, pattern binding`
- e := newParseError("[", []string{"field, string, number, bool, ip, function, pattern binding"}, 142, expr)
+ e := newParseError("[", []string{"field, string, number, bool, ip, function, pattern binding"}, 145, expr)
require.Equal(t, expected, e.Error())
expr = `ps.name = 'cmd.exe' aand ps.cmdline contains 'ss'`
e = newParseError("[", []string{"operator"}, 20, expr)
- expected1 := `ps.name = 'cmd.exe' aand ps.cmdline contains 'ss'
-â•â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€^
+ expected1 := `
+ps.name = 'cmd.exe' aand ps.cmdline contains 'ss'
+â•â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€^
|
|
╰─────────────────── expected operator`
-
- require.Equal(t, expected1, e.Error())
+ require.Equal(t, strings.TrimSpace(expected1), e.Error())
}
diff --git a/pkg/filter/ql/function.go b/pkg/filter/ql/function.go
index 88d9cc5b3..0d9d21e06 100644
--- a/pkg/filter/ql/function.go
+++ b/pkg/filter/ql/function.go
@@ -60,6 +60,7 @@ var funcs = map[string]FunctionDef{
functions.SubstrFn.String(): &functions.Substr{},
functions.EntropyFn.String(): &functions.Entropy{},
functions.RegexFn.String(): functions.NewRegex(),
+ functions.IsMinidumpFn.String(): functions.IsMinidump{},
}
// FunctionDef is the interface that all function definitions have to satisfy.
diff --git a/pkg/filter/ql/functions/minidump.go b/pkg/filter/ql/functions/minidump.go
new file mode 100644
index 000000000..e15dbc162
--- /dev/null
+++ b/pkg/filter/ql/functions/minidump.go
@@ -0,0 +1,64 @@
+/*
+ * Copyright 2021-2022 by Nedim Sabic Sabic
+ * https://www.fibratus.io
+ * All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package functions
+
+import (
+ "encoding/binary"
+ "io"
+ "os"
+)
+
+// The 4-byte magic number at the start of a minidump file
+const minidumpSignature = 1347241037
+
+// IsMinidump determines if the specified file contains the minidump signature.
+type IsMinidump struct{}
+
+func (f IsMinidump) Call(args []interface{}) (interface{}, bool) {
+ if len(args) < 1 {
+ return false, false
+ }
+ path := args[0].(string)
+
+ file, err := os.Open(path)
+ if err != nil {
+ return false, true
+ }
+ defer file.Close()
+
+ var header [4]byte
+ _, err = io.ReadFull(file, header[:])
+ if err != nil {
+ return false, true
+ }
+ isMinidumpSignature := binary.LittleEndian.Uint32(header[:]) == minidumpSignature
+ return isMinidumpSignature, true
+}
+
+func (f IsMinidump) Desc() FunctionDesc {
+ desc := FunctionDesc{
+ Name: IsMinidumpFn,
+ Args: []FunctionArgDesc{
+ {Keyword: "path", Types: []ArgType{String, Field, Func}, Required: true},
+ },
+ }
+ return desc
+}
+
+func (f IsMinidump) Name() Fn { return IsMinidumpFn }
diff --git a/pkg/filter/ql/functions/regex.go b/pkg/filter/ql/functions/regex.go
index d834b46a7..d2f0e9f9a 100644
--- a/pkg/filter/ql/functions/regex.go
+++ b/pkg/filter/ql/functions/regex.go
@@ -19,9 +19,8 @@
package functions
import (
- "regexp"
-
log "github.com/sirupsen/logrus"
+ "regexp"
)
// Regex applies single/multiple regular expressions on the provided string arguments.
@@ -34,41 +33,43 @@ func NewRegex() *Regex {
return &Regex{rxs: make(map[string]*regexp.Regexp)}
}
-func (f Regex) Call(args []interface{}) (interface{}, bool) {
+func (f *Regex) Call(args []interface{}) (interface{}, bool) {
if len(args) < 2 {
return false, false
}
s := parseString(0, args)
+ // match regular expressions
for _, arg := range args[1:] {
expr, ok := arg.(string)
if !ok {
continue
}
- rx, compiled := f.rxs[expr]
- if compiled && rx == nil {
- continue
- }
- if !compiled {
+ rx, ok := f.rxs[expr]
+ if !ok {
var err error
rx, err = regexp.Compile(expr)
if err != nil {
- log.Warnf("invalid regular expression pattern: %v", err)
- // to avoid compiling the regex ad infinitum
+ log.Warnf(
+ "invalid %q pattern in "+
+ "regex function: %v", expr, err)
f.rxs[expr] = nil
- continue
+ } else {
+ f.rxs[expr] = rx
}
- f.rxs[expr] = rx
+ }
+ if rx == nil {
+ continue
}
if rx.MatchString(s) {
return true, true
}
}
- return false, false
+ return false, true
}
-func (f Regex) Desc() FunctionDesc {
+func (f *Regex) Desc() FunctionDesc {
desc := FunctionDesc{
Name: RegexFn,
Args: []FunctionArgDesc{
@@ -84,4 +85,4 @@ func (f Regex) Desc() FunctionDesc {
return desc
}
-func (f Regex) Name() Fn { return RegexFn }
+func (f *Regex) Name() Fn { return RegexFn }
diff --git a/pkg/filter/ql/functions/regex_test.go b/pkg/filter/ql/functions/regex_test.go
index cac6a93f4..5aa72c187 100644
--- a/pkg/filter/ql/functions/regex_test.go
+++ b/pkg/filter/ql/functions/regex_test.go
@@ -33,6 +33,9 @@ func TestRegex(t *testing.T) {
res1, _ := call.Call([]interface{}{`powershell.exe`, `power.*(shell|hell).dll`, `.*hell.exe`})
assert.True(t, res1.(bool))
+ res3, _ := call.Call([]interface{}{`powershell.exe`, "[`"})
+ assert.False(t, res3.(bool))
+
for i := 0; i < 10; i++ {
res, _ := call.Call([]interface{}{`powershell.exe`, `power.*(shell|hell).dll`, `.*hell.exe`})
assert.True(t, res.(bool))
diff --git a/pkg/filter/ql/functions/types.go b/pkg/filter/ql/functions/types.go
index b6346a411..e2b1f76d2 100644
--- a/pkg/filter/ql/functions/types.go
+++ b/pkg/filter/ql/functions/types.go
@@ -52,6 +52,8 @@ const (
EntropyFn
// RegexFn represents the REGEX function
RegexFn
+ // IsMinidumpFn represents the ISMINIDUMP function
+ IsMinidumpFn
)
// ArgType is the type alias for the argument value type.
@@ -166,6 +168,8 @@ func (f Fn) String() string {
return "ENTROPY"
case RegexFn:
return "REGEX"
+ case IsMinidumpFn:
+ return "IS_MINIDUMP"
default:
return "UNDEFINED"
}
diff --git a/pkg/filter/ql/lexer.go b/pkg/filter/ql/lexer.go
index 383a0c475..961dfa81d 100644
--- a/pkg/filter/ql/lexer.go
+++ b/pkg/filter/ql/lexer.go
@@ -77,6 +77,11 @@ func (s *scanner) scan() (tok token, pos int, lit string) {
return dot, pos, ""
case '=':
return eq, pos, ""
+ case '~':
+ if ch1, _ := s.r.read(); ch1 == '=' {
+ return ieq, pos, ""
+ }
+ s.r.unread()
case '!':
if ch1, _ := s.r.read(); ch1 == '=' {
return neq, pos, ""
diff --git a/pkg/filter/ql/lexer_test.go b/pkg/filter/ql/lexer_test.go
index a9db83c5e..59f457c2b 100644
--- a/pkg/filter/ql/lexer_test.go
+++ b/pkg/filter/ql/lexer_test.go
@@ -43,6 +43,7 @@ func TestScanner(t *testing.T) {
{s: `or`, tok: or},
{s: `=`, tok: eq},
+ {s: `~=`, tok: ieq},
{s: `<>`, tok: neq},
{s: `! `, tok: illegal, lit: "!"},
{s: `<`, tok: lt},
diff --git a/pkg/filter/ql/parser.go b/pkg/filter/ql/parser.go
index 28d584cb6..d08740e20 100644
--- a/pkg/filter/ql/parser.go
+++ b/pkg/filter/ql/parser.go
@@ -21,6 +21,9 @@
package ql
import (
+ "fmt"
+ "github.com/rabbitstack/fibratus/pkg/config"
+ "github.com/rabbitstack/fibratus/pkg/util/multierror"
"net"
"strconv"
"strings"
@@ -29,6 +32,7 @@ import (
// Parser builds the binary expression tree from the filter string.
type Parser struct {
s *bufScanner
+ c *config.Filters
expr string
}
@@ -37,11 +41,15 @@ func NewParser(expr string) *Parser {
return &Parser{s: newBufScanner(strings.NewReader(expr)), expr: expr}
}
+// NewParserWithConfig builds a new parser instance with filters config.
+func NewParserWithConfig(expr string, config *config.Filters) *Parser {
+ return &Parser{s: newBufScanner(strings.NewReader(expr)), expr: expr, c: config}
+}
+
// ParseExpr parses an expression by building the binary expression tree.
func (p *Parser) ParseExpr() (Expr, error) {
var err error
root := &BinaryExpr{}
-
// parse a non-binary expression type to start. This variable will always be
// the root of the expression tree.
root.RHS, err = p.parseUnaryExpr()
@@ -65,7 +73,7 @@ func (p *Parser) ParseExpr() (Expr, error) {
// expect LPAREN after in
tok, pos, lit := p.scanIgnoreWhitespace()
p.unscan()
- if tok != lparen {
+ if tok != lparen && !p.c.IsMacroList(lit) {
return nil, newParseError(tokstr(op, lit), []string{"'('"}, pos, p.expr)
}
}
@@ -167,9 +175,26 @@ func (p *Parser) parseUnaryExpr() (Expr, error) {
if tok0, _, _ := p.scan(); tok0 == lparen {
return p.parseFunction(lit)
}
- // unscan lparen and ident tokens
- p.unscan()
+ // unscan lparen token
p.unscan()
+
+ // expand macros
+ if p.c != nil {
+ macro := p.c.GetMacro(lit)
+ if macro != nil {
+ if macro.Expr != "" {
+ p := NewParserWithConfig(macro.Expr, p.c)
+ expr, err := p.ParseExpr()
+ if err != nil {
+ return nil, multierror.WrapWithSeparator("\n", fmt.Errorf("syntax error in %q macro", lit), err)
+ }
+ return expr, nil
+ }
+ return &ListLiteral{Values: macro.List}, nil
+ }
+ // unscan ident
+ p.unscan()
+ }
case ip:
return &IPLiteral{Value: net.ParseIP(lit)}, nil
case str:
diff --git a/pkg/filter/ql/parser_test.go b/pkg/filter/ql/parser_test.go
index 2dce14d1c..840fbedc8 100644
--- a/pkg/filter/ql/parser_test.go
+++ b/pkg/filter/ql/parser_test.go
@@ -20,6 +20,7 @@ package ql
import (
"errors"
+ "github.com/rabbitstack/fibratus/pkg/config"
"testing"
)
@@ -74,3 +75,89 @@ func TestParser(t *testing.T) {
}
}
}
+
+func TestExpandMacros(t *testing.T) {
+ var tests = []struct {
+ c *config.Filters
+ expr string
+ expectedExpr string
+ err error
+ }{
+ {
+ config.FiltersWithMacros(map[string]*config.Macro{"spawn_process": {Expr: "kevt.name = 'CreateProcess'"}}),
+ "spawn_process and ps.name in ('cmd.exe', 'powershell.exe')",
+ "kevt.name = CreateProcess AND ps.name IN (cmd.exe, powershell.exe)",
+ nil,
+ },
+ {
+ config.FiltersWithMacros(map[string]*config.Macro{"span_process": {Expr: "kevt.name = 'CreateProcess'"}}),
+ "spawn_process and ps.name in ('cmd.exe', 'powershell.exe')",
+ "",
+ errors.New("expected field, string, number, bool, ip, function, pattern binding"),
+ },
+ {
+ config.FiltersWithMacros(map[string]*config.Macro{"spawn_process": {Expr: "kevt.name = 'CreateProcess'"}, "command_clients": {List: []string{"cmd.exe", "pwsh.exe"}}}),
+ "spawn_process and ps.name in command_clients",
+ "kevt.name = CreateProcess AND ps.name IN (cmd.exe, pwsh.exe)",
+ nil,
+ },
+ {
+ config.FiltersWithMacros(map[string]*config.Macro{"spawn_process": {Expr: "kevt.nnname = 'CreateProcess'"}, "command_clients": {List: []string{"cmd.exe", "pwsh.exe"}}}),
+ "spawn_process and ps.name in command_clients",
+ "",
+ errors.New("syntax error in \"spawn_process\" macro. expected field, string, number, bool, ip, function, pattern binding"),
+ },
+ {
+ config.FiltersWithMacros(map[string]*config.Macro{
+ "rename": {Expr: "kevt.name = 'RenameFile'"},
+ "remove": {Expr: "kevt.name = 'DeleteFile'"},
+ "modify": {Expr: "rename or remove"},
+ "wcm_files": {List: []string{"?:\\Users\\*\\AppData\\*\\Microsoft\\Credentials\\*"}}}),
+ "(modify) and file.name imatches wcm_files",
+ "(kevt.name = RenameFile OR kevt.name = DeleteFile) AND file.name IMATCHES (?:\\Users\\*\\AppData\\*\\Microsoft\\Credentials\\*)",
+ nil,
+ },
+ {
+ config.FiltersWithMacros(map[string]*config.Macro{
+ "rename": {Expr: "kevt.name = 'RenameFile'"},
+ "remove": {Expr: "kevt.name = 'DeleteFile'"},
+ "modify": {Expr: "rename or remove"}}),
+ "entropy(file.name) > 0.22 and ren",
+ "",
+ errors.New("expected field, string, number, bool, ip, function, pattern binding"),
+ },
+ {
+ config.FiltersWithMacros(map[string]*config.Macro{
+ "rename": {Expr: "kevt.name = 'RenameFile'"},
+ "remove": {Expr: "kevt.name = 'DeleteFile'"},
+ "modify": {Expr: "rename or remove"}}),
+ "entropy(file.name) > 0.22 and rename",
+ "entropy(file.name) > 2.2e-01 AND kevt.name = RenameFile",
