diff --git a/README.md b/README.md
index f97a8f8..eb53d13 100644
--- a/README.md
+++ b/README.md
@@ -221,6 +221,14 @@ Manager configuration example
 // Server key to use
 "key": "key.pem"
 },
+ "misp": {
+ // Protocol to use for MISP connection
+ "protocol" :"https",
+ // MISP host
+ "host" : "misp.host",
+ // API key to use
+ "api-key" :"your misp api key"
+ },
 // Rules directory used to serve rules to the clients
 "rules-dir": "",
 // Rules of containers used in rules (served to the clients)
diff --git a/collector/manager.go b/collector/manager.go
index ebc3f29..f1d7c59 100644
--- a/collector/manager.go
+++ b/collector/manager.go
@@ -16,6 +16,7 @@ import (
 "time"
 
 "github.com/0xrawsec/gene/engine"
+ "github.com/0xrawsec/golang-misp/misp"
 "github.com/0xrawsec/golang-utils/datastructs"
 "github.com/0xrawsec/golang-utils/fsutil"
 "github.com/0xrawsec/golang-utils/fsutil/fswalker"
@@ -39,8 +40,11 @@ const (
 
 var (
 guidRe = regexp.MustCompile(`(?i:\{[a-f0-9]{8}-([a-f0-9]{4}-){3}[a-f0-9]{12}\})`)
- eventHashRe = regexp.MustCompile(`[a-f0-9]{32,}`) // at least md5
+ eventHashRe = regexp.MustCompile(`(?i:[a-f0-9]{32,})`) // at least md5
 filenameRe = regexp.MustCompile(`[\w\s\.-]+`)
+ // MISP container related
+ mispContName = "misp"
+ mispTextExports = []string{"md5", "sha1", "sha256", "domain", "hostname"}
 )
 
 //////////////////////// FileUpload
@@ -157,15 +161,16 @@ func KeyGen(size int) string {
 
 // ManagerConfig defines manager's configuration structure
 type ManagerConfig struct {
- Host string `json:"host"`
- Port int `json:"port"`
- Logfile string `json:"logfile"`
- Key string `json:"key"`
- Authorized []string `json:"authorized"`
- TLS TLSConfig `json:"tls"`
- RulesDir string `json:"rules-dir"`
- DumpDir string `json:"dump-dir"`
- ContainersDir string `json:"containers-dir"`
+ Host string `json:"host"`
+ Port int `json:"port"`
+ Logfile string `json:"logfile"`
+ Key string `json:"key"`
+ Authorized []string `json:"authorized"`
+ TLS TLSConfig `json:"tls"`
+ MISP misp.MispConfig `json:"misp"`
+ RulesDir string `json:"rules-dir"`
+ DumpDir string `json:"dump-dir"`
+ ContainersDir string `json:"containers-dir"`
 }
 
 // Manager structure definition
@@ -179,6 +184,7 @@ type Manager struct {
 authorized datastructs.SyncedSet
 logfile logfile.LogFile
 tls TLSConfig
+ misp misp.MispConfig
 srv *http.Server
 stop chan bool
 done bool
@@ -208,7 +214,9 @@ func NewManager(c *ManagerConfig) (*Manager, error) {
 if err = c.TLS.Verify(); err != nil && !c.TLS.Empty() {
 return nil, err
 }
+ m.tls = c.TLS
 
+ m.misp = c.MISP
 // Containers initialization
 m.containersDir = c.ContainersDir
 
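Review bot: `m.misp = c.MISP` stores the MISP settings without any check, while the TLS block just above it calls `c.TLS.Verify()` before use; a configuration with `host` set but an empty `api-key`, or a `protocol` other than `https`, is only discovered an hour later in the update goroutine's log. Validating at construction keeps the failure at startup and gives the operator a chance to notice that a non-TLS protocol would carry the API key in clear over the network, e.g. `if c.MISP.Host != "" && c.MISP.APIKey == "" { return nil, errors.New("misp: api-key is required when host is set") }` (whether `errors` is already imported in this file is not visible here). The field names follow the `Proto`/`Host`/`APIKey` accesses in updateMispContainer; whether `misp.MispConfig` offers its own verification helper cannot be seen from this page. NewManager's body continues outside the hunk.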
@@ -286,6 +294,24 @@ func (m *Manager) updateRules() {
 m.rulesSha256 = hex.EncodeToString(sha256.Sum(nil))
 }
 
+func (m *Manager) updateMispContainer() {
+ c := misp.NewCon(m.misp.Proto, m.misp.Host, m.misp.APIKey)
+ mispContainer := make([]string, 0)
+ for _, expType := range mispTextExports {
+ log.Infof("Downloading %s attributes from MISP", expType)
+ exps, err := c.TextExport(expType)
+ if err != nil {
+ log.Errorf("MISP failed to export %s IDS attributes: %s", expType, err)
+ log.Errorf("Aborting MISP container update")
+ return
+ }
+ mispContainer = append(mispContainer, exps...)
+ }
+ // Update the MISP container
+ m.containers[mispContName] = mispContainer
+ m.containersSha256[mispContName] = Sha256StringArray(mispContainer)
+}
+
 // AddAuthKey adds an authorized key to access the manager
 func (m *Manager) AddAuthKey(key string) {
 m.authorized.Add(key)
@@ -340,6 +366,16 @@ func (m *Manager) authorizationMiddleware(next http.Handler) http.Handler {
 
 // Run starts a new thread spinning the receiver
 func (m *Manager) Run() {
+ go func() {
+ for !m.done {
+ if m.misp.Host != "" {
+ log.Infof("Starting MISP container update routine")
+ m.updateMispContainer()
+ log.Infof("MISP container update routine finished")
+ }
+ time.Sleep(time.Hour)
+ }
+ }()
 go func() {
 // If we fail due to server crash we properly shutdown
 // the receiver to avoid log corruption
diff --git a/go.mod b/go.mod
index 0240d97..12770e1 100644
--- a/go.mod
+++ b/go.mod
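Review bot: `m.containers[mispContName] = mispContainer` and `m.containersSha256[mispContName] = ...` are plain map writes, and this function is called from the background goroutine added in Run while the HTTP handlers presumably read the same maps to serve containers to clients; unless those maps are guarded somewhere not visible here, that is a data race the Go runtime may abort with a concurrent map read/write fatal error. A `sync.RWMutex` on Manager, taken with `Lock` around these two writes and `RLock` in the readers, would close it. A smaller point: an export that succeeds but returns nothing silently replaces a previously populated container with an empty one, so a guard such as `if len(mispContainer) == 0 { log.Warnf("MISP export is empty, keeping previous container"); return }` (or at least a log line) would make that visible. Whether the exported values need the case normalisation that the `eventHashRe` change in this commit hints at depends on how containers are matched, which this hunk does not show.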
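Review bot: The new goroutine polls `m.done` with `for !m.done` and then blocks in `time.Sleep(time.Hour)`, so a shutdown is noticed only after up to an hour, and reading `m.done` here while another goroutine writes it is unsynchronised (the writer is not in this hunk). The Manager struct already carries a `stop chan bool`; driving the loop with a ticker and a `select` on that channel stops the goroutine promptly and removes the unsynchronised read, provided `m.stop` is closed on shutdown rather than sent to once for a single receiver — if it is the latter, a dedicated channel or a `context.Context` is needed so this loop does not consume the signal meant for the server goroutine. The loop also keeps spinning (sleeping) when `m.misp.Host` is empty; returning early in that case avoids an idle goroutine for the lifetime of the process. Run's body continues outside the hunk.
```go
	go func() {
		if m.misp.Host == "" {
			return
		}
		ticker := time.NewTicker(time.Hour)
		defer ticker.Stop()
		for {
			log.Infof("Starting MISP container update routine")
			m.updateMispContainer()
			log.Infof("MISP container update routine finished")
			select {
			case <-ticker.C:
			case <-m.stop: // assumes m.stop is closed on shutdown — confirm
				return
			}
		}
	}()
	// … unchanged: server goroutine that follows …
```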
@@ -3,15 +3,13 @@ module github.com/0xrawsec/whids require ( github.com/0xrawsec/gene v1.6.2 github.com/0xrawsec/golang-evtx v1.2.1 + github.com/0xrawsec/golang-misp v1.0.3 github.com/0xrawsec/golang-utils v1.1.8 github.com/0xrawsec/golang-win32 v1.0.3 github.com/0xrawsec/mux v1.6.2 github.com/DataDog/zstd v1.4.1 // indirect github.com/pierrec/lz4 v2.2.6+incompatible // indirect github.com/segmentio/kafka-go v0.3.2 // indirect - golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586 // indirect - golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 // indirect - golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a - golang.org/x/tools v0.0.0-20190821162956-65e3620a7ae7 // indirect + golang.org/x/sys v0.0.0-20190909082730-f460065e899a golang.org/x/tools/gopls v0.1.0 // indirect ) diff --git a/go.sum b/go.sum index 8b5dc9f..6809e06 100644 --- a/go.sum +++ b/go.sum @@ -18,6 +18,10 @@ github.com/0xrawsec/golang-evtx v1.2.0 h1:SFv2zXo3Z9PWsY4yLIWcM8KkEsib2LnWsYgcC8 github.com/0xrawsec/golang-evtx v1.2.0/go.mod h1:RD+lv9ndoM/7XwvS5XViI51yAp5PDtVVJf8FM6Muro0= github.com/0xrawsec/golang-evtx v1.2.1 h1:mPwUavxoQx8r1EZN3Qre9vAEzDnIiHJQ/qufpsOT4fo= github.com/0xrawsec/golang-evtx v1.2.1/go.mod h1:RD+lv9ndoM/7XwvS5XViI51yAp5PDtVVJf8FM6Muro0= +github.com/0xrawsec/golang-misp v1.0.2 h1:p41LDUEVujHgh2TUuYKIBE14+n9JQen4MMiK5dV0/do= +github.com/0xrawsec/golang-misp v1.0.2/go.mod h1:bF7MZPgPQFPtsXPvRLcIdrs09fZV7zYDRBKpLltd6oA= +github.com/0xrawsec/golang-misp v1.0.3 h1:Y8fciKDbcRFPfmWOqlEaSOjJwe5Khx9v6FE5VDCCgNI= +github.com/0xrawsec/golang-misp v1.0.3/go.mod h1:bF7MZPgPQFPtsXPvRLcIdrs09fZV7zYDRBKpLltd6oA= github.com/0xrawsec/golang-utils v1.1.0 h1:opQAwRONEfxOOl4nxhpPkXiTYgzAw0/wFATAffNjdII= github.com/0xrawsec/golang-utils v1.1.0/go.mod h1:DADTtCFY10qXjWmUVhhJqQIZdSweaHH4soYUDEi8mj0= github.com/0xrawsec/golang-utils v1.1.1 h1:HlwVs5lHl5rK2DhB1eDlf+J9hOKBHEObQCWXFcQ4GE0= 
@@ -48,6 +52,8 @@ github.com/0xrawsec/mux v1.6.2 h1:cc2OyJTxRmXxsmQe2ulp0VndXV8vZIRrc1JqQzJ4BMI= github.com/0xrawsec/mux v1.6.2/go.mod h1:CiOvEAd+RMn8YOtCs1b5QfWe7P8G4olvTmzzNbERonY= github.com/DataDog/zstd v1.4.0/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo= github.com/DataDog/zstd v1.4.1/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU= github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= 
@@ -55,8 +61,14 @@ github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi github.com/pierrec/lz4 v2.2.6+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/sftp v1.10.0/go.mod h1:NxmoDg/QLVWluQDUYG7XBZTLUpKeFa8e3aMf1BfjyHk= +github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/segmentio/kafka-go v0.2.2/go.mod h1:X6itGqS9L4jDletMsxZ7Dz+JFWxM6JHfPOCvTvk+EJo= github.com/segmentio/kafka-go v0.3.2/go.mod h1:OT5KXBPbaJJTcvokhWR2KFmm0niEx3mnccTwjmLvSi4= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I= github.com/xdg/stringprep v1.0.0/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 
@@ -68,6 +80,8 @@ golang.org/x/crypto v0.0.0-20190513172903-22d7a77e9e5f/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190909091759-094676da4a83/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190320064053-1272bf9dcd53/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190326090315-15845e8f865b/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 
@@ -78,7 +92,10 @@ golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190909003024-a7b16738d86b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190912160710-24e19bdeb0f2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190321052220-f7bb7a8bee54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190322080309-f49334f85ddc/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -100,6 +117,14 @@ golang.org/x/sys v0.0.0-20190712062909-fae7ac547cb7 h1:LepdCS8Gf/MVejFIt8lsiexZA golang.org/x/sys v0.0.0-20190712062909-fae7ac547cb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a h1:aYOabOQFp6Vj6W1F80affTUvO9UxmJRx8K0gsfABByQ= golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190909082730-f460065e899a h1:mIzbOulag9/gXacgxKlFVwpCOWSfBT3/pDyyCwGA9as= +golang.org/x/sys v0.0.0-20190909082730-f460065e899a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190910064555-bbd175535a8b h1:3S2h5FadpNr0zUUCVZjlKIEYF+KaX/OBplTGo89CYHI= +golang.org/x/sys v0.0.0-20190910064555-bbd175535a8b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190911201528-7ad0cfa0b7b5 h1:SW/0nsKCUaozCUtZTakri5laocGx/5bkDSSLrFUsa5s= +golang.org/x/sys v0.0.0-20190911201528-7ad0cfa0b7b5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190912141932-bc967efca4b8 h1:41hwlulw1prEMBxLQSlMSux1zxJf07B3WPsdjJlKZxE= +golang.org/x/sys v0.0.0-20190912141932-bc967efca4b8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -120,5 +145,12 @@ golang.org/x/tools v0.0.0-20190718200317-82a3ea8a504c/go.mod h1:jcCCGcm9btYwXyDq golang.org/x/tools v0.0.0-20190719005602-e377ae9d6386/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= golang.org/x/tools v0.0.0-20190820203921-3aeeb259764d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190821162956-65e3620a7ae7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190909194007-75be6cdcda07/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190911202209-63a3583f646f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190912185636-87d9f09c5d89/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools/gopls v0.1.0/go.mod h1:p8Q0IUu6EEeGxqmoN/g6Et3gReLCGA7PtNRdyOxcWJE= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= diff --git a/tools/manager/makefile b/tools/manager/makefile index 44648c1..fb588d2 100644 --- a/tools/manager/makefile +++ b/tools/manager/makefile @@ -1,7 +1,7 @@ TEST=$(GOPATH)/test MAIN_BASEN_SRC=whids-man RELEASE=$(GOPATH)/release/$(MAIN_BASEN_SRC) -VERSION=1.1 +VERSION=1.2 COMMITID=$(shell git rev-parse HEAD) # Strips symbols and dwarf to make binary smaller diff --git a/tools/whids/hookdefs.go b/tools/whids/hookdefs.go index 5410a88..a74c1eb 100644 --- a/tools/whids/hookdefs.go +++ b/tools/whids/hookdefs.go 
@@ -714,7 +714,7 @@ func hookSetValueSize(e *evtx.GoEvtxMap) {
 }
 }
 
-func hookNetwork(e *evtx.GoEvtxMap) {
+/*func hookNetwork(e *evtx.GoEvtxMap) {
 // Default value
 e.Set(&pathSysmonCommandLine, "?")
 if guid, err := e.GetString(&pathSysmonProcessGUID); err == nil {
@@ -723,7 +723,7 @@ func hookNetwork(e *evtx.GoEvtxMap) {
 e.Set(&pathSysmonCommandLine, pt.CommandLine)
 }
 }
-}
+}*/
 
 func hookEnrichAnySysmon(e *evtx.GoEvtxMap) {
 eventID := e.EventID()
@@ -762,14 +762,25 @@ func hookEnrichAnySysmon(e *evtx.GoEvtxMap) {
 }
 }
 }
+ break
 default:
+ hasComLine := true
 // Default Values for the fields
 e.Set(&pathSysmonUser, "?")
 e.Set(&pathSysmonIntegrityLevel, "?")
+ if _, err := e.GetString(&pathSysmonCommandLine); err != nil {
+ e.Set(&pathSysmonCommandLine, "?")
+ hasComLine = false
+ }
+
 if guid, err := e.GetString(&pathSysmonProcessGUID); err == nil {
 if track := processTracker.GetByGuid(guid); track != nil {
+ // if event does not have command line
+ if !hasComLine {
+ e.Set(&pathSysmonCommandLine, track.CommandLine)
+ }
 e.Set(&pathSysmonUser, track.User)
 e.Set(&pathSysmonIntegrityLevel, track.IntegrityLevel)
 }
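Review bot: Wrapping `hookNetwork` in `/* ... */` (this hunk and the one at `@@ -723`) and commenting out its registration in tools/whids/whids.go (`//h.preHooks.Hook(hookNetwork, fltNetworkConnect)`) leaves a dead function body that readers still have to step over and that drifts silently as the surrounding code changes. Since version control keeps the old implementation, deleting the function and the registration line is cleaner; the explanatory comment already added at the registration site (`// should be treated by hookEnrichAnySysmon`) is enough of a pointer for anyone looking for it later.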
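Review bot: The `break` added just before `default:` in the `@@ -762` hunk is a no-op, because Go switch cases never fall through; dropping it keeps the intent clear (a deliberate fall-through would need `fallthrough`). The `hasComLine` handling itself reads correctly: the `?` placeholder is set only when the event carries no command line, and is then replaced from the tracker when the process is known. A short comment on `hasComLine := true`, such as `// false when the event has no CommandLine field; filled from the process tracker below`, would make the two-step default easier to follow. hookEnrichAnySysmon starts before the hunk and its switch continues outside it.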
@@ -980,57 +991,28 @@ func hookDumpFile(e *evtx.GoEvtxMap) {
 dumpEventAndCompress(e, guid)
 switch e.EventID() {
- case 1:
- if cl, err := e.GetString(&pathSysmonCommandLine); err == nil {
- if cwd, err := e.GetString(&pathSysmonCurrentDirectory); err == nil {
- if argv, err := utils.ArgvFromCommandLine(cl); err == nil {
- if len(argv) > 1 {
- for _, arg := range argv[1:] {
- if fsutil.IsFile(arg) && !utils.IsPipePath(arg) {
- if err = dumpFileAndCompress(arg, dumpPath); err != nil {
- log.Errorf("Error dumping file from EventID=%d \"%s\": %s", e.EventID(), arg, err)
- }
- }
- // try to dump a path relative to CWD
- relarg := filepath.Join(cwd, arg)
- if fsutil.IsFile(relarg) && !utils.IsPipePath(relarg) {
- if err = dumpFileAndCompress(relarg, dumpPath); err != nil {
- log.Errorf("Error dumping file from EventID=%d \"%s\": %s", e.EventID(), relarg, err)
- }
- }
- }
- }
- }
- }
- }
- if im, err := e.GetString(&pathSysmonImage); err == nil {
- if err = dumpFileAndCompress(im, dumpPath); err != nil {
- log.Errorf("Error dumping file from EventID=%d \"%s\": %s", e.EventID(), im, err)
- }
- }
- if pim, err := e.GetString(&pathSysmonParentImage); err == nil {
- if err = dumpFileAndCompress(pim, dumpPath); err != nil {
- log.Errorf("Error dumping file from EventID=%d \"%s\": %s", e.EventID(), pim, err)
- }
- }
+ case 2, 11, 15:
 if target, err := e.GetString(&pathSysmonTargetFilename); err == nil {
 if err = dumpFileAndCompress(target, dumpPath); err != nil {
 log.Errorf("Error dumping file from EventID=%d \"%s\": %s", e.EventID(), target, err)
 }
 }
+ case 6:
 if im, err := e.GetString(&pathSysmonImageLoaded); err == nil {
 if err = dumpFileAndCompress(im, dumpPath); err != nil {
 log.Errorf("Error dumping file from EventID=%d \"%s\": %s", e.EventID(), im, err)
 }
 }
+ case 10:
 if sim, err := e.GetString(&pathSysmonSourceImage); err == nil {
 if err = dumpFileAndCompress(sim, dumpPath); err != nil {
 log.Errorf("Error dumping file from EventID=%d \"%s\": %s", e.EventID(), sim, err)
 }
 }
+ case 13, 20:
 // for event ID 13
 path := &pathSysmonDetails
@@ -1049,6 +1031,40 @@ func hookDumpFile(e *evtx.GoEvtxMap) {
 }
 }
 }
+
+ default:
+ if cl, err := e.GetString(&pathSysmonCommandLine); err == nil {
+ if cwd, err := e.GetString(&pathSysmonCurrentDirectory); err == nil {
+ if argv, err := utils.ArgvFromCommandLine(cl); err == nil {
+ if len(argv) > 1 {
+ for _, arg := range argv[1:] {
+ if fsutil.IsFile(arg) && !utils.IsPipePath(arg) {
+ if err = dumpFileAndCompress(arg, dumpPath); err != nil {
+ log.Errorf("Error dumping file from EventID=%d \"%s\": %s", e.EventID(), arg, err)
+ }
+ }
+ // try to dump a path relative to CWD
+ relarg := filepath.Join(cwd, arg)
+ if fsutil.IsFile(relarg) && !utils.IsPipePath(relarg) {
+ if err = dumpFileAndCompress(relarg, dumpPath); err != nil {
+ log.Errorf("Error dumping file from EventID=%d \"%s\": %s", e.EventID(), relarg, err)
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ if im, err := e.GetString(&pathSysmonImage); err == nil {
+ if err = dumpFileAndCompress(im, dumpPath); err != nil {
+ log.Errorf("Error dumping file from EventID=%d \"%s\": %s", e.EventID(), im, err)
+ }
+ }
+ if pim, err := e.GetString(&pathSysmonParentImage); err == nil {
+ if err = dumpFileAndCompress(pim, dumpPath); err != nil {
+ log.Errorf("Error dumping file from EventID=%d \"%s\": %s", e.EventID(), pim, err)
+ }
+ }
 }
 }()
 }
diff --git a/tools/whids/makefile b/tools/whids/makefile
index fc1ba43..3a8de47 100644
--- a/tools/whids/makefile
+++ b/tools/whids/makefile
@@ -1,7 +1,7 @@
 TEST=$(GOPATH)/test
 MAIN_BASEN_SRC=whids
 RELEASE=$(GOPATH)/release/$(MAIN_BASEN_SRC)
-VERSION=1.6.1
+VERSION=1.6.2
 COMMITID=$(shell git rev-parse HEAD)
 # Strips symbols and dwarf to make binary smaller
@@ -52,7 +52,7 @@ installer:
 sed -E "s/set VERSION=.*?/set VERSION=$(VERSION)/" manage.bat > $(RELEASE)/windows/manage.bat
 
 sysmon:
- mv $(RELEASE)/../sysmon $(RELEASE)/windows/
+ #mv $(RELEASE)/../sysmon $(RELEASE)/windows/
 
 dlrules:
 mkdir $(RELEASE)/windows/rules/
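Review bot: In the `default:` branch added in the `@@ -1049` hunk (the code moved out of the deleted `case 1:` in the `@@ -980` hunk), `fsutil.IsFile(arg)` runs before the `filepath.Join(cwd, arg)` variant, so a relative command-line argument is resolved against the agent's own working directory rather than the monitored process's `cwd`, and an unrelated file of the same name next to the agent can end up in the dump. Guarding the direct lookup with `if filepath.IsAbs(arg) && fsutil.IsFile(arg) && !utils.IsPipePath(arg) {` restricts it to absolute paths and leaves relative ones to the `relarg` branch. Note also that `default:` now runs the argv/Image/ParentImage dump for every event ID not listed in the other cases, whereas the old code did so for event 1 only; if that widening is intended, a comment on the `default:` line saying so would spare the next reader the question. hookDumpFile and the enclosing `go func()` start before the hunk.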
diff --git a/tools/whids/whids.go b/tools/whids/whids.go
index 35f62e1..5d92045 100644
--- a/tools/whids/whids.go
+++ b/tools/whids/whids.go
@@ -298,7 +298,8 @@ func (h *HIDS) initHooks(advanced bool) {
 h.preHooks.Hook(hookEnrichServices, fltAnySysmon)
 // Not needed anymore enrich sysmon embeds necessary information
 //h.preHooks.Hook(hookProcessAccess, fltProcessAccess)
- h.preHooks.Hook(hookNetwork, fltNetworkConnect)
+ // should be treated by hookEnrichAnySysmon
+ //h.preHooks.Hook(hookNetwork, fltNetworkConnect)
 h.preHooks.Hook(hookEnrichAnySysmon, fltAnySysmon)
 //h.preHooks.Hook(hookSetValueSize, fltRegSetValue)
 