
fix: add field name to default_detail.txt (Sysmon EID 13, 14) #618

Merged (3 commits, Mar 12, 2024)

Conversation

@fukusuket (Collaborator) commented Mar 11, 2024

What Changed

Test (Sysmon EID 13)

% ./hayabusa json-timeline -d ../all-evtx/Win2022-AD -m high -o out.json -w -C --include-eid 13

{
    "Timestamp": "2022-04-07 17:14:49.824 +09:00",
    "RuleTitle": "Disable Windows Defender Functionalities Via Registry Keys",
    "Level": "high",
    "Computer": "WIN-FPV0DSIC9O6.sigma.fr",
    "Channel": "Sysmon",
    "EventID": 13,
    "RecordID": 160653,
    "Details": {
        "EventType": "SetValue",
        "TgtObj": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection",
        "Details": "DWORD (0x00000000)",
        "Proc": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
        "PID": 2936,
        "PGUID": "CB66FCBA-9D71-624E-4700-000000000200"
    },
    "ExtraFieldInfo": {
        "RuleName": "-",
        "User": "NT AUTHORITY\\SYSTEM",
        "UtcTime": "2022-04-07 08:14:49.818"
    }
}

Test (Sysmon EID 14)

% ./hayabusa json-timeline -d ../all-evtx/ -o eid-14.json -w -C --include-eid 14 -n -u -D

{
    "Timestamp": "2022-03-02 04:24:21.737 +09:00",
    "RuleTitle": "Reg Key Value Rename (Noisy)",
    "Level": "info",
    "Computer": "DESKTOP-6D0DBMB",
    "Channel": "Sysmon",
    "EventID": 14,
    "RecordID": 1098384,
    "Details": {
        "EventType": "RenameKey",
        "TgtObj": "HKLM\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\VREGISTRY_FC4EF5AF-A40A-4956-9AD1-3BFA0BA62E9E",
        "NewName": "HKLM\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\REGISTRY",
        "Proc": "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe",
        "PID": 8076,
        "PGUID": "6A627BFB-7265-621E-2F01-000000000300"
    },
    "ExtraFieldInfo": {
        "RuleName": "-",
        "User": "AUTORITE NT\\Système",
        "UtcTime": "2022-03-01 19:24:21.727"
    }
}

I would appreciate it if you could review when you have time🙏

@fukusuket fukusuket self-assigned this Mar 11, 2024
@fukusuket fukusuket added the bug Something isn't working label Mar 11, 2024
@fukusuket fukusuket changed the title fix: add field name to default_detail (Sysmon EID 13, 14) fix: add field name to default_detail.txt (Sysmon EID 13, 14) Mar 11, 2024
@YamatoSecurity (Collaborator) commented:
Thanks for finding and fixing these! What about for EID 13, we rename "TgtObj" to "RegKey". For EID 14, we rename "TgtObj" to "OldName"? I think it would be easier to understand. Also, "User" information can be important so for both events, how about we put them in "Details"?

@fukusuket (Collaborator, Author) commented:

@YamatoSecurity Thank you so much for checking :) I updated as follows!

{
    "Timestamp": "2022-04-07 17:14:49.824 +09:00",
    "RuleTitle": "Disable Windows Defender Functionalities Via Registry Keys",
    "Level": "high",
    "Computer": "WIN-FPV0DSIC9O6.sigma.fr",
    "Channel": "Sysmon",
    "EventID": 13,
    "RecordID": 160653,
    "Details": {
        "EventType": "SetValue",
        "RegKey": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection",
        "Details": "DWORD (0x00000000)",
        "Proc": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
        "PID": 2936,
        "PGUID": "CB66FCBA-9D71-624E-4700-000000000200",
        "User": "NT AUTHORITY\\SYSTEM"
    },
    "ExtraFieldInfo": {
        "RuleName": "-",
        "UtcTime": "2022-04-07 08:14:49.818"
    }
}
{
    "Timestamp": "2022-03-02 04:24:21.737 +09:00",
    "RuleTitle": "Reg Key Value Rename (Noisy)",
    "Level": "info",
    "Computer": "DESKTOP-6D0DBMB",
    "Channel": "Sysmon",
    "EventID": 14,
    "RecordID": 1098384,
    "Details": {
        "EventType": "RenameKey",
        "OldName": "HKLM\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\VREGISTRY_FC4EF5AF-A40A-4956-9AD1-3BFA0BA62E9E",
        "NewName": "HKLM\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\REGISTRY",
        "Proc": "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe",
        "PID": 8076,
        "PGUID": "6A627BFB-7265-621E-2F01-000000000300",
        "User": "AUTORITE NT\\Système"
    },
    "ExtraFieldInfo": {
        "RuleName": "-",
        "UtcTime": "2022-03-01 19:24:21.727"
    }
}
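
To confirm that a `json-timeline` output really carries the field layout agreed in this thread (RegKey for EID 13, OldName/NewName for EID 14, User under Details rather than ExtraFieldInfo), here is an added checker; it is not part of Hayabusa or this PR. It assumes the output is either a JSON array or one record per line, and the sample records are constructed from the JSON shown above:

```python
import json

# Field layout agreed in the PR for Hayabusa's Sysmon registry events (EID 13/14).
# The names come from the JSON in the thread; the checker itself is added here.
EXPECTED_DETAILS = {
    13: {"EventType", "RegKey", "Details", "Proc", "PID", "PGUID", "User"},
    14: {"EventType", "OldName", "NewName", "Proc", "PID", "PGUID", "User"},
}
LEGACY_NAMES = {"TgtObj"}  # pre-fix name, replaced by RegKey (13) / OldName (14)

def load_records(text):
    """Accept a JSON array or newline-delimited JSON (one record per line)."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def check_record(rec):
    """Return the problems found in one record; [] means it matches the fix."""
    eid = rec.get("EventID")
    if rec.get("Channel") != "Sysmon" or eid not in EXPECTED_DETAILS:
        return []  # only Sysmon EID 13/14 are covered by this change
    tag = f"EID {eid} RecordID {rec.get('RecordID')}"
    details = rec.get("Details", {})
    problems = [f"{tag}: missing Details.{k}" for k in sorted(EXPECTED_DETAILS[eid] - set(details))]
    problems += [f"{tag}: legacy field Details.{k}" for k in sorted(set(details) & LEGACY_NAMES)]
    if "User" in rec.get("ExtraFieldInfo", {}):
        problems.append(f"{tag}: User still under ExtraFieldInfo")  # PR moved it into Details
    return problems

def check_timeline(text):
    """Flatten per-record problems for a whole json-timeline output."""
    return [p for rec in load_records(text) for p in check_record(rec)]

# Constructed sample: a post-fix EID 13 record and a pre-fix EID 14 record.
SAMPLE_RECORDS = [
    {"Channel": "Sysmon", "EventID": 13, "RecordID": 1, "ExtraFieldInfo": {"RuleName": "-"},
     "Details": {"EventType": "SetValue", "RegKey": "HKLM\\SOFTWARE\\X\\TamperProtection",
                 "Details": "DWORD (0x00000000)", "Proc": "C:\\x.exe", "PID": 1,
                 "PGUID": "G", "User": "NT AUTHORITY\\SYSTEM"}},
    {"Channel": "Sysmon", "EventID": 14, "RecordID": 2,
     "ExtraFieldInfo": {"RuleName": "-", "User": "NT AUTHORITY\\SYSTEM"},
     "Details": {"EventType": "RenameKey", "TgtObj": "HKLM\\SOFTWARE\\Old",
                 "NewName": "HKLM\\SOFTWARE\\New", "Proc": "C:\\y.exe", "PID": 2, "PGUID": "H"}},
]
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)

if __name__ == "__main__":
    print("\n".join(check_timeline(SAMPLE_JSONL)))
```

Run against a real output the same way (`check_timeline(open("out.json").read())`); an empty result means every Sysmon EID 13/14 record uses the post-fix names.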


@YamatoSecurity YamatoSecurity left a comment


@fukusuket Thanks so much! LGTM!

@YamatoSecurity YamatoSecurity merged commit 066186d into main Mar 12, 2024
2 checks passed
@YamatoSecurity YamatoSecurity deleted the 617-fix-incorrect-default-details branch March 12, 2024 06:07
Linked issues (closed by this pull request):
- Incorrect Sysmon EID 14 default_details
- Incorrect Sysmon EID 13 default_details