+ nil,
+ },
+ {
+ config.FiltersWithMacros(map[string]*config.Macro{
+ "rename": {Expr: "kevt.name = 'RenameFile'"},
+ "remove": {Expr: "kevt.name = 'DeleteFile'"},
+ "create": {Expr: "kevt.name = 'CreateFile' and file.operation = 'create'"},
+ "modify": {Expr: "rename or remove"},
+ "change_fs": {Expr: "modify or (create)"}}),
+ "change_fs",
+ "kevt.name = RenameFile OR kevt.name = DeleteFile OR (kevt.name = CreateFile AND file.operation = create)",
+ nil,
+ },
+ }
+
+ for i, tt := range tests {
+ p := NewParserWithConfig(tt.expr, tt.c)
+ expr, err := p.ParseExpr()
+ if err == nil && tt.err != nil {
+ t.Errorf("%d. exp=%s expected error=\n%v", i, tt.expr, tt.err)
+ } else if err != nil && tt.err == nil {
+ t.Errorf("%d. exp=%s got error=\n%v", i, tt.expr, err)
+ }
+ if tt.expectedExpr != "" && expr.String() != tt.expectedExpr {
+ t.Errorf("%d. exp=%s expected expr=%v", i, expr.String(), tt.expectedExpr)
+ }
+ }
+}
diff --git a/pkg/filter/ql/token.go b/pkg/filter/ql/token.go
index be8c9a861..5783390ec 100644
--- a/pkg/filter/ql/token.go
+++ b/pkg/filter/ql/token.go
@@ -65,6 +65,7 @@ const (
fuzzynorm // fuzzynorm
ifuzzynorm // ifuzzynorm
eq // =
+ ieq // ~=
neq // !=
lt // <
lte // <=
@@ -129,6 +130,7 @@ var tokens = [...]string{
ifuzzynorm: "IFUZZYNORM",
eq: "=",
+ ieq: "~=",
neq: "!=",
lt: "<",
lte: "<=",
@@ -161,7 +163,7 @@ func (tok token) precedence() int {
return 2
case not:
return 3
- case eq, neq, lt, lte, gt, gte:
+ case eq, ieq, neq, lt, lte, gt, gte:
return 4
case in, iin, contains, icontains, startswith, istartswith, endswith, iendswith,
matches, imatches, fuzzy, ifuzzy, fuzzynorm, ifuzzynorm:
diff --git a/pkg/filter/rules.go b/pkg/filter/rules.go
index a22e1fad4..7fd30aef2 100644
--- a/pkg/filter/rules.go
+++ b/pkg/filter/rules.go
@@ -26,6 +26,9 @@ import (
"expvar"
"fmt"
fsm "github.com/qmuntal/stateless"
+ "github.com/rabbitstack/fibratus/pkg/filter/fields"
+ "sort"
+
"github.com/rabbitstack/fibratus/pkg/kevent/kparams"
"github.com/rabbitstack/fibratus/pkg/kevent/ktypes"
"github.com/rabbitstack/fibratus/pkg/util/atomic"
@@ -35,7 +38,6 @@ import (
"time"
"github.com/rabbitstack/fibratus/pkg/config"
- "github.com/rabbitstack/fibratus/pkg/filter/funcmap"
"github.com/rabbitstack/fibratus/pkg/kevent"
log "github.com/sirupsen/logrus"
)
@@ -57,7 +59,7 @@ var (
partialExpirations = expvar.NewMap("sequence.partial.expirations")
ErrInvalidFilter = func(rule, group string, err error) error {
- return fmt.Errorf("invalid filter %q in %q group: \n%v", rule, group, err)
+ return fmt.Errorf("syntax error in rule %q located in %q group: \n%v", rule, group, err)
}
ErrInvalidPatternBinding = func(rule string) error {
return fmt.Errorf("%q is the initial sequence rule and can't contain pattern bindings", rule)
@@ -103,8 +105,9 @@ type filterGroup struct {
}
type compiledFilter struct {
- filter Filter
- config *config.FilterConfig
+ filter Filter
+ buckets map[ktypes.Ktype]bool
+ config *config.FilterConfig
}
// sequenceState represents the state of the
@@ -126,7 +129,7 @@ type sequenceState struct {
fsm *fsm.StateMachine
- // rule to rule index mapping
+ // rule to rule index mapping. Indices start at 1
idxs map[fsm.State]uint16
maxSpans map[fsm.State]time.Duration
spanDeadlines map[fsm.State]*time.Timer
@@ -230,15 +233,25 @@ func (s *sequenceState) currentState() fsm.State {
}
func (s *sequenceState) addPartial(rule string, kevt *kevent.Kevent) {
- if len(s.partials[s.idxs[rule]]) > maxOutstandingPartials {
- log.Warnf("max partials encountered in sequence %s index %d. "+
+ i := s.idxs[rule]
+ if len(s.partials[i]) > maxOutstandingPartials {
+ log.Warnf("max partials encountered in sequence %s slot [%d]. "+
"Dropping incoming partial", s.name, s.idxs[rule])
return
}
if len(s.bindingIndexes) > 0 {
- log.Debugf("adding partial to slot [%d] for rule %q: %s", s.idxs[rule], rule, kevt)
+ key := kevt.PartialKey()
+ if key != 0 {
+ for _, p := range s.partials[i] {
+ if key == p.PartialKey() {
+ log.Debugf("%s event tuple already in sequence state", kevt.Name)
+ return
+ }
+ }
+ }
+ log.Debugf("adding partial to slot [%d] for rule %q: %s", i, rule, kevt)
partialsPerSequence.Add(s.name, 1)
- s.partials[s.idxs[rule]] = append(s.partials[s.idxs[rule]], kevt)
+ s.partials[i] = append(s.partials[i], kevt)
}
}
@@ -248,8 +261,7 @@ func (s *sequenceState) addMatch(idx uint16, kevt *kevent.Kevent) {
func (s *sequenceState) getPartials(rule string) map[uint16][]*kevent.Kevent {
i := s.idxs[rule] - 1
- // is this is the first rule in the sequence
- // return no partials
+ // no partials for the first rule in the sequence
if i == 0 {
return nil
}
@@ -321,9 +333,8 @@ func (s *sequenceState) expire(e *kevent.Kevent) bool {
return lhs.PID == rhs.PID
}
for _, idx := range s.idxs {
- currentPartials := s.partials[idx]
- for i, e1 := range currentPartials {
- if !canExpire(e1, e) {
+ for i := len(s.partials[idx]) - 1; i >= 0; i-- {
+ if len(s.partials[idx]) > 0 && !canExpire(s.partials[idx][i], e) {
continue
}
// if downstream rule didn't match, and it contains
@@ -335,18 +346,19 @@ func (s *sequenceState) expire(e *kevent.Kevent) bool {
matched := s.matchedRules[idx+1]
bindingIndex := s.bindingIndexes[idx+1]
if !matched && bindingIndex == idx {
- log.Debugf("removing process %s (%d) "+
- "from partials pertaining to sequence [%s]",
+ log.Debugf("removing event originated from %s (%d) "+
+ "in partials pertaining to sequence [%s]",
e.Kparams.MustGetString(kparams.ProcessName),
e.Kparams.MustGetPid(),
s.name)
+ // remove partial event from the corresponding slot
s.partials[idx] = append(
s.partials[idx][:i],
s.partials[idx][i+1:]...)
partialsPerSequence.Add(s.name, -1)
if len(s.partials[idx]) == 0 {
- log.Infof("%q sequence expired. All partials terminated", s.name)
+ log.Infof("%q sequence expired. All partials retracted", s.name)
partialExpirations.Add(s.name, 1)
s.inExpired = true
err := s.expireTransition()
@@ -371,8 +383,22 @@ func newFilterGroup(g config.FilterGroup, filters []compiledFilter) *filterGroup
return &filterGroup{group: g, filters: filters}
}
-func newCompiledFilter(f Filter, filterConfig *config.FilterConfig) compiledFilter {
- return compiledFilter{config: filterConfig, filter: f}
+func newCompiledFilter(f Filter, filterConfig *config.FilterConfig, groupConfig config.FilterGroup) compiledFilter {
+ buckets := make(map[ktypes.Ktype]bool)
+ for name, values := range f.GetStringFields() {
+ if name == fields.KevtName {
+ for _, v := range values {
+ buckets[ktypes.KeventNameToKtype(v)] = true
+ }
+ }
+ }
+ if len(buckets) == 0 && groupConfig.Policy == config.SequencePolicy {
+ log.Warnf("%q rule in %q group doesn't have event type condition! "+
+ "This could cause runtime performance degradation. Please consider "+
+ "narrowing the scope of this rule by including the `kevt.name` condition",
+ filterConfig.Name, groupConfig.Name)
+ }
+ return compiledFilter{config: filterConfig, filter: f, buckets: buckets}
}
// run execute the filter and returns the matching partial index along with
@@ -384,6 +410,16 @@ func (f compiledFilter) run(kevt *kevent.Kevent, i uint16, partials map[uint16][
return f.filter.Run(kevt), i, kevt
}
+// isEligible determines if the filter should be evaluated by inspecting
+// the event type filter fields defined in the expression. We allow an event
+// being eligible for evaluation even when the filter doesn't contain the kevt.name
+// binary expression. However, this is considered a warning which could potentially
+// cause runtime performance degradation if the filter is evaluated against every
+// event.
+func (f compiledFilter) isEligible(ktype ktypes.Ktype) bool {
+ return len(f.buckets) == 0 || f.buckets[ktype]
+}
+
type filterGroups []*filterGroup
func (groups filterGroups) hasIncludePolicy(kevt *kevent.Kevent) bool {
@@ -418,9 +454,14 @@ func expr(c *config.FilterConfig) string {
return c.Def
}
-// Compile loads the filter groups from all files
-// and creates the filters for each filter group.
+// Compile loads macros and rule groups from all
+// indicated resources and creates the rules for
+// each filter group. It also sets up the state
+// machine transitions for sequence rule group policies.
func (r *Rules) Compile() error {
+ if err := r.config.Filters.LoadMacros(); err != nil {
+ return err
+ }
groups, err := r.config.Filters.LoadGroups()
if err != nil {
return err
@@ -430,7 +471,7 @@ func (r *Rules) Compile() error {
log.Warnf("rule group [%s] disabled", group.Name)
continue
}
- log.Infof("loading rule group [%s]", group.Name)
+ log.Infof("loading rule group [%s] with %q policy", group.Name, group.Policy)
rules := append(group.Rules, group.FromStrings...)
if group.Policy != config.SequencePolicy &&
group.Action != "" {
@@ -488,7 +529,7 @@ func (r *Rules) Compile() error {
Permit(expireTransition, sequenceExpiredState)
}
}
- filters = append(filters, newCompiledFilter(f, filterConfig))
+ filters = append(filters, newCompiledFilter(f, filterConfig, group))
filtersCount.Add(1)
}
@@ -564,6 +605,10 @@ func (r *Rules) Fire(kevt *kevent.Kevent) bool {
// the groups with exclude policies got matched
ok = r.runRules(groups, config.IncludePolicy, kevt)
if ok {
+ // transition state machine. In this case
+ // both include/sequence groups could produce
+ // a match
+ r.runRules(groups, config.SequencePolicy, kevt)
return true
}
@@ -587,9 +632,12 @@ nextGroup:
}
// if the sequence expired we'll not keep evaluating
if seqState.expire(kevt) {
- return false
+ continue
}
for i, f := range g.filters {
+ if !f.isEligible(kevt.Type) {
+ continue
+ }
if !seqState.next(i) {
continue
}
@@ -600,7 +648,7 @@ nextGroup:
err := seqState.matchTransition(rule, kevt)
if err != nil {
matchTransitionErrors.Add(1)
- log.Warnf("match transition: %v", err)
+ log.Warnf("match transition failure: %v", err)
}
seqState.addMatch(uint16(i+1), kevt)
seqState.addMatch(idx, e)
@@ -611,13 +659,16 @@ nextGroup:
log.Debugf("rule group [%s] matched", g.group.Name)
// this is the event that triggered the group match
kevt.AddMeta(kevent.RuleGroupKey, g.group.Name)
+ for k, v := range g.group.Labels {
+ kevt.AddMeta(kevent.MetadataKey(k), v)
+ }
err := runFilterAction(nil, seqState.matches, g.group, nil)
if err != nil {
log.Warnf("unable to execute %q sequence action: %v", g.group.Name, err)
}
seqState.clear()
+ return done
}
- return done
}
var andMatched bool
// process include/exclude filter groups. Each of them
@@ -648,13 +699,16 @@ nextGroup:
if ok {
includeOrFilterMatches.Add(f.config.Name, 1)
log.Debugf("rule [%s] in group [%s] matched", f.config.Name, g.group.Name)
+ // attach rule and group meta
+ kevt.AddMeta(kevent.RuleNameKey, f.config.Name)
+ kevt.AddMeta(kevent.RuleGroupKey, g.group.Name)
+ for k, v := range g.group.Labels {
+ kevt.AddMeta(kevent.MetadataKey(k), v)
+ }
err := runFilterAction(kevt, nil, g.group, f.config)
if err != nil {
log.Warnf("unable to execute %q rule action: %v", f.config.Name, err)
}
- // attach rule and group meta
- kevt.AddMeta(kevent.RuleNameKey, f.config.Name)
- kevt.AddMeta(kevent.RuleGroupKey, g.group.Name)
return true
}
case config.AndRelation:
@@ -690,17 +744,6 @@ nextGroup:
return false
}
-// ActionContext is the convenient structure
-// for grouping the event that resulted in
-// matched filter along with filter group
-// information.
-type ActionContext struct {
- Kevt *kevent.Kevent
- Kevts map[string]*kevent.Kevent
- Filter *config.FilterConfig
- Group config.FilterGroup
-}
-
// runFilterAction executes the template associated with the filter
// that has produced a match in one of the include groups.
func runFilterAction(
@@ -712,35 +755,43 @@ func runFilterAction(
if (filter != nil && filter.Action == "") && group.Action == "" {
return nil
}
- var action []byte
+ var actionBlock []byte
var err error
if group.Policy == config.SequencePolicy {
- action, err = base64.StdEncoding.DecodeString(group.Action)
+ actionBlock, err = base64.StdEncoding.DecodeString(group.Action)
} else {
if filter == nil {
panic("filter shouldn't be nil")
}
- action, err = base64.StdEncoding.DecodeString(filter.Action)
+ actionBlock, err = base64.StdEncoding.DecodeString(filter.Action)
}
if err != nil {
return fmt.Errorf("corrupted filter/group action: %v", err)
}
- fmap := funcmap.New()
- funcmap.InitFuncs(fmap)
- tmpl, err := template.New(group.Name).Funcs(fmap).Parse(string(action))
- if err != nil {
- return err
+ events := make([]*kevent.Kevent, 0)
+ matches := make(map[string]*kevent.Kevent, len(kevts))
+ if kevt != nil {
+ events = append(events, kevt)
+ } else {
+ for k, kevt := range kevts {
+ events = append(events, kevt)
+ matches["k"+strconv.Itoa(int(k))] = kevt
+ }
+ sort.Slice(events, func(i, j int) bool { return events[i].Timestamp.Before(events[j].Timestamp) })
}
- matches := make(map[string]*kevent.Kevent, len(kevts))
- for k, v := range kevts {
- matches["k"+strconv.Itoa(int(k))] = v
+ fmap := NewFuncMap()
+ InitFuncs(fmap)
+ tmpl, err := template.New(group.Name).Funcs(fmap).Parse(string(actionBlock))
+ if err != nil {
+ return err
}
- ctx := &ActionContext{
+ ctx := &config.ActionContext{
Kevt: kevt,
Kevts: matches,
+ Events: events,
Filter: filter,
Group: group,
}
diff --git a/pkg/filter/rules_test.go b/pkg/filter/rules_test.go
index 3f3e3f9b1..94470213e 100644
--- a/pkg/filter/rules_test.go
+++ b/pkg/filter/rules_test.go
@@ -22,6 +22,7 @@ import (
"github.com/rabbitstack/fibratus/pkg/fs"
log "github.com/sirupsen/logrus"
"net"
+ "sync"
"testing"
"time"
@@ -37,6 +38,7 @@ import (
type mockSender struct{}
+var mu sync.Mutex
var emitAlert *alertsender.Alert
func (s *mockSender) Send(a alertsender.Alert) error {
@@ -44,6 +46,10 @@ func (s *mockSender) Send(a alertsender.Alert) error {
return nil
}
+func (s *mockSender) Type() alertsender.Type {
+ return alertsender.None
+}
+
func makeSender(config alertsender.Config) (alertsender.Sender, error) {
return &mockSender{}, nil
}
@@ -56,10 +62,11 @@ func fireRules(t *testing.T, c *config.Config) bool {
rules := NewRules(c)
kevt := &kevent.Kevent{
- Type: ktypes.Recv,
- Name: "Recv",
- Tid: 2484,
- PID: 859,
+ Type: ktypes.Recv,
+ Name: "Recv",
+ Tid: 2484,
+ PID: 859,
+ Category: ktypes.Net,
Kparams: kevent.Kparams{
kparams.NetDport: {Name: kparams.NetDport, Type: kparams.Uint16, Value: uint16(443)},
kparams.NetSport: {Name: kparams.NetSport, Type: kparams.Uint16, Value: uint16(43123)},
@@ -284,10 +291,11 @@ func TestSimpleSequencePolicy(t *testing.T) {
}
kevt2 := &kevent.Kevent{
- Type: ktypes.CreateFile,
- Name: "CreateFile",
- Tid: 2484,
- PID: 859,
+ Type: ktypes.CreateFile,
+ Name: "CreateFile",
+ Tid: 2484,
+ PID: 859,
+ Category: ktypes.File,
PS: &types.PS{
Name: "cmd.exe",
Exe: "C:\\Windows\\system32\\svchost.exe",
@@ -320,10 +328,11 @@ func TestSimpleSequencePolicyWithMaxSpanReached(t *testing.T) {
}
kevt2 := &kevent.Kevent{
- Type: ktypes.CreateFile,
- Name: "CreateFile",
- Tid: 2484,
- PID: 859,
+ Type: ktypes.CreateFile,
+ Name: "CreateFile",
+ Tid: 2484,
+ PID: 859,
+ Category: ktypes.File,
PS: &types.PS{
Name: "cmd.exe",
Exe: "C:\\Windows\\system32\\svchost.exe",
@@ -365,10 +374,11 @@ func TestSimpleSequencePolicyWithMaxSpanNotReached(t *testing.T) {
}
kevt2 := &kevent.Kevent{
- Type: ktypes.CreateFile,
- Name: "CreateFile",
- Tid: 2484,
- PID: 859,
+ Type: ktypes.CreateFile,
+ Name: "CreateFile",
+ Tid: 2484,
+ PID: 859,
+ Category: ktypes.File,
PS: &types.PS{
Name: "cmd.exe",
Exe: "C:\\Windows\\system32\\svchost.exe",
@@ -402,10 +412,11 @@ func TestSimpleSequencePolicyPatternBindings(t *testing.T) {
}
kevt2 := &kevent.Kevent{
- Type: ktypes.CreateFile,
- Name: "CreateFile",
- Tid: 2484,
- PID: 859,
+ Type: ktypes.CreateFile,
+ Name: "CreateFile",
+ Tid: 2484,
+ PID: 859,
+ Category: ktypes.File,
PS: &types.PS{
Name: "cmd.exe",
Exe: "C:\\Windows\\system32\\svchost.exe",
@@ -441,11 +452,12 @@ func TestSequenceComplexPatternBindings(t *testing.T) {
}
kevt2 := &kevent.Kevent{
- Seq: 2,
- Type: ktypes.CreateFile,
- Name: "CreateFile",
- Tid: 2484,
- PID: 2243,
+ Seq: 2,
+ Type: ktypes.CreateFile,
+ Name: "CreateFile",
+ Tid: 2484,
+ PID: 2243,
+ Category: ktypes.File,
PS: &types.PS{
Name: "firefox.exe",
Exe: "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
@@ -511,8 +523,12 @@ func TestSequenceComplexPatternBindings(t *testing.T) {
// register alert sender
require.NoError(t, alertsender.LoadAll([]alertsender.Config{{Type: alertsender.Noop}}))
+ mu.Lock()
+ defer mu.Unlock()
require.True(t, rules.Fire(kevt4))
+ time.Sleep(time.Millisecond * 25)
+
// check the format of the generated alert
require.NotNil(t, emitAlert)
assert.Equal(t, "Phishing dropper outbound communication", emitAlert.Title)
@@ -536,10 +552,11 @@ func TestFilterActionEmitAlert(t *testing.T) {
require.NoError(t, rules.Compile())
kevt := &kevent.Kevent{
- Type: ktypes.Recv,
- Name: "Recv",
- Tid: 2484,
- PID: 859,
+ Type: ktypes.Recv,
+ Name: "Recv",
+ Tid: 2484,
+ PID: 859,
+ Category: ktypes.Net,
PS: &types.PS{
Name: "cmd.exe",
},
@@ -551,9 +568,10 @@ func TestFilterActionEmitAlert(t *testing.T) {
},
Metadata: make(map[kevent.MetadataKey]string),
}
-
+ mu.Lock()
+ defer mu.Unlock()
require.True(t, rules.Fire(kevt))
-
+ time.Sleep(time.Millisecond * 25)
require.NotNil(t, emitAlert)
assert.Equal(t, "Test alert", emitAlert.Title)
assert.Equal(t, "cmd.exe process received data on port 443", emitAlert.Text)
@@ -562,6 +580,52 @@ func TestFilterActionEmitAlert(t *testing.T) {
emitAlert = nil
}
+func TestIsKtypeEligible(t *testing.T) {
+ rules := NewRules(newConfig("_fixtures/sequence_policy_simple_pattern_bindings.yml"))
+ require.NoError(t, rules.Compile())
+ log.SetLevel(log.DebugLevel)
+
+ kevt1 := &kevent.Kevent{
+ Type: ktypes.CreateProcess,
+ Name: "CreateProcess",
+ Tid: 2484,
+ PID: 859,
+ PS: &types.PS{
+ Name: "cmd.exe",
+ Exe: "C:\\Windows\\system32\\svchost.exe",
+ },
+ Kparams: kevent.Kparams{
+ kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.Uint32, Value: uint32(4143)},
+ },
+ Metadata: map[kevent.MetadataKey]string{"foo": "bar", "fooz": "barzz"},
+ }
+
+ kevt2 := &kevent.Kevent{
+ Type: ktypes.CreateFile,
+ Name: "CreateFile",
+ Tid: 2484,
+ PID: 859,
+ PS: &types.PS{
+ Name: "cmd.exe",
+ Exe: "C:\\Windows\\system32\\svchost.exe",
+ },
+ Kparams: kevent.Kparams{
+ kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "C:\\Temp\\dropper"},
+ },
+ Metadata: map[kevent.MetadataKey]string{"foo": "bar", "fooz": "barzz"},
+ }
+
+ groups := rules.sequenceGroups
+ for _, g := range groups {
+ for _, f := range g.filters {
+ if f.config.Name == "spawn command shell" {
+ assert.False(t, f.isEligible(kevt2.Type))
+ assert.True(t, f.isEligible(kevt1.Type))
+ }
+ }
+ }
+}
+
func BenchmarkChainRun(b *testing.B) {
b.ReportAllocs()
@@ -570,10 +634,11 @@ func BenchmarkChainRun(b *testing.B) {
kevts := []*kevent.Kevent{
{
- Type: ktypes.Connect,
- Name: "Recv",
- Tid: 2484,
- PID: 859,
+ Type: ktypes.Connect,
+ Name: "Recv",
+ Tid: 2484,
+ PID: 859,
+ Category: ktypes.Net,
PS: &types.PS{
Name: "cmd.exe",
},
diff --git a/pkg/handle/key.go b/pkg/handle/key.go
index b88704c02..5e5b7853a 100644
--- a/pkg/handle/key.go
+++ b/pkg/handle/key.go
@@ -30,14 +30,15 @@ import (
"github.com/rabbitstack/fibratus/pkg/syscall/security"
)
+var (
+ hklmPrefixes = []string{"\\REGISTRY\\MACHINE", "\\Registry\\Machine", "\\Registry\\MACHINE"}
+ hkcrPrefixes = []string{"\\REGISTRY\\MACHINE\\SOFTWARE\\CLASSES", "\\Registry\\Machine\\Software\\Classes"}
+ hkuPrefixes = []string{"\\REGISTRY\\USER", "\\Registry\\User"}
+)
+
const (
- hklmPrefixUppercase = "\\REGISTRY\\MACHINE"
- hklmPrefixCapitalized = "\\Registry\\Machine"
- hkcrPrefixUppercase = "\\REGISTRY\\MACHINE\\SOFTWARE\\CLASSES"
- hkcrPrefixCapitalized = "\\Registry\\Machine\\Software\\Classes"
- hkuPrefixUppercase = "\\REGISTRY\\USER"
- hkuPrefixCapitalized = "\\Registry\\User"
- // hive represents an application hive. Application hives are loaded by user-mode processes via RegLoadAppKey to store application-specific state data.
+ // hive represents an application hive. Application hives are loaded by user-mode processes
+ // via RegLoadAppKey to store application-specific state data.
hive = "\\REGISTRY\\A"
)
@@ -52,12 +53,15 @@ var (
// FormatKey produces a root,key tuple from registry native key name.
func FormatKey(key string) (registry.Key, string) {
- if strings.HasPrefix(key, hklmPrefixUppercase) || strings.HasPrefix(key, hklmPrefixCapitalized) {
- return registry.LocalMachine, subkey(key, hklmPrefixUppercase)
+ for _, p := range hklmPrefixes {
+ if strings.HasPrefix(key, p) {
+ return registry.LocalMachine, subkey(key, p)
+ }
}
-
- if strings.HasPrefix(key, hkcrPrefixUppercase) || strings.HasPrefix(key, hkcrPrefixCapitalized) {
- return registry.ClassesRoot, subkey(key, hkcrPrefixUppercase)
+ for _, p := range hkcrPrefixes {
+ if strings.HasPrefix(key, p) {
+ return registry.ClassesRoot, subkey(key, p)
+ }
}
once.Do(func() { initKeys() })
@@ -65,9 +69,10 @@ func FormatKey(key string) (registry.Key, string) {
if root, k := findSIDKey(key); root != registry.InvalidKey {
return root, k
}
-
- if strings.HasPrefix(key, hkuPrefixUppercase) || strings.HasPrefix(key, hkuPrefixCapitalized) {
- return registry.Users, subkey(key, hkuPrefixUppercase)
+ for _, p := range hkuPrefixes {
+ if strings.HasPrefix(key, p) {
+ return registry.Users, subkey(key, p)
+ }
}
if strings.HasPrefix(key, hive) {
@@ -88,7 +93,7 @@ func initKeys() {
mux.Lock()
defer mux.Unlock()
for _, sid := range sids {
- user := hkuPrefixUppercase + "\\" + sid
+ user := "\\REGISTRY\\USER\\" + sid
keys = append(keys, user, user+"\\_Classes")
}
}
diff --git a/pkg/handle/object_test.go b/pkg/handle/object_test.go
index 4312d5fe9..db2926e44 100644
--- a/pkg/handle/object_test.go
+++ b/pkg/handle/object_test.go
@@ -40,7 +40,7 @@ var (
)
func createNamedPipe(name *uint16, openMode uint32, pipeMode uint32, maxInstances uint32, outBufSize uint32, inBufSize uint32, defaultTimeout uint32, sa *syscall.SecurityAttributes) (handle syscall.Handle, err error) {
- r0, _, e1 := syscall.Syscall9(procCreateNamedPipeW.Addr(), 8, uintptr(unsafe.Pointer(name)), uintptr(openMode), uintptr(pipeMode), uintptr(maxInstances), uintptr(outBufSize), uintptr(inBufSize), uintptr(defaultTimeout), uintptr(unsafe.Pointer(sa)), 0)
+ r0, _, e1 := syscall.SyscallN(procCreateNamedPipeW.Addr(), uintptr(unsafe.Pointer(name)), uintptr(openMode), uintptr(pipeMode), uintptr(maxInstances), uintptr(outBufSize), uintptr(inBufSize), uintptr(defaultTimeout), uintptr(unsafe.Pointer(sa)), 0)
handle = syscall.Handle(r0)
if handle == syscall.InvalidHandle {
if e1 != 0 {
diff --git a/pkg/handle/snapshotter.go b/pkg/handle/snapshotter.go
index 5e433eb7f..518a83dfc 100644
--- a/pkg/handle/snapshotter.go
+++ b/pkg/handle/snapshotter.go
@@ -54,6 +54,13 @@ var (
currentPid = uint32(os.Getpid())
)
+const (
+ // maxProcHandles determines the maximum number of handles the handle snapshotter can store
+ maxProcHandles = 70000
+ // maxHandlesPerProc determines the maximum number of handles a particular process state can store
+ maxHandlesPerProc = 800
+)
+
// CreateCallback defines the function that is triggered when new handle is conceived
type CreateCallback func(pid uint32, handle htypes.Handle)
@@ -195,6 +202,11 @@ func (s *snapshotter) FindHandles(pid uint32) ([]htypes.Handle, error) {
// the type and the name of each allocated handle
handles := make([]htypes.Handle, 0)
count := snapshot.NumberOfHandles
+ if count > maxHandlesPerProc {
+ log.Warnf("maximum handle table size reached for %d pid. "+
+ "Shrinking table size from %d to %d handles", pid, count, maxHandlesPerProc)
+ count = maxHandlesPerProc
+ }
sysHandles := (*[1 << 30]object.ProcessHandleTableEntryInfo)(unsafe.Pointer(&snapshot.Handles[0]))[:count:count]
for _, sh := range sysHandles {
@@ -224,6 +236,10 @@ func (s *snapshotter) initSnapshot() {
} else if err == nil {
sysHandleInfo := (*object.SystemHandleInformationEx)(unsafe.Pointer(&buf[0]))
count := int(sysHandleInfo.NumberOfHandles)
+ if count > maxProcHandles {
+ log.Warnf("handle snapshotter size exceeded. Shrinking from %d to %d handles", count, maxProcHandles)
+ count = maxProcHandles
+ }
sysHandles := (*[1 << 30]object.SystemHandleTableEntryInfoEx)(unsafe.Pointer(&sysHandleInfo.Handles[0]))[:count:count]
// iterate through available handles to get extended info
@@ -344,6 +360,10 @@ func (s *snapshotter) housekeeping() {
} else if err == nil {
sysHandleInfo := (*object.SystemHandleInformationEx)(unsafe.Pointer(&buf[0]))
count := int(sysHandleInfo.NumberOfHandles)
+ if count > maxProcHandles {
+ log.Warnf("handle snapshotter size exceeded. Shrinking from %d to %d handles", count, maxProcHandles)
+ count = maxProcHandles
+ }
sysHandles := (*[1 << 30]object.SystemHandleTableEntryInfoEx)(unsafe.Pointer(&sysHandleInfo.Handles[0]))[:count:count]
s.Lock()
diff --git a/pkg/kevent/formatter_windows.go b/pkg/kevent/formatter_windows.go
index b4358a905..4c2c465b9 100644
--- a/pkg/kevent/formatter_windows.go
+++ b/pkg/kevent/formatter_windows.go
@@ -20,7 +20,6 @@ package kevent
import (
"strconv"
- "strings"
)
// Format applies the template on the provided kernel event.
@@ -66,7 +65,7 @@ func (f *Formatter) Format(kevt *Kevent) []byte {
// expand all parameters into the map so we can ask
// for specific parameter names in the template
for _, kpar := range kevt.Kparams {
- values[".Kparams."+strings.Title(kpar.Name)] = kpar.String()
+ values[".Kparams."+caser.String(kpar.Name)] = kpar.String()
}
}
diff --git a/pkg/kevent/kevent_windows.go b/pkg/kevent/kevent_windows.go
index b4b1b3966..1c2b68813 100644
--- a/pkg/kevent/kevent_windows.go
+++ b/pkg/kevent/kevent_windows.go
@@ -18,14 +18,257 @@
package kevent
-import "github.com/rabbitstack/fibratus/pkg/kevent/ktypes"
+import (
+ "encoding/binary"
+ "fmt"
+ "github.com/rabbitstack/fibratus/pkg/kevent/kparams"
+ "github.com/rabbitstack/fibratus/pkg/kevent/ktypes"
+ "hash/fnv"
+ "strings"
+)
// IsNetworkTCP determines whether the kevent pertains to network TCP events.
func (kevt Kevent) IsNetworkTCP() bool {
- return kevt.Type != ktypes.RecvUDPv4 && kevt.Type != ktypes.RecvUDPv6 && kevt.Type != ktypes.SendUDPv4 && kevt.Type != ktypes.SendUDPv6
+ return kevt.Category == ktypes.Net && kevt.Type != ktypes.RecvUDPv4 && kevt.Type != ktypes.RecvUDPv6 && kevt.Type != ktypes.SendUDPv4 && kevt.Type != ktypes.SendUDPv6
}
// IsNetworkUDP determines whether the kevent pertains to network UDP events.
func (kevt Kevent) IsNetworkUDP() bool {
return kevt.Type == ktypes.RecvUDPv4 || kevt.Type == ktypes.RecvUDPv6 || kevt.Type == ktypes.SendUDPv4 || kevt.Type == ktypes.SendUDPv6
}
+
+// PartialKey computes the unique hash of the event
+// that can be employed to determine if the event
+// from the given process and source has been processed
+// in the rule sequences.
+func (kevt Kevent) PartialKey() uint64 {
+ switch kevt.Type {
+ case ktypes.WriteFile, ktypes.ReadFile:
+ b := make([]byte, 12)
+ object, _ := kevt.Kparams.GetUint64(kparams.FileObject)
+
+ binary.LittleEndian.PutUint32(b, kevt.PID)
+ binary.LittleEndian.PutUint64(b, object)
+
+ return fnvHash(b)
+ case ktypes.CreateFile:
+ file, _ := kevt.Kparams.GetString(kparams.FileName)
+ b := make([]byte, 4+len(file))
+
+ binary.LittleEndian.PutUint32(b, kevt.PID)
+ b = append(b, []byte(file)...)
+
+ return fnvHash(b)
+ case ktypes.OpenProcess:
+ b := make([]byte, 8)
+ pid, _ := kevt.Kparams.GetUint32(kparams.ProcessID)
+ access, _ := kevt.Kparams.GetUint32(kparams.DesiredAccess)
+
+ binary.LittleEndian.PutUint32(b, kevt.PID)
+ binary.LittleEndian.PutUint32(b, pid)
+ binary.LittleEndian.PutUint32(b, access)
+ return fnvHash(b)
+ case ktypes.OpenThread:
+ b := make([]byte, 8)
+ tid, _ := kevt.Kparams.GetUint32(kparams.ThreadID)
+ access, _ := kevt.Kparams.GetUint32(kparams.DesiredAccess)
+
+ binary.LittleEndian.PutUint32(b, kevt.PID)
+ binary.LittleEndian.PutUint32(b, tid)
+ binary.LittleEndian.PutUint32(b, access)
+ return fnvHash(b)
+ case ktypes.AcceptTCPv4, ktypes.RecvTCPv4, ktypes.RecvUDPv4:
+ b := make([]byte, 10)
+
+ ip, _ := kevt.Kparams.GetIP(kparams.NetSIP)
+ port, _ := kevt.Kparams.GetUint16(kparams.NetSport)
+
+ binary.LittleEndian.PutUint32(b, kevt.PID)
+ binary.LittleEndian.PutUint32(b, binary.BigEndian.Uint32(ip.To4()))
+ binary.LittleEndian.PutUint16(b, port)
+ return fnvHash(b)
+ case ktypes.AcceptTCPv6, ktypes.RecvTCPv6, ktypes.RecvUDPv6:
+ b := make([]byte, 22)
+
+ ip, _ := kevt.Kparams.GetIP(kparams.NetSIP)
+ port, _ := kevt.Kparams.GetUint16(kparams.NetSport)
+
+ binary.LittleEndian.PutUint32(b, kevt.PID)
+ binary.LittleEndian.PutUint64(b, binary.BigEndian.Uint64(ip.To16()[0:8]))
+ binary.LittleEndian.PutUint64(b, binary.BigEndian.Uint64(ip.To16()[8:16]))
+ binary.LittleEndian.PutUint16(b, port)
+ return fnvHash(b)
+ case ktypes.ConnectTCPv4, ktypes.SendTCPv4, ktypes.SendUDPv4:
+ b := make([]byte, 10)
+
+ ip, _ := kevt.Kparams.GetIP(kparams.NetDIP)
+ port, _ := kevt.Kparams.GetUint16(kparams.NetDport)
+
+ binary.LittleEndian.PutUint32(b, kevt.PID)
+ binary.LittleEndian.PutUint32(b, binary.BigEndian.Uint32(ip.To4()))
+ binary.LittleEndian.PutUint16(b, port)
+ return fnvHash(b)
+ case ktypes.ConnectTCPv6, ktypes.SendTCPv6, ktypes.SendUDPv6:
+ b := make([]byte, 22)
+
+ ip, _ := kevt.Kparams.GetIP(kparams.NetDIP)
+ port, _ := kevt.Kparams.GetUint16(kparams.NetDport)
+
+ binary.LittleEndian.PutUint32(b, kevt.PID)
+ binary.LittleEndian.PutUint64(b, binary.BigEndian.Uint64(ip.To16()[0:8]))
+ binary.LittleEndian.PutUint64(b, binary.BigEndian.Uint64(ip.To16()[8:16]))
+ binary.LittleEndian.PutUint16(b, port)
+ return fnvHash(b)
+ case ktypes.RegOpenKey, ktypes.RegQueryKey, ktypes.RegQueryValue,
+ ktypes.RegDeleteKey, ktypes.RegDeleteValue, ktypes.RegSetValue:
+ key, _ := kevt.Kparams.GetString(kparams.RegKeyName)
+ b := make([]byte, 4+len(key))
+
+ binary.LittleEndian.PutUint32(b, kevt.PID)
+ b = append(b, key...)
+ return fnvHash(b)
+ }
+ return 0
+}
+
+// Summary returns a brief summary of this event. Various important substrings
+// in the summary text are highlighted by surrounding them inside HTML tags.
+func (kevt *Kevent) Summary() string {
+ switch kevt.Type {
+ case ktypes.CreateProcess:
+ exe := kevt.Kparams.MustGetString(kparams.Exe)
+ sid := kevt.Kparams.MustGetString(kparams.UserSID)
+ return printSummary(kevt, fmt.Sprintf("spawned %s process as %s user", exe, sid))
+ case ktypes.TerminateProcess:
+ exe := kevt.Kparams.MustGetString(kparams.Exe)
+ sid := kevt.Kparams.MustGetString(kparams.UserSID)
+ return printSummary(kevt, fmt.Sprintf("terminated %s process as %s user", exe, sid))
+ case ktypes.OpenProcess:
+ access, _ := kevt.Kparams.GetStringSlice(kparams.DesiredAccessNames)
+ exe, _ := kevt.Kparams.GetString(kparams.Exe)
+ return printSummary(kevt, fmt.Sprintf("opened %s process object with %s access right(s)",
+ exe, strings.Join(access, "|")))
+ case ktypes.CreateThread:
+ tid, _ := kevt.Kparams.GetTid()
+ addr, _ := kevt.Kparams.GetHex(kparams.ThreadEntrypoint)
+ return printSummary(kevt, fmt.Sprintf("spawned a new thread with %d id at %s address",
+ tid, addr))
+ case ktypes.TerminateThread:
+ tid, _ := kevt.Kparams.GetTid()
+ addr, _ := kevt.Kparams.GetHex(kparams.ThreadEntrypoint)
+ return printSummary(kevt, fmt.Sprintf("terminated a thread with %d id at %s address",
+ tid, addr))
+ case ktypes.OpenThread:
+ access, _ := kevt.Kparams.GetStringSlice(kparams.DesiredAccessNames)
+ exe, _ := kevt.Kparams.GetString(kparams.Exe)
+ return printSummary(kevt, fmt.Sprintf("opened %s process' thread object with %s access right(s)",
+ exe, strings.Join(access, "|")))
+ case ktypes.LoadImage:
+ filename, _ := kevt.Kparams.GetString(kparams.FileName)
+ return printSummary(kevt, fmt.Sprintf("loaded %s module", filename))
+ case ktypes.UnloadImage:
+ filename, _ := kevt.Kparams.GetString(kparams.FileName)
+ return printSummary(kevt, fmt.Sprintf("unloaded %s module", filename))
+ case ktypes.CreateFile:
+ op := kevt.Kparams.MustGetFileOperation()
+ filename := kevt.Kparams.MustGetString(kparams.FileName)
+ return printSummary(kevt, fmt.Sprintf("%sed a file %s", op, filename))
+ case ktypes.ReadFile:
+ filename, _ := kevt.Kparams.GetString(kparams.FileName)
+ size, _ := kevt.Kparams.GetUint32(kparams.FileIoSize)
+ return printSummary(kevt, fmt.Sprintf("read %d bytes from %s file", size, filename))
+ case ktypes.WriteFile:
+ filename, _ := kevt.Kparams.GetString(kparams.FileName)
+ size, _ := kevt.Kparams.GetUint32(kparams.FileIoSize)
+ return printSummary(kevt, fmt.Sprintf("wrote %d bytes to %s file", size, filename))
+ case ktypes.SetFileInformation:
+ filename, _ := kevt.Kparams.GetString(kparams.FileName)
+ class, _ := kevt.Kparams.GetString(kparams.FileInfoClass)
+ return printSummary(kevt, fmt.Sprintf("set %s information class on %s file", class, filename))
+ case ktypes.DeleteFile:
+ filename, _ := kevt.Kparams.GetString(kparams.FileName)
+ return printSummary(kevt, fmt.Sprintf("deleted %s file", filename))
+ case ktypes.RenameFile:
+ filename, _ := kevt.Kparams.GetString(kparams.FileName)
+ return printSummary(kevt, fmt.Sprintf("renamed %s file", filename))
+ case ktypes.CloseFile:
+ filename, _ := kevt.Kparams.GetString(kparams.FileName)
+ return printSummary(kevt, fmt.Sprintf("closed %s file", filename))
+ case ktypes.EnumDirectory:
+ filename, _ := kevt.Kparams.GetString(kparams.FileName)
+ return printSummary(kevt, fmt.Sprintf("enumerated %s directory", filename))
+ case ktypes.RegCreateKey:
+ key, _ := kevt.Kparams.GetString(kparams.RegKeyName)
+ return printSummary(kevt, fmt.Sprintf("created %s key", key))
+ case ktypes.RegOpenKey:
+ key, _ := kevt.Kparams.GetString(kparams.RegKeyName)
+ return printSummary(kevt, fmt.Sprintf("opened %s key", key))
+ case ktypes.RegDeleteKey:
+ key, _ := kevt.Kparams.GetString(kparams.RegKeyName)
+ return printSummary(kevt, fmt.Sprintf("deleted %s key", key))
+ case ktypes.RegQueryKey:
+ key, _ := kevt.Kparams.GetString(kparams.RegKeyName)
+ return printSummary(kevt, fmt.Sprintf("queried %s key", key))
+ case ktypes.RegSetValue:
+ key, _ := kevt.Kparams.GetString(kparams.RegKeyName)
+ val, err := kevt.Kparams.GetString(kparams.RegValue)
+ if err != nil {
+ return printSummary(kevt, fmt.Sprintf("set %s value", key))
+ }
+ return printSummary(kevt, fmt.Sprintf("set %s payload in %s value", val, key))
+ case ktypes.RegDeleteValue:
+ key, _ := kevt.Kparams.GetString(kparams.RegKeyName)
+ return printSummary(kevt, fmt.Sprintf("deleted %s value", key))
+ case ktypes.RegQueryValue:
+ key, _ := kevt.Kparams.GetString(kparams.RegKeyName)
+ return printSummary(kevt, fmt.Sprintf("queried %s value", key))
+ case ktypes.AcceptTCPv4, ktypes.AcceptTCPv6:
+ ip, _ := kevt.Kparams.GetIP(kparams.NetSIP)
+ port, _ := kevt.Kparams.GetUint16(kparams.NetSport)
+ return printSummary(kevt, fmt.Sprintf("accepted connection from %v and %d port", ip, port))
+ case ktypes.ConnectTCPv4, ktypes.ConnectTCPv6:
+ ip, _ := kevt.Kparams.GetIP(kparams.NetDIP)
+ port, _ := kevt.Kparams.GetUint16(kparams.NetDport)
+ return printSummary(kevt, fmt.Sprintf("connected to %v and %d port", ip, port))
+ case ktypes.SendTCPv4, ktypes.SendTCPv6, ktypes.SendUDPv4, ktypes.SendUDPv6:
+ ip, _ := kevt.Kparams.GetIP(kparams.NetDIP)
+ port, _ := kevt.Kparams.GetUint16(kparams.NetDport)
+ size, _ := kevt.Kparams.GetUint32(kparams.NetSize)
+ return printSummary(kevt, fmt.Sprintf("sent %d bytes to %v and %d port",
+ size, ip, port))
+ case ktypes.RecvTCPv4, ktypes.RecvTCPv6, ktypes.RecvUDPv4, ktypes.RecvUDPv6:
+ ip, _ := kevt.Kparams.GetIP(kparams.NetSIP)
+ port, _ := kevt.Kparams.GetUint16(kparams.NetSport)
+ size, _ := kevt.Kparams.GetUint32(kparams.NetSize)
+ return printSummary(kevt, fmt.Sprintf("received %d bytes from %v and %d port",
+ size, ip, port))
+ case ktypes.CreateHandle:
+ handleType, _ := kevt.Kparams.GetString(kparams.HandleObjectTypeName)
+ handleName, _ := kevt.Kparams.GetString(kparams.HandleObjectName)
+ return printSummary(kevt, fmt.Sprintf("created %s handle of %s type",
+ handleName, handleType))
+ case ktypes.CloseHandle:
+ handleType, _ := kevt.Kparams.GetString(kparams.HandleObjectTypeName)
+ handleName, _ := kevt.Kparams.GetString(kparams.HandleObjectName)
+ return printSummary(kevt, fmt.Sprintf("closed %s handle of %s type",
+ handleName, handleType))
+ case ktypes.LoadDriver:
+ driver, _ := kevt.Kparams.GetString(kparams.ImageFilename)
+ return printSummary(kevt, fmt.Sprintf("loaded %s driver", driver))
+ }
+ return ""
+}
+
+func printSummary(kevt *Kevent, text string) string {
+ ps := kevt.PS
+ if ps != nil {
+ return fmt.Sprintf("%s %s", ps.Name, text)
+ }
+ return fmt.Sprintf("process with %d id %s", kevt.PID, text)
+}
+
+func fnvHash(b []byte) uint64 {
+ h := fnv.New64()
+ _, _ = h.Write(b)
+ return h.Sum64()
+}
diff --git a/pkg/kevent/kevent_windows_test.go b/pkg/kevent/kevent_windows_test.go
index ae2031d7d..bb2d9cf96 100644
--- a/pkg/kevent/kevent_windows_test.go
+++ b/pkg/kevent/kevent_windows_test.go
@@ -19,17 +19,69 @@
package kevent
import (
+ "github.com/rabbitstack/fibratus/pkg/fs"
+ "github.com/rabbitstack/fibratus/pkg/kevent/kparams"
"github.com/rabbitstack/fibratus/pkg/kevent/ktypes"
+ pstypes "github.com/rabbitstack/fibratus/pkg/ps/types"
"github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
"testing"
+ "time"
)
func TestKeventIsNetworkTCP(t *testing.T) {
- assert.True(t, Kevent{Type: ktypes.AcceptTCPv4}.IsNetworkTCP())
- assert.False(t, Kevent{Type: ktypes.SendUDPv6}.IsNetworkTCP())
+ assert.True(t, Kevent{Type: ktypes.AcceptTCPv4, Category: ktypes.Net}.IsNetworkTCP())
+ assert.False(t, Kevent{Type: ktypes.SendUDPv6, Category: ktypes.Net}.IsNetworkTCP())
}
func TestKeventIsNetworkUDP(t *testing.T) {
assert.True(t, Kevent{Type: ktypes.RecvUDPv4}.IsNetworkUDP())
assert.False(t, Kevent{Type: ktypes.SendTCPv6}.IsNetworkUDP())
}
+
+func TestKeventSummary(t *testing.T) {
+ kevt := &Kevent{
+ Type: ktypes.CreateFile,
+ Tid: 2484,
+ PID: 859,
+ CPU: 1,
+ Seq: 2,
+ Name: "CreateFile",
+ Timestamp: time.Now(),
+ Category: ktypes.File,
+ Host: "archrabbit",
+ Description: "Creates or opens a new file, directory, I/O device, pipe, console",
+ Kparams: Kparams{
+ kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)},
+ kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "C:\\Windows\\system32\\user32.dll"},
+ kparams.FileType: {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"},
+ kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.Enum, Value: fs.FileDisposition(1)},
+ },
+ PS: &pstypes.PS{
+ PID: 2436,
+ Ppid: 6304,
+ Parent: &pstypes.PS{
+ PID: 2034,
+ Name: "explorer.exe",
+ Exe: `C:\Windows\System32\explorer.exe`,
+ Cwd: `C:\Windows\System32`,
+ SID: "admin\\SYSTEM",
+ Parent: &pstypes.PS{
+ PID: 2345,
+ Name: "winlogon.exe",
+ },
+ },
+ Name: "firefox.exe",
+ Exe: `C:\Program Files\Mozilla Firefox\firefox.exe`,
+ Comm: `C:\Program Files\Mozilla Firefox\firefox.exe -contentproc --channel="6304.3.1055809391\1014207667" -childID 1 -isForBrowser -prefsHandle 2584 -prefMapHandle 2580 -prefsLen 70 -prefMapSize 216993 -parentBuildID 20200107212822 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 6304 "\\.\pipe\gecko-crash-server-pipe.6304" 2596 tab`,
+ Cwd: `C:\Program Files\Mozilla Firefox\`,
+ SID: "archrabbit\\SYSTEM",
+ Args: []string{"-contentproc", `--channel=6304.3.1055809391\1014207667`, "-childID", "1", "-isForBrowser", "-prefsHandle", "2584", "-prefMapHandle", "2580", "-prefsLen", "70", "-prefMapSize", "216993", "-parentBuildID"},
+ SessionID: 4,
+ },
+ }
+
+ require.Equal(t, "firefox.exe opened a file C:\\Windows\\system32\\user32.dll", kevt.Summary())
+ kevt.PS = nil
+ require.Equal(t, "process with 859 id opened a file C:\\Windows\\system32\\user32.dll", kevt.Summary())
+}
diff --git a/pkg/kevent/kparam.go b/pkg/kevent/kparam.go
index d5a22eaf9..1eecb9709 100644
--- a/pkg/kevent/kparam.go
+++ b/pkg/kevent/kparam.go
@@ -20,6 +20,8 @@ package kevent
import (
"fmt"
+ "golang.org/x/text/cases"
+ "golang.org/x/text/language"
"net"
"reflect"
"sort"
@@ -30,6 +32,8 @@ import (
"github.com/rabbitstack/fibratus/pkg/kevent/kparams"
)
+var caser = cases.Title(language.English)
+
// ParamCaseStyle is the type definition for parameter name case style
type ParamCaseStyle uint8
@@ -545,7 +549,7 @@ func (kpars Kparams) String() string {
case DotCase:
sb.WriteString(strings.Replace(kpar.Name, "_", ".", -1) + ParamKVDelimiter + kpar.String())
case PascalCase:
- sb.WriteString(strings.Replace(strings.Title(strings.Replace(kpar.Name, "_", " ", -1)), " ", "", -1) + ParamKVDelimiter + kpar.String())
+ sb.WriteString(strings.Replace(caser.String(strings.Replace(kpar.Name, "_", " ", -1)), " ", "", -1) + ParamKVDelimiter + kpar.String())
case CamelCase:
}
if i != len(pars)-1 {
diff --git a/pkg/kevent/kparam_windows.go b/pkg/kevent/kparam_windows.go
index bbee9b742..2e25be32c 100644
--- a/pkg/kevent/kparam_windows.go
+++ b/pkg/kevent/kparam_windows.go
@@ -128,4 +128,17 @@ func (k Kparam) String() string {
}
}
+// MustGetFileOperation returns the file operation involved in the I/O request.
+func (kpars Kparams) MustGetFileOperation() string {
+ op, err := kpars.Get(kparams.FileOperation)
+ if err != nil {
+ panic(err)
+ }
+ disposition, ok := op.(fs.FileDisposition)
+ if !ok {
+ panic("couldn't type assert to file operation enum")
+ }
+ return disposition.String()
+}
+
func joinSID(account, domain string) string { return fmt.Sprintf("%s\\%s", domain, account) }
diff --git a/pkg/kevent/ktypes/ktypes_windows.go b/pkg/kevent/ktypes/ktypes_windows.go
index c2be6b8f1..6f9cae79a 100644
--- a/pkg/kevent/ktypes/ktypes_windows.go
+++ b/pkg/kevent/ktypes/ktypes_windows.go
@@ -247,7 +247,7 @@ func (k Ktype) String() string {
case LoadDriver:
return "LoadDriver"
default:
- return string(k[:])
+ return ""
}
}
diff --git a/pkg/kevent/marshaller_test.go b/pkg/kevent/marshaller_test.go
index 46eee6d86..ef724b749 100644
--- a/pkg/kevent/marshaller_test.go
+++ b/pkg/kevent/marshaller_test.go
@@ -20,7 +20,7 @@ package kevent
import (
"encoding/json"
- "io/ioutil"
+ "os"
"testing"
"time"
@@ -215,7 +215,7 @@ func TestKeventMarshalJSON(t *testing.T) {
}
func TestUnmarshalHugeHandles(t *testing.T) {
- b, err := ioutil.ReadFile("_fixtures\\handles.json")
+ b, err := os.ReadFile("_fixtures\\handles.json")
require.NoError(t, err)
handles := make([]htypes.Handle, 0)
err = json.Unmarshal(b, &handles)
diff --git a/pkg/outputs/eventlog/template.go b/pkg/kevent/template.go
similarity index 74%
rename from pkg/outputs/eventlog/template.go
rename to pkg/kevent/template.go
index c9e8b6436..81c2ed1f6 100644
--- a/pkg/outputs/eventlog/template.go
+++ b/pkg/kevent/template.go
@@ -16,23 +16,21 @@
* limitations under the License.
*/
-package eventlog
+package kevent
import (
"bytes"
"fmt"
-
- "github.com/rabbitstack/fibratus/pkg/kevent"
+ "text/template"
)
-// Template is the default Go template used for producing the eventlog messages.
+// Template is the default Go template used for formatting events in textual format.
var Template = `Name: {{ .Kevt.Name }}
Sequence: {{ .Kevt.Seq }}
+Description: {{ .Kevt.Description }}
Process ID: {{ .Kevt.PID }}
Thread ID: {{ .Kevt.Tid }}
-Cpu: {{ .Kevt.CPU }}
Params: {{ .Kevt.Kparams }}
-Category: {{ .Kevt.Category }}
{{- if .Kevt.PS }}
@@ -119,10 +117,26 @@ Resources:
{{- end }}
`
-func (e *evtlog) renderTemplate(kevt *kevent.Kevent) ([]byte, error) {
+// RenderDefaultTemplate returns the event string representation
+// after applying the default Go template.
+func (kevt *Kevent) RenderDefaultTemplate() ([]byte, error) {
+ tmpl, err := template.New("event").Parse(Template)
+ if err != nil {
+ return nil, err
+ }
+ return renderTemplate(kevt, tmpl)
+}
+
+// RenderCustomTemplate returns the event string representation
+// after applying the given Go template.
+func (kevt *Kevent) RenderCustomTemplate(tmpl *template.Template) ([]byte, error) {
+ return renderTemplate(kevt, tmpl)
+}
+
+func renderTemplate(kevt *Kevent, tmpl *template.Template) ([]byte, error) {
var writer bytes.Buffer
data := struct {
- Kevt *kevent.Kevent
+ Kevt *Kevent
SerializeHandles bool
SerializeThreads bool
SerializeImages bool
@@ -130,15 +144,15 @@ func (e *evtlog) renderTemplate(kevt *kevent.Kevent) ([]byte, error) {
SerializePE bool
}{
kevt,
- kevent.SerializeHandles,
- kevent.SerializeThreads,
- kevent.SerializeImages,
- kevent.SerializeEnvs,
- kevent.SerializePE,
+ SerializeHandles,
+ SerializeThreads,
+ SerializeImages,
+ SerializeEnvs,
+ SerializePE,
}
- err := e.tmpl.Execute(&writer, data)
+ err := tmpl.Execute(&writer, data)
if err != nil {
- return nil, fmt.Errorf("unable to render eventlog template: %v", err)
+ return nil, fmt.Errorf("unable to render event template: %v", err)
}
return writer.Bytes(), nil
}
diff --git a/pkg/kstream/interceptors/ps_windows.go b/pkg/kstream/interceptors/ps_windows.go
index c3eab695a..df2a655be 100644
--- a/pkg/kstream/interceptors/ps_windows.go
+++ b/pkg/kstream/interceptors/ps_windows.go
@@ -20,6 +20,7 @@ package interceptors
import (
"expvar"
+ "github.com/rabbitstack/fibratus/pkg/util/cmdline"
"os"
"path/filepath"
"regexp"
@@ -78,34 +79,35 @@ func (ps psInterceptor) Intercept(kevt *kevent.Kevent) (*kevent.Kevent, bool, er
case ktypes.CreateProcess,
ktypes.TerminateProcess,
ktypes.EnumProcess:
- cmdline, err := kevt.Kparams.GetString(kparams.Comm)
+ cmndline, err := kevt.Kparams.GetString(kparams.Comm)
if err != nil {
return kevt, true, err
}
- // if leading/trailing quotes are found, get rid of them
- if len(cmdline) > 0 && cmdline[0] == '"' && cmdline[len(cmdline)-1] == '"' {
- cmdline = cmdline[1 : len(cmdline)-1]
+ // if leading/trailing quotes are found in the executable path, get rid of them
+ args := cmdline.Split(cmndline)
+ if len(args) > 0 {
+ cmndline = cmdline.CleanExe(args)
}
// expand all variations of the SystemRoot env variable
- if systemRootRegexp.MatchString(cmdline) {
- cmdline = systemRootRegexp.ReplaceAllString(cmdline, os.Getenv("SystemRoot"))
+ if systemRootRegexp.MatchString(cmndline) {
+ cmndline = systemRootRegexp.ReplaceAllString(cmndline, os.Getenv("SystemRoot"))
}
// some system processes are reported without the path in the command line,
// but we can expand the path from the SystemRoot environment variable
- if !driveRegexp.MatchString(cmdline) {
+ if !driveRegexp.MatchString(cmndline) {
proc, _ := kevt.Kparams.GetString(kparams.ProcessName)
_, ok := sysProcs[proc]
if ok {
- cmdline = filepath.Join(os.Getenv("SystemRoot"), "System32", cmdline)
+ cmndline = filepath.Join(os.Getenv("SystemRoot"), "System32", cmndline)
}
}
// append executable path parameter
- i := strings.Index(strings.ToLower(cmdline), ".exe")
+ i := strings.Index(strings.ToLower(cmndline), ".exe")
if i > 0 {
- exe := cmdline[0 : i+4]
+ exe := cmndline[0 : i+4]
kevt.Kparams.Append(kparams.Exe, kparams.UnicodeString, exe)
}
- _ = kevt.Kparams.SetValue(kparams.Comm, cmdline)
+ _ = kevt.Kparams.SetValue(kparams.Comm, cmndline)
// convert hexadecimal PID values to integers
pid, err := kevt.Kparams.GetHexAsUint32(kparams.ProcessID)
diff --git a/pkg/kstream/kstreamc_windows.go b/pkg/kstream/kstreamc_windows.go
index 0d0e2c577..64ad420a2 100644
--- a/pkg/kstream/kstreamc_windows.go
+++ b/pkg/kstream/kstreamc_windows.go
@@ -403,16 +403,16 @@ func (k *kstreamConsumer) processKevent(evt *etw.EventRecord) error {
kevt.Release()
return nil
}
+ // increment sequence
+ if !kevt.Type.Dropped(false) {
+ k.sequencer.Increment()
+ }
// run rules. In case of rule groups with sequence policy
// the last event matching the group is forwarded to the
// outputs
if rulesFired := k.rules.Fire(kevt); !rulesFired {
return nil
}
- // increment sequence
- if !kevt.Type.Dropped(false) {
- k.sequencer.Increment()
- }
if k.eventCallback != nil {
return k.eventCallback(kevt)
}
diff --git a/pkg/outputs/amqp/_fixtures/garagemq/amqp/methods_generated.go b/pkg/outputs/amqp/_fixtures/garagemq/amqp/methods_generated.go
index ae563d707..5d801beea 100644
--- a/pkg/outputs/amqp/_fixtures/garagemq/amqp/methods_generated.go
+++ b/pkg/outputs/amqp/_fixtures/garagemq/amqp/methods_generated.go
@@ -4458,12 +4458,11 @@ ReadMethod reads method from frame's payload
Method frames carry the high-level protocol commands (which we call "methods").
One method frame carries one command. The method frame payload has this format:
- 0 2 4
- +----------+-----------+-------------- - -
- | class-id | method-id | arguments...
- +----------+-----------+-------------- - -
- short short ...
-
+ 0 2 4
+ +----------+-----------+-------------- - -
+ | class-id | method-id | arguments...
+ +----------+-----------+-------------- - -
+ short short ...
*/
func ReadMethod(reader io.Reader, protoVersion string) (Method, error) {
classID, err := ReadShort(reader)
diff --git a/pkg/outputs/amqp/_fixtures/garagemq/amqp/readers_writers.go b/pkg/outputs/amqp/_fixtures/garagemq/amqp/readers_writers.go
index 22e8b2ddd..a81962f64 100644
--- a/pkg/outputs/amqp/_fixtures/garagemq/amqp/readers_writers.go
+++ b/pkg/outputs/amqp/_fixtures/garagemq/amqp/readers_writers.go
@@ -36,11 +36,11 @@ ReadFrame reads and parses raw data from conn reader and returns amqp frame
All frames consist of a header (7 octets), a payload of arbitrary size, and a
'frame-end' octet that detects malformed frames:
- 0 1 3 7 size+7 size+8
- +------+---------+-------------+ +------------+ +-----------+
- | type | channel | size | | payload | | frame-end |
- +------+---------+-------------+ +------------+ +-----------+
- octet short long size octets octet
+ 0 1 3 7 size+7 size+8
+ +------+---------+-------------+ +------------+ +-----------+
+ | type | channel | size | | payload | | frame-end |
+ +------+---------+-------------+ +------------+ +-----------+
+ octet short long size octets octet
To read a frame, we:
1. Read the header and check the frame type and channel.
@@ -807,11 +807,11 @@ follows it with a content header and zero or more content body frames.
A content header frame has this format:
- 0 2 4 12 14
- +----------+--------+-----------+----------------+------------- - -
- | class-id | weight | body size | property flags | property list...
- +----------+--------+-----------+----------------+------------- - -
- short short long long short remainder...
+ 0 2 4 12 14
+ +----------+--------+-----------+----------------+------------- - -
+ | class-id | weight | body size | property flags | property list...
+ +----------+--------+-----------+----------------+------------- - -
+ short short long long short remainder...
*/
func ReadContentHeader(r io.Reader, protoVersion string) (*ContentHeader, error) {
var err error
diff --git a/pkg/outputs/elasticsearch/elasticsearch_test.go b/pkg/outputs/elasticsearch/elasticsearch_test.go
index c3105b501..935b6e4c7 100644
--- a/pkg/outputs/elasticsearch/elasticsearch_test.go
+++ b/pkg/outputs/elasticsearch/elasticsearch_test.go
@@ -21,7 +21,7 @@ package elasticsearch
import (
"bytes"
"encoding/json"
- "io/ioutil"
+ "io"
"net/http"
"net/http/httptest"
"strings"
@@ -88,7 +88,7 @@ func TestElasticsearchConnectUnsupportedVersion(t *testing.T) {
func TestElasticsearchPublish(t *testing.T) {
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if strings.Contains(r.URL.Path, "_bulk") {
- body, err := ioutil.ReadAll(r.Body)
+ body, err := io.ReadAll(r.Body)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
diff --git a/pkg/outputs/eventlog/config.go b/pkg/outputs/eventlog/config.go
index b1e62b90b..418e088fb 100644
--- a/pkg/outputs/eventlog/config.go
+++ b/pkg/outputs/eventlog/config.go
@@ -20,6 +20,7 @@ package eventlog
import (
"fmt"
+ "github.com/rabbitstack/fibratus/pkg/kevent"
"text/template"
"github.com/spf13/pflag"
@@ -72,7 +73,7 @@ type Config struct {
func (c Config) parseTemplate() (*template.Template, error) {
if c.Template == "" {
// use built-in template
- return template.New("evtlog").Parse(Template)
+ return template.New("evtlog").Parse(kevent.Template)
}
return template.New("evtlog").Parse(c.Template)
}
diff --git a/pkg/outputs/eventlog/eventlog.go b/pkg/outputs/eventlog/eventlog.go
index f60ae9ef0..6f27656b1 100644
--- a/pkg/outputs/eventlog/eventlog.go
+++ b/pkg/outputs/eventlog/eventlog.go
@@ -112,7 +112,7 @@ func (e *evtlog) Publish(batch *kevent.Batch) error {
}
func (e *evtlog) publish(kevt *kevent.Kevent) error {
- buf, err := e.renderTemplate(kevt)
+ buf, err := kevt.RenderCustomTemplate(e.tmpl)
if err != nil {
return err
}
diff --git a/pkg/outputs/http/http.go b/pkg/outputs/http/http.go
index fb4a4ae49..c4a47d473 100644
--- a/pkg/outputs/http/http.go
+++ b/pkg/outputs/http/http.go
@@ -23,7 +23,7 @@ import (
"compress/gzip"
"context"
"fmt"
- "io/ioutil"
+ "io"
"net/http"
"net/url"
@@ -116,7 +116,7 @@ func (h *_http) Publish(batch *kevent.Batch) error {
defer resp.Body.Close()
if resp.StatusCode < 200 || resp.StatusCode >= 300 {
- body, err := ioutil.ReadAll(resp.Body)
+ body, err := io.ReadAll(resp.Body)
if err != nil {
return err
}
diff --git a/pkg/outputs/http/http_test.go b/pkg/outputs/http/http_test.go
index 0328f3137..57bb7c73c 100644
--- a/pkg/outputs/http/http_test.go
+++ b/pkg/outputs/http/http_test.go
@@ -22,7 +22,7 @@ import (
"compress/gzip"
"encoding/json"
"github.com/rabbitstack/fibratus/pkg/outputs"
- "io/ioutil"
+ "io"
"log"
"net"
"net/http"
@@ -49,7 +49,7 @@ func TestHttpPublish(t *testing.T) {
mux := http.NewServeMux()
mux.HandleFunc("/intake", func(w http.ResponseWriter, r *http.Request) {
- body, err := ioutil.ReadAll(r.Body)
+ body, err := io.ReadAll(r.Body)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
@@ -109,7 +109,7 @@ func TestHttpGzipPublish(t *testing.T) {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
- body, err := ioutil.ReadAll(gr)
+ body, err := io.ReadAll(gr)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
diff --git a/pkg/ps/snapshotter_windows_test.go b/pkg/ps/snapshotter_windows_test.go
index 485838cec..858e26937 100644
--- a/pkg/ps/snapshotter_windows_test.go
+++ b/pkg/ps/snapshotter_windows_test.go
@@ -63,7 +63,7 @@ func TestSnapshotterWrite(t *testing.T) {
assert.Equal(t, `C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--metrics-dir=C:\Users\admin\AppData\Local\Spotify\User Data" --url=https://crashdump.spotify.com:443/ --annotation=platform=win32 --annotation=product=spotify --annotation=version=1.1.4.197 --initial-client-data=0x5a4,0x5a0,0x5a8,0x59c,0x5ac,0x6edcbf60,0x6edcbf70,0x6edcbf7c`, ps.Comm)
assert.Equal(t, `C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe --parent`, ps.Exe)
assert.Equal(t, `admin\SYSTEM`, ps.SID)
- assert.Len(t, ps.Args, 14)
+ assert.Len(t, ps.Args, 13)
assert.Equal(t, "--type=crashpad-handler", ps.Args[1])
assert.Equal(t, "ps", filepath.Base(ps.Cwd))
assert.True(t, len(ps.Envs) > 0)
diff --git a/pkg/ps/types/types_windows.go b/pkg/ps/types/types_windows.go
index 2b4f4dd10..6a41ab440 100644
--- a/pkg/ps/types/types_windows.go
+++ b/pkg/ps/types/types_windows.go
@@ -20,8 +20,8 @@ package types
import (
"fmt"
+ "github.com/rabbitstack/fibratus/pkg/util/cmdline"
"path/filepath"
- "strings"
"sync"
htypes "github.com/rabbitstack/fibratus/pkg/handle/types"
@@ -74,7 +74,7 @@ func (ps *PS) String() string {
Pid: %d
Ppid: %d
Name: %s
- Comm: %s
+ Cmdline: %s
Exe: %s
Cwd: %s
SID: %s
@@ -95,7 +95,18 @@ func (ps *PS) String() string {
)
}
-// Thread stores several metadata about a thread that's executing in process's address space.
+// Ancestors returns all ancestors of this process. The string slice contains
+// the process image name followed by the process id.
+func (ps *PS) Ancestors() []string {
+ ancestors := make([]string, 0)
+ walk := func(proc *PS) {
+ ancestors = append(ancestors, fmt.Sprintf("%s (%d)", proc.Name, proc.PID))
+ }
+ Walk(walk, ps)
+ return ancestors
+}
+
+// Thread stores metadata about a thread that's executing in process's address space.
type Thread struct {
// Tid is the unique identifier of thread inside the process.
Tid uint32
@@ -151,7 +162,7 @@ func FromKevent(pid, ppid uint32, name, comm, exe, sid string, sessionID uint8)
Name: name,
Comm: comm,
Exe: exe,
- Args: splitArgs(comm),
+ Args: cmdline.Split(comm),
SID: sid,
SessionID: sessionID,
Threads: make(map[uint32]Thread),
@@ -196,7 +207,7 @@ func NewPS(pid, ppid uint32, exe, cwd, comm string, thread Thread, envs map[stri
Exe: exe,
Comm: comm,
Cwd: cwd,
- Args: splitArgs(comm),
+ Args: cmdline.Split(comm),
Threads: map[uint32]Thread{thread.Tid: thread},
Modules: make([]Module, 0),
Handles: make([]htypes.Handle, 0),
@@ -219,8 +230,6 @@ func NewFromKcap(buf []byte) (*PS, error) {
return &ps, nil
}
-func splitArgs(cmdline string) []string { return strings.Fields(cmdline) }
-
// AddThread adds a thread to process's state descriptor.
func (ps *PS) AddThread(thread Thread) {
ps.mu.Lock()
diff --git a/pkg/ps/types/types_windows_test.go b/pkg/ps/types/types_windows_test.go
index 4c0796980..94f47b06f 100644
--- a/pkg/ps/types/types_windows_test.go
+++ b/pkg/ps/types/types_windows_test.go
@@ -69,6 +69,6 @@ func TestPSArgs(t *testing.T) {
"",
"C:\\Users\\admin\\AppData\\Roaming\\Spotify\\Spotify.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler \"--metrics-dir=C:\\Users\\admin\\AppData\\Local\\Spotify\\User Data\" --url=https://crashdump.spotify.com:443/ --annotation=platform=win32 --annotation=product=spotify",
Thread{}, nil)
- require.Len(t, ps.Args, 12)
+ require.Len(t, ps.Args, 11)
require.Equal(t, "/prefetch:7", ps.Args[2])
}
diff --git a/pkg/syscall/security/privileges.go b/pkg/syscall/security/privileges.go
index a249222f5..f5ff06aef 100644
--- a/pkg/syscall/security/privileges.go
+++ b/pkg/syscall/security/privileges.go
@@ -73,7 +73,7 @@ func lookupPrivilegeValue(systemName string, name string, luid *int64) (err erro
}
func lookupPrivilegeValueW(systemName *uint16, name *uint16, luid *int64) (err error) {
- r1, _, e1 := syscall.Syscall(procLookupPrivilegeValueW.Addr(), 3, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(luid)))
+ r1, _, e1 := syscall.SyscallN(procLookupPrivilegeValueW.Addr(), uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(luid)))
if r1 == 0 {
if e1 != 0 {
err = error(e1)
@@ -91,7 +91,7 @@ func adjustTokenPrivileges(token syscall.Token, releaseAll bool, input *byte, ou
} else {
_p0 = 0
}
- r0, _, e1 := syscall.Syscall6(procAdjustTokenPrivileges.Addr(), 6, uintptr(token), uintptr(_p0), uintptr(unsafe.Pointer(input)), uintptr(outputSize), uintptr(unsafe.Pointer(output)), uintptr(unsafe.Pointer(requiredSize)))
+ r0, _, e1 := syscall.SyscallN(procAdjustTokenPrivileges.Addr(), uintptr(token), uintptr(_p0), uintptr(unsafe.Pointer(input)), uintptr(outputSize), uintptr(unsafe.Pointer(output)), uintptr(unsafe.Pointer(requiredSize)))
success = r0 != 0
if true {
if e1 != 0 {
diff --git a/pkg/util/cmdline/cmdline.go b/pkg/util/cmdline/cmdline.go
new file mode 100644
index 000000000..b4000012a
--- /dev/null
+++ b/pkg/util/cmdline/cmdline.go
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2022-2023 by Nedim Sabic Sabic
+ * https://www.fibratus.io
+ * All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package cmdline
+
+import (
+ "regexp"
+ "strings"
+)
+
+// splitRegexp declares the regular expression for splitting the string
+// by white spaces if the string is not inside a double quote.
+var splitRegexp = regexp.MustCompile(`("[^"]+?"\S*|\S+)`)
+
+// Split returns a slice of strings where each element is
+// a single argument in the process command line.
+func Split(cmdline string) []string { return splitRegexp.FindAllString(cmdline, -1) }
+
+// CleanExe removes the quotes from the executable path and rejoins
+// the rest of the command line arguments.
+func CleanExe(args []string) string {
+ exe := args[0]
+ if exe[0] == '"' && exe[len(exe)-1] == '"' {
+ return strings.Join(append([]string{exe[1 : len(exe)-1]}, args[1:]...), " ")
+ }
+ return strings.Join(args, " ")
+}
diff --git a/pkg/util/cmdline/cmdline_test.go b/pkg/util/cmdline/cmdline_test.go
new file mode 100644
index 000000000..a74e4ead4
--- /dev/null
+++ b/pkg/util/cmdline/cmdline_test.go
@@ -0,0 +1,33 @@
+/*
+ * Copyright 2021-2022 by Nedim Sabic Sabic
+ * https://www.fibratus.io
+ * All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package cmdline
+
+import (
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ "testing"
+)
+
+func TestSplit(t *testing.T) {
+ cmdline := `svchost.exe "-k host" arg1 arg2`
+ args := Split(cmdline)
+ require.Len(t, args, 4)
+ assert.Equal(t, "svchost.exe", args[0])
+ assert.Equal(t, `"-k host"`, args[1])
+}
diff --git a/pkg/util/fasttemplate/template.go b/pkg/util/fasttemplate/template.go
index f02024db5..e215c84be 100644
--- a/pkg/util/fasttemplate/template.go
+++ b/pkg/util/fasttemplate/template.go
@@ -151,9 +151,9 @@ func (t *Template) ExecuteFunc(w io.Writer, f TagFunc) (int64, error) {
// values from the map m and writes the result to the given writer w.
//
// Substitution map m may contain values with the following types:
-// * []byte - the fastest value type
-// * string - convenient value type
-// * TagFunc - flexible value type
+// - []byte - the fastest value type
+// - string - convenient value type
+// - TagFunc - flexible value type
//
// Returns the number of bytes written to w.
func (t *Template) Execute(w io.Writer, m map[string]interface{}) (int64, error) {
@@ -182,9 +182,9 @@ func (t *Template) ExecuteFuncString(f TagFunc) []byte {
// values from the map m and returns the result.
//
// Substitution map m may contain values with the following types:
-// * []byte - the fastest value type
-// * string - convenient value type
-// * TagFunc - flexible value type
+// - []byte - the fastest value type
+// - string - convenient value type
+// - TagFunc - flexible value type
//
// This function is optimized for frozen templates.
// Use ExecuteString for constantly changing templates.
diff --git a/pkg/util/log/logger.go b/pkg/util/log/logger.go
index e34bb3d84..faefc6cd2 100644
--- a/pkg/util/log/logger.go
+++ b/pkg/util/log/logger.go
@@ -25,7 +25,7 @@ import (
"github.com/rabbitstack/fibratus/pkg/util/log/rotate"
fs "github.com/rifflock/lfshook"
"github.com/sirupsen/logrus"
- "io/ioutil"
+ "io"
"os"
"path/filepath"
)
@@ -82,7 +82,7 @@ func InitFromConfig(c Config) error {
// disable writing to stdout
if !c.LogStdout {
- logrus.SetOutput(ioutil.Discard)
+ logrus.SetOutput(io.Discard)
}
// initialize log rotate hook
diff --git a/pkg/util/multierror/multierror.go b/pkg/util/multierror/multierror.go
index 308cf10b7..f53565a2b 100644
--- a/pkg/util/multierror/multierror.go
+++ b/pkg/util/multierror/multierror.go
@@ -18,6 +18,8 @@ import (
"strings"
)
+var sep = ", "
+
// Wrap takes a slice of errors and returns a single error that encapsulates
// those underlying errors. If the slice is nil or empty it returns nil.
// If the slice only contains a single element, that error is returned directly.
@@ -27,6 +29,13 @@ func Wrap(errs ...error) error {
return multiError(errs).flatten()
}
+// WrapWithSeparator same as Wrap but uses a custom separator when joining
+// error messages.
+func WrapWithSeparator(s string, errs ...error) error {
+ sep = s
+ return multiError(errs).flatten()
+}
+
// multiError bundles several errors together into a single error.
type multiError []error
@@ -53,5 +62,5 @@ func (errors multiError) Error() string {
}
parts = append(parts, err.Error())
}
- return strings.Join(parts, ", ")
+ return strings.Join(parts, sep)
}
diff --git a/pkg/util/rest/rest.go b/pkg/util/rest/rest.go
index c712326c0..507d35478 100644
--- a/pkg/util/rest/rest.go
+++ b/pkg/util/rest/rest.go
@@ -22,7 +22,7 @@ import (
"context"
"errors"
"github.com/rabbitstack/fibratus/pkg/api"
- "io/ioutil"
+ "io"
"net"
"net/http"
"path"
@@ -103,10 +103,7 @@ func request(method string, options ...Option) ([]byte, error) {
}
scheme := "http://"
- addr := opts.addr
- if strings.HasPrefix(addr, `npipe:///`) {
- addr = strings.TrimPrefix(addr, `npipe:///`)
- }
+ addr := strings.TrimPrefix(opts.addr, `npipe:///`)
ctx, cancel := context.WithTimeout(context.Background(), time.Second*10)
defer cancel()
@@ -121,7 +118,7 @@ func request(method string, options ...Option) ([]byte, error) {
}
defer resp.Body.Close()
- body, err := ioutil.ReadAll(resp.Body)
+ body, err := io.ReadAll(resp.Body)
if err != nil {
return nil, err
}
diff --git a/pkg/util/tls/tls.go b/pkg/util/tls/tls.go
index fb878a30c..3ec823842 100644
--- a/pkg/util/tls/tls.go
+++ b/pkg/util/tls/tls.go
@@ -22,7 +22,7 @@ import (
"crypto/tls"
"crypto/x509"
"fmt"
- "io/ioutil"
+ "os"
)
// MakeConfig builds a TLS config from the certificate, private/public key and the CA cert files.
@@ -48,7 +48,7 @@ func MakeConfig(certFile, keyFile, caFile string, insecureSkipVerify bool) (*tls
// load certificate issuing authority
if caFile != "" {
cpool := x509.NewCertPool()
- caCert, err := ioutil.ReadFile(caFile)
+ caCert, err := os.ReadFile(caFile)
if err != nil {
return nil, err
}
diff --git a/pkg/util/version/version.go b/pkg/util/version/version.go
index dfa533d66..d1e2e4cb1 100644
--- a/pkg/util/version/version.go
+++ b/pkg/util/version/version.go
@@ -46,6 +46,9 @@ var version string
// Set initializes the version string as global variable.
func Set(v string) { version = v }
+// Get returns the version string.
+func Get() string { return version }
+
// ProductToken returns a tag to be poked in User Agent headers.
func ProductToken() string { return fmt.Sprintf("fibratus/%s", version) }
diff --git a/pkg/yara/scanner_test.go b/pkg/yara/scanner_test.go
index 55493408c..c8788d023 100644
--- a/pkg/yara/scanner_test.go
+++ b/pkg/yara/scanner_test.go
@@ -22,13 +22,13 @@
package yara
import (
+ "github.com/hillu/go-yara/v4"
"os"
"path/filepath"
"syscall"
"testing"
"time"
- "github.com/hillu/go-yara/v4"
"github.com/rabbitstack/fibratus/pkg/kevent"
"github.com/rabbitstack/fibratus/pkg/kevent/ktypes"
@@ -55,6 +55,10 @@ func (s *mockSender) Send(a alertsender.Alert) error {
return nil
}
+func (s *mockSender) Type() alertsender.Type {
+ return alertsender.Noop
+}
+
func makeSender(config alertsender.Config) (alertsender.Sender, error) {
return &mockSender{}, nil
}
diff --git a/rules/README.md b/rules/README.md
new file mode 100644
index 000000000..feaace27b
--- /dev/null
+++ b/rules/README.md
@@ -0,0 +1,40 @@
+# Detection Rules
+
+This directory contains a catalog of detection rules modelled around the prominent [MITRE ATT&CK](https://attack.mitre.org/) framework. The goal is to provide a direct mapping of tactics, techniques, and subtechniques for each rule. The following sections introduce the general structure, design guidelines, and best practices to keep in mind when creating new rules.
+
+## Structure
+
+Detection rules are organized as `yaml` files whose names adhere to the `tactic-name_technique-name.yml` nomenclature. Every `yaml` file may contain a number of different rules grouped under a specific [rule policy](https://www.fibratus.io/#/filters/rules). Each rule in the group represents a particular adversary subtechnique. If the technique doesn't break down into individual subtechniques, it is expressed as a sole rule in the group. Let's suppose we want to detect unusual accesses to Windows Credentials history which is backed by the [Windows Credentials Manager](https://attack.mitre.org/techniques/T1555/004/) MITRE subtechnique. Since the subtechnique pertains to `Credentials from Password Stores` technique living under the `Credential Access` tactic, we would have created the `credential_access_credentials_from_password_stores.yml` file to store the rule definitions.
+
+Next, we declare the `Credentials access from Windows Credential Manager` group using the [rule specification](https://www.fibratus.io/#/filters/rules?id=defining-rules) idiom, and define the rule that fires when an unusual process accesses a file matching the `?:\\Users\\*\\AppData\\*\\Microsoft\\Protect` wildcard expression. Similarly, we can append additional rules to supervise Windows Credential Manager or Windows Vault file accesses. All of the above rules can be expressed with the `include` rule policy and the `CreateFile` selector. Check [here](credential_access_credentials_from_password_stores.yml) for the end result.
+
+## Guidelines
+
+### Stick to naming nomenclature
+
+It is highly recommended to name the rule files after the pattern explained in the above section. This facilitates the organization and searching through the detection rules catalog.
+
+### Include descriptions and labels
+
+Rule groups should have a meaningful description. Individual rules inside the group should ideally have a description too.
+For example, the `Spearphishing attachment execution of files written by Microsoft Office processes` group has the following description that has been borrowed verbatim from the MITRE knowledge base.
+
+> Adversaries may send spearphishing emails with a malicious attachment in an
+attempt to gain access to victim systems. Spearphishing attachment is a specific
+variant of spearphishing. Spearphishing attachment is different from other forms
+of spearphishing in that it employs the use of malware attached to an email.
+
+Additionally, there should exist labels attached to every rule group describing the MITRE tactic, technique, and subtechnique. This information is used when rendering email rule alert templates.
+
+### Sequence policies should have the event type condition
+
+Sequence rule groups may have multiple rules each targeting different event types. If the rule definition lacks the event type condition, the rule engine needs to execute every single rule for the incoming event. To alleviate the pressure on the rule engine, all rules should
+have the event type condition. In fact, if a rule is declared without the event type condition, you'll get a warning message in Fibratus logs informing about unwanted side effects.
+
+### Sequence policies with early binding index condition
+
+When writing detections that employ various event types or event multiple data sources, relationships between events are connected via [binding patterns](https://www.fibratus.io/#/filters/rules?id=stateful-event-tracking). The rule engine can lazily evaluate binary expressions comprising a rule. If the binding patterns are the first condition in downstream sequence rule groups, the rule engine will not keep on evaluating every single binary expression in the rule and thus will benefit the overall runtime performance.
+
+### Prefer macros over raw conditions
+
+Fibratus comes with a macro library to promote the reusability and modularization of rule conditions and lists. Before trying to spell out a raw rule condition, explore the library to check if there's already a macro you can pull into the rule. If there's no such macro, you can consider creating it. Future detection engineers and rule writers could profit from those macros.
\ No newline at end of file
diff --git a/rules/credential_access_credentials_from_password_stores.yml b/rules/credential_access_credentials_from_password_stores.yml
new file mode 100644
index 000000000..ec87331d3
--- /dev/null
+++ b/rules/credential_access_credentials_from_password_stores.yml
@@ -0,0 +1,151 @@
+- group: Credentials access from Windows Credential Manager
+ description: |
+ Adversaries may acquire credentials from the Windows Credential Manager.
+ The Credential Manager stores credentials for signing into websites,
+ applications, and/or devices that request authentication through NTLM
+ or Kerberos in Credential Lockers.
+ labels:
+ tactic.id: TA0006
+ tactic.name: Credential Access
+ tactic.ref: https://attack.mitre.org/tactics/TA0006/
+ technique.id: T1555
+ technique.name: Credentials from Password Stores
+ technique.ref: https://attack.mitre.org/techniques/T1555/
+ subtechnique.id: T1555.004
+ subtechnique.name: Windows Credential Manager
+ subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/
+ selector:
+ type: CreateFile
+ rules:
+ - name: Unusual process accessing Windows Credential history
+ description: |
+ Detects unusual accesses to the Windows Credential history file.
+ The CREDHIST file contains all previous password-linked master key hashes used by
+ DPAPI to protect secrets on the device. Adversaries may obtain credentials
+ from the Windows Credentials Manager.
+ condition: >
+ file.operation = 'open'
+ and
+ file.name imatches '?:\\Users\\*\\AppData\\*\\Microsoft\\Protect'
+ and
+ not
+ ps.exe imatches
+ (
+ '?:\\Program Files\\*',
+ '?:\\Windows\\System32\\lsass.exe',
+ '?:\\Windows\\System32\\svchost.exe',
+ '?:\\Windows\\ccmcache\\*.exe'
+ )
+ action: >
+ {{
+ emit . "Unusual access to Windows Credential history files" ""
+ }}
+ - name: Suspicious access to Windows Credential Manager files
+ description: |
+ Identifies suspicious processes trying to acquire credentials from the Windows Credential Manager.
+ condition: >
+ file.operation = 'open'
+ and
+ file.name imatches
+ (
+ '?:\\Users\\*\\AppData\\*\\Microsoft\\Credentials\\*',
+ '?:\\Windows\\System32\\config\\systemprofile\\AppData\\*\\Microsoft\\Credentials\\*'
+ )
+ and
+ not
+ ps.exe imatches
+ (
+ '?:\\Program Files\\*',
+ '?:\\Program Files(x86)\\*'
+ )
+ action: >
+ {{
+ emit . "Suspicious access to Windows Credential Manager files" ""
+ }}
+ - name: Suspicious access to Windows Vault files
+ description: |
+ Identifies attempts from adversaries to acquire credentials from Vault files.
+ condition: >
+ file.operation = 'open'
+ and
+ file.name imatches
+ (
+ '?:\\Users\\*\\AppData\\*\\Microsoft\\Vault\\*\\*',
+ '?:\\ProgramData\\Microsoft\\Vault\\*'
+ )
+ and
+ file.extension in
+ (
+ '.vcrd',
+ '.vpol'
+ )
+ and
+ not
+ ps.exe imatches
+ (
+ '?:\\Program Files\\*',
+ '?:\\Program Files(x86)\\*',
+ '?:\\Windows\\System32\\lsass.exe',
+ '?:\\Windows\\System32\\svchost.exe'
+ )
+ action: >
+ {{
+ emit . "Suspicious access to Windows Vault files" ""
+ }}
+
+- group: Credentials discovery from Windows Credential Manager through built-in tools
+ description: |
+ Adversaries may acquire credentials from the Windows Credential Manager
+ by employing external tools such as VaultCmd that can be used to enumerate
+ credentials stored in the Credential Locker through a command-line interface.
+ The Credential Manager stores credentials for signing into websites,
+ applications, and/or devices that request authentication through NTLM
+ or Kerberos in Credential Lockers. dversaries may also obtain credentials from credential backups.
+ Credential backups and restorations may be performed by running rundll32.exe builtin binary.
+ labels:
+ tactic.id: TA0006
+ tactic.name: Credential Access
+ tactic.ref: https://attack.mitre.org/tactics/TA0006/
+ technique.id: T1555
+ technique.name: Credentials from Password Stores
+ technique.ref: https://attack.mitre.org/techniques/T1555/
+ subtechnique.id: T1555.004
+ subtechnique.name: Windows Credential Manager
+ subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/
+ selector:
+ type: CreateProcess
+ rules:
+ - name: Enumerate credentials from Windows Credentials Manager via VaultCmd.exe
+ description: |
+ Detects the usage of the VaultCmd tool to list Windows Credentials.
+ VaultCmd creates, displays and deletes stored credentials.
+ condition: >
+ ps.sibling.name ~= 'VaultCmd.exe'
+ and
+ ps.sibling.args
+ in
+ (
+ '"/listcreds:Windows Credentials"',
+ '"/listcreds:Web Credentials"'
+ )
+ action: >
+ {{
+ emit
+ .
+ "Credential discovery via VaultCmd.exe"
+ "`%ps.exe` executed the `VaultCmd` tool to enumerate Windows Credentials"
+ }}
+ - name: Credentials access from credential backups
+ description: |
+ Detects an attempt to obtain credentials from credential backups.
+ condition: >
+ ps.sibling.name ~= 'rundll32.exe'
+ and
+ (ps.sibling.args iin ('keymgr.dll') and ps.sibling.args iin ('KRShowKeyMgr'))
+ action: >
+ {{
+ emit
+ .
+ "Credential access from credential backups"
+ "`%ps.exe` executed the `rundll32.exe` binary to obtain credentials from credentials backups"
+ }}
diff --git a/rules/credential_access_os_credential_dumping.yml b/rules/credential_access_os_credential_dumping.yml
new file mode 100644
index 000000000..aa6ba2da8
--- /dev/null
+++ b/rules/credential_access_os_credential_dumping.yml
@@ -0,0 +1,127 @@
+- group: Access to Security Account Manager database file
+ description: |
+ Adversaries may attempt to extract credential material from
+ the Security Account Manager (SAM) database. The SAM is a database
+ file that contains local accounts for the host.
+ labels:
+ tactic.id: TA0006
+ tactic.name: Credential Access
+ tactic.ref: https://attack.mitre.org/tactics/TA0006/
+ technique.id: T1003
+ technique.name: OS Credential Dumping
+ technique.ref: https://attack.mitre.org/techniques/T1003/
+ subtechnique.id: T1003.002
+ subtechnique.name: Security Account Manager
+ subtechnique.ref: https://attack.mitre.org/techniques/T1003/002/
+ selector:
+ type: CreateFile
+ rules:
+ - name: File access to SAM database
+ condition: >
+ file.name imatches
+ (
+ '?:\\WINDOWS\\SYSTEM32\\CONFIG\\SAM',
+ '\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\SYSTEM32\\CONFIG\\SAM',
+ '\\??\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\SYSTEM32\\CONFIG\\SAM'
+ )
+ and
+ not
+ ps.exe imatches
+ (
+ '?:\\Program Files\\*',
+ '?:\\Program Files (x86)\\*',
+ '?:\\Windows\\System32\\lsass.exe'
+ )
+ action: >
+ {{
+ emit . "File access to SAM database" ""
+ }}
+
+- group: Access to Security Account Manager database through registry
+ description: |
+ Adversaries may attempt to extract credential material from the
+ Security Account Manager (SAM) database through registry.
+ labels:
+ tactic.id: TA0006
+ tactic.name: Credential Access
+ tactic.ref: https://attack.mitre.org/tactics/TA0006/
+ technique.id: T1003
+ technique.name: OS Credential Dumping
+ technique.ref: https://attack.mitre.org/techniques/T1003/
+ subtechnique.id: T1003.002
+ subtechnique.name: Security Account Manager
+ subtechnique.ref: https://attack.mitre.org/techniques/T1003/002/
+ selector:
+ category: registry
+ rules:
+ - name: Potential SAM database dump through registry
+ condition: >
+ (query_registry or open_registry)
+ and
+ registry.key.name imatches
+ (
+ 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\*',
+ 'HKEY_LOCAL_MACHINE\\SAM\\*',
+ 'HKEY_LOCAL_MACHINE\\SAM'
+ )
+ and
+ not
+ ps.exe imatches
+ (
+ '?:\\Windows\\System32\\lsass.exe'
+ )
+ action: >
+ {{
+ emit . "Potential SAM database dump through registry" ""
+ }}
+
+- group: LSASS memory dumping via legitimate or offensive tools
+ description: |
+ Adversaries may attempt to access credential material stored in the
+ process memory of the Local Security Authority Subsystem Service (LSASS).
+ After a user logs on, the system generates and stores a variety of credential
+ materials in LSASS process memory. These credential materials can be harvested
+ by an administrative user or SYSTEM and used to conduct Lateral Movement.
+ This rule detects attempts to dump the LSAAS memory to the disk by employing legitimate
+ tools such as procdump, Task Manager, Process Explorer or built-in Windows tools such
+ as comsvcs.dll.
+ labels:
+ tactic.id: TA0006
+ tactic.name: Credential Access
+ tactic.ref: https://attack.mitre.org/tactics/TA0006/
+ technique.id: T1003
+ technique.name: OS Credential Dumping
+ technique.ref: https://attack.mitre.org/techniques/T1003/
+ subtechnique.id: T1003.001
+ subtechnique.name: LSASS Memory
+ subtechnique.ref: https://attack.mitre.org/techniques/T1003/001/
+ policy: sequence
+ rules:
+ - name: LSASS local process object acquired
+ condition: >
+ open_process and ps.access.mask.names in ('ALL_ACCESS', 'CREATE_PROCESS')
+ and
+ ps.sibling.name ~= 'lsass.exe'
+ and
+ not
+ ps.exe imatches
+ (
+ '?:\\Windows\\System32\\svchost.exe',
+ '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'
+ )
+ - name: LSASS dump written to the file system
+ condition: >
+ ps.exe = $1.ps.exe
+ and
+ write_minidump_file
+ max-span: 2m
+ action: >
+ {{
+ emit
+ .
+ "LSASS memory dumping"
+ `Detected an attempt by %1.ps.name process to access
+ and read the memory of the **Local Security And Authority Subsystem Service**
+ and subsequently write the %2.file.name dump file to the disk device`
+ "critical"
+ }}
diff --git a/rules/defense_evasion_system_binary_proxy_execution.yml b/rules/defense_evasion_system_binary_proxy_execution.yml
new file mode 100644
index 000000000..4a91dc64a
--- /dev/null
+++ b/rules/defense_evasion_system_binary_proxy_execution.yml
@@ -0,0 +1,86 @@
+- group: System Binary Proxy Execution via Rundll32
+ description: |
+ Adversaries may abuse rundll32.exe to proxy execution of malicious code.
+ Using rundll32.exe, vice executing directly (i.e. Shared Modules),
+ may avoid triggering security tools that may not monitor execution of the
+ rundll32.exe process because of allowlists or false positives from normal operations.
+ Rundll32.exe is commonly associated with executing DLL payloads.
+ labels:
+ tactic.id: TA0005
+ tactic.name: Defense Evasion
+ tactic.ref: https://attack.mitre.org/tactics/TA0005/
+ technique.id: T1218
+ technique.name: System Binary Proxy Execution
+ technique.ref: https://attack.mitre.org/techniques/T1218/
+ subtechnique.id: T1218.011
+ subtechnique.name: Rundll32
+ subtechnique.ref: https://attack.mitre.org/techniques/T1218/011/
+ policy: sequence
+ rules:
+ - name: Rundll32 process executed with suspicious command line
+ condition: >
+ spawn_process
+ and
+ ps.sibling.name ~= 'rundll32.exe'
+ and
+ ps.sibling.comm imatches
+ (
+ '*javascript:*',
+ '*shell32.dll*ShellExec_RunDLL*',
+ '*-sta*'
+ )
+ - name: Rundll32 child process executed
+ condition: >
+ ps.pid = $1.ps.sibling.pid
+ and
+ spawn_process
+ max-span: 45s
+ action: >
+ {{
+ emit . "System Binary Proxy Execution via Rundll32" ""
+ }}
+
+- group: System Binary Proxy Execution via Regsvr32
+ description: |
+ Adversaries may abuse Regsvr32.exe to proxy execution of malicious code.
+ Regsvr32.exe is a command-line program used to register and unregister object
+ linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems.
+ labels:
+ tactic.id: TA0005
+ tactic.name: Defense Evasion
+ tactic.ref: https://attack.mitre.org/tactics/TA0005/
+ technique.id: T1218
+ technique.name: System Binary Proxy Execution
+ technique.ref: https://attack.mitre.org/techniques/T1218/
+ subtechnique.id: T1218.010
+ subtechnique.name: Regsvr32
+ subtechnique.ref: https://attack.mitre.org/techniques/T1218/010/
+ selector:
+ type: CreateProcess
+ rules:
+ - name: Regsvr32 scriptlet execution
+ description: |
+ Identifies the exection of a scriptlet file by regsvr32.exe process. Regsvr32
+ is usually abused by adversaries to execute malicious payloads without triggering
+ AV product alerts.
+ condition: >
+ ps.sibling.name ~= 'regsvr32.exe'
+ and
+ (
+ ps.sibling.comm imatches
+ (
+ '*scrobj*'
+ )
+ and
+ ps.sibling.comm imatches
+ (
+ '*/i:*',
+ '*-i:*',
+ '*.sct*'
+ )
+ )
+ action: >
+ {{
+ emit . "Regsvr32 scriptlet execution" ""
+ }}
+
diff --git a/rules/initial_access_phishing.yml b/rules/initial_access_phishing.yml
new file mode 100644
index 000000000..87b30c8f2
--- /dev/null
+++ b/rules/initial_access_phishing.yml
@@ -0,0 +1,85 @@
+- group: Spearphishing attachment execution of files written by Microsoft Office processes
+ description: |
+ Adversaries may send spearphishing emails with a malicious attachment in an
+ attempt to gain access to victim systems. Spearphishing attachment is a specific
+ variant of spearphishing. Spearphishing attachment is different from other forms
+ of spearphishing in that it employs the use of malware attached to an email.
+ labels:
+ tactic.id: TA0001
+ tactic.name: Initial Access
+ tactic.ref: https://attack.mitre.org/tactics/TA0001/
+ technique.id: T1566
+ technique.name: Phishing
+ technique.ref: https://attack.mitre.org/techniques/T1566/
+ subtechnique.id: T1566.001
+ subtechnique.name: Spearphishing Attachment
+ subtechnique.ref: https://attack.mitre.org/techniques/T1566/001/
+ policy: sequence
+ rules:
+ - name: Binary file written by Microsoft Office process
+ condition: >
+ write_file
+ and
+ file.extension iin
+ (
+ '.exe',
+ '.com',
+ '.scr'
+ )
+ and
+ ps.name iin msoffice_binaries
+ - name: Binary executed by Microsoft Office process
+ condition: >
+ ps.sibling.exe = $1.file.name
+ and
+ spawn_process
+ and
+ ps.name iin msoffice_binaries
+ max-span: 1h
+ action: >
+ {{
+ emit . "File execution via Microsoft Office process" ""
+ }}
+
+- group: Spearphishing DLL attachment loaded by Microsoft Office processes
+ description: |
+ Adversaries may send spearphishing emails with a malicious attachment in an
+ attempt to gain access to victim systems. Identifes the creation of the DLL
+ which is loaded by Microsoft Office process afterwards. May indicate loading of
+ a possibly malicious module.
+ labels:
+ tactic.id: TA0001
+ tactic.name: Initial Access
+ tactic.ref: https://attack.mitre.org/tactics/TA0001/
+ technique.id: T1566
+ technique.name: Phishing
+ technique.ref: https://attack.mitre.org/techniques/T1566/
+ subtechnique.id: T1566.001
+ subtechnique.name: Spearphishing Attachment
+ subtechnique.ref: https://attack.mitre.org/techniques/T1566/001/
+ policy: sequence
+ rules:
+ - name: Module file written by Microsoft Office process
+ condition: >
+ write_file
+ and
+ file.extension iin
+ (
+ '.dll',
+ '.ocx',
+ '.cpl'
+ )
+ and
+ ps.name iin msoffice_binaries
+ - name: Module loaded by Microsoft Office process
+ condition: >
+ image.name = $1.file.name
+ and
+ load_module
+ and
+ ps.name iin msoffice_binaries
+ max-span: 1h
+ action: >
+ {{
+ emit . "Potentially malicious module loaded by Microsoft Office process" ""
+ }}
diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml
new file mode 100644
index 000000000..933ddfc50
--- /dev/null
+++ b/rules/macros/macros.yml
@@ -0,0 +1,51 @@
+- macro: spawn_process
+ expr: kevt.name = 'CreateProcess'
+
+- macro: open_process
+ expr: kevt.name = 'OpenProcess' and ps.access.status = 'success'
+ description: Acquires the local process object
+
+- macro: open_process_all_access
+ expr: open_process and ps.access.mask.names in ('ALL_ACCESS')
+ description: Acquires the local process object with all possible rights for the process object
+
+- macro: spawn_msoffice_process
+ expr: spawn_process and ps.sibling.exe iin msoffice_binaries
+ description: Identifies the execution of the MS Office process
+
+- macro: write_file
+ expr: kevt.name = 'WriteFile'
+
+- macro: open_file
+ expr: kevt.name = 'CreateFile' and file.operation = 'open'
+
+- macro: create_file
+ expr: kevt.name = 'CreateFile' and file.operation = 'create'
+
+- macro: query_registry
+ expr: kevt.name in ('RegQueryKey', 'RegQueryValue')
+
+- macro: open_registry
+ expr: kevt.name = 'RegOpenKey'
+
+- macro: load_module
+ expr: kevt.name = 'LoadImage'
+
+- macro: write_minidump_file
+ expr: >
+ write_file
+ and
+ (
+ file.extension iin
+ (
+ '.dmp',
+ '.mdmp',
+ '.dump'
+ )
+ or
+ is_minidump(file.name)
+ )
+ description: Detects when a process writes a minidump file
+
+- macro: msoffice_binaries
+ list: [EXCEL.EXE, WINWORD.EXE, MSACCESS.EXE, POWERPNT.EXE, WORDPAD.EXE]