Add baseline registry event json

elastic · May 5, 2020 · 112c17b · 112c17b
1 parent d0942ce
commit 112c17b
Show file tree

Hide file tree

Showing 3 changed files with 307 additions and 14 deletions.
diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
@@ -492,8 +492,8 @@ var sysmon = (function () {
         HKU: "HKU",
     };
 
-    var qwordRegex = new RegExp(/ab+c/, "i");
-    var dwordRegex = new RegExp(/DWORD \(()\)/, "i");
+    var qwordRegex = new RegExp(/QWORD \(((0x\d{8})-(0x\d{8}))\)/, "i");
+    var dwordRegex = new RegExp(/DWORD \((0x\d{8})\)/, "i");
 
     var setRegistryFields = function (evt) {
         var path = evt.Get("winlog.event_data.TargetObject");
@@ -521,22 +521,26 @@ var sysmon = (function () {
         var dataType;
         var dataValue;
         var match = qwordRegex.exec(data);
-        if (match.length > 0) {
-            dataType = "SZ_QWORD";
-            dataValue = match[1];
+        if (match && match.length > 0) {
+            var parsedHighByte = parseInt(match[2]);
+            var parsedLowByte = parseInt(match[3]);
+            if (!isNaN(parsedHighByte) && !isNaN(parsedLowByte)) {
+                dataValue = "" + ((parsedHighByte << 8) + parsedLowByte);
+                dataType = "SZ_QWORD";
+            }
         } else {
             match = dwordRegex.exec(data);
-            if (match.length > 0) {
-                dataType = "SZ_DWORD";
-                dataValue = match[1];
+            if (match && match.length > 0) {
+                var parsedValue = parseInt(match[1]);
+                if (!isNaN(parsedValue)) {
+                    dataType = "SZ_DWORD";
+                    dataValue = "" + parsedValue;
+                }
             }
         }
-        if (match.length > 0) {
-            var parsedValue = parseInt(dataValue);
-            if (!isNan(parsedValue)) {
-                evt.Put("registry.data.strings", [parsedValue]);
-                evt.Put("registry.data.type", dataType);
-            }
+        if (dataType) {
+            evt.Put("registry.data.strings", [dataValue]);
+            evt.Put("registry.data.type", dataType);
         }
     };
 

diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json
@@ -0,0 +1,289 @@
+[
+  {
+    "@timestamp": "2020-05-05T14:57:40.589Z",
+    "event": {
+      "code": 13,
+      "kind": "event",
+      "module": "sysmon",
+      "provider": "Microsoft-Windows-Sysmon"
+    },
+    "host": {
+      "name": "vagrant"
+    },
+    "log": {
+      "level": "information"
+    },
+    "process": {
+      "entity_id": "{5b522f6e-77ae-5eb1-2c03-000000000800}",
+      "executable": "C:\\Windows\\regedit.exe",
+      "name": "regedit.exe",
+      "pid": 6072
+    },
+    "registry": {
+      "data": {
+        "strings": [
+          "4"
+        ],
+        "type": "SZ_DWORD"
+      },
+      "hive": "HKU",
+      "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1",
+      "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1",
+      "value": "Key 1"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Microsoft-Windows-Sysmon/Operational",
+      "computer_name": "vagrant",
+      "event_data": {
+        "Details": "DWORD (0x00000004)",
+        "EventType": "SetValue",
+        "RuleName": "-",
+        "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1"
+      },
+      "event_id": 13,
+      "process": {
+        "pid": 5496,
+        "thread": {
+          "id": 876
+        }
+      },
+      "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+      "provider_name": "Microsoft-Windows-Sysmon",
+      "record_id": 2682,
+      "user": {
+        "domain": "NT AUTHORITY",
+        "identifier": "S-1-5-18",
+        "name": "SYSTEM",
+        "type": "Well Known Group"
+      },
+      "version": 2
+    }
+  },
+  {
+    "@timestamp": "2020-05-05T14:57:44.714Z",
+    "event": {
+      "code": 13,
+      "kind": "event",
+      "module": "sysmon",
+      "provider": "Microsoft-Windows-Sysmon"
+    },
+    "host": {
+      "name": "vagrant"
+    },
+    "log": {
+      "level": "information"
+    },
+    "process": {
+      "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}",
+      "executable": "C:\\Windows\\Explorer.EXE",
+      "name": "Explorer.EXE",
+      "pid": 4320
+    },
+    "registry": {
+      "hive": "HKU",
+      "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA",
+      "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA",
+      "value": "HRZR_PGYFRFFVBA"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Microsoft-Windows-Sysmon/Operational",
+      "computer_name": "vagrant",
+      "event_data": {
+        "Details": "Binary Data",
+        "EventType": "SetValue",
+        "RuleName": "-",
+        "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA"
+      },
+      "event_id": 13,
+      "process": {
+        "pid": 5496,
+        "thread": {
+          "id": 876
+        }
+      },
+      "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+      "provider_name": "Microsoft-Windows-Sysmon",
+      "record_id": 2686,
+      "user": {
+        "domain": "NT AUTHORITY",
+        "identifier": "S-1-5-18",
+        "name": "SYSTEM",
+        "type": "Well Known Group"
+      },
+      "version": 2
+    }
+  },
+  {
+    "@timestamp": "2020-05-05T14:57:44.714Z",
+    "event": {
+      "code": 13,
+      "kind": "event",
+      "module": "sysmon",
+      "provider": "Microsoft-Windows-Sysmon"
+    },
+    "host": {
+      "name": "vagrant"
+    },
+    "log": {
+      "level": "information"
+    },
+    "process": {
+      "entity_id": "{5b522f6e-77ae-5eb1-2c03-000000000800}",
+      "executable": "C:\\Windows\\regedit.exe",
+      "name": "regedit.exe",
+      "pid": 6072
+    },
+    "registry": {
+      "data": {
+        "strings": [
+          "5"
+        ],
+        "type": "SZ_QWORD"
+      },
+      "hive": "HKU",
+      "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2",
+      "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2",
+      "value": "Key 2"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Microsoft-Windows-Sysmon/Operational",
+      "computer_name": "vagrant",
+      "event_data": {
+        "Details": "QWORD (0x00000000-0x00000005)",
+        "EventType": "SetValue",
+        "RuleName": "-",
+        "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2"
+      },
+      "event_id": 13,
+      "process": {
+        "pid": 5496,
+        "thread": {
+          "id": 876
+        }
+      },
+      "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+      "provider_name": "Microsoft-Windows-Sysmon",
+      "record_id": 2687,
+      "user": {
+        "domain": "NT AUTHORITY",
+        "identifier": "S-1-5-18",
+        "name": "SYSTEM",
+        "type": "Well Known Group"
+      },
+      "version": 2
+    }
+  },
+  {
+    "@timestamp": "2020-05-05T14:57:46.808Z",
+    "event": {
+      "code": 13,
+      "kind": "event",
+      "module": "sysmon",
+      "provider": "Microsoft-Windows-Sysmon"
+    },
+    "host": {
+      "name": "vagrant"
+    },
+    "log": {
+      "level": "information"
+    },
+    "process": {
+      "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}",
+      "executable": "C:\\Windows\\Explorer.EXE",
+      "name": "Explorer.EXE",
+      "pid": 4320
+    },
+    "registry": {
+      "hive": "HKU",
+      "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr",
+      "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr",
+      "value": "ertrqvg.rkr"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Microsoft-Windows-Sysmon/Operational",
+      "computer_name": "vagrant",
+      "event_data": {
+        "Details": "Binary Data",
+        "EventType": "SetValue",
+        "RuleName": "-",
+        "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr"
+      },
+      "event_id": 13,
+      "process": {
+        "pid": 5496,
+        "thread": {
+          "id": 876
+        }
+      },
+      "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+      "provider_name": "Microsoft-Windows-Sysmon",
+      "record_id": 2690,
+      "user": {
+        "domain": "NT AUTHORITY",
+        "identifier": "S-1-5-18",
+        "name": "SYSTEM",
+        "type": "Well Known Group"
+      },
+      "version": 2
+    }
+  },
+  {
+    "@timestamp": "2020-05-05T14:57:46.808Z",
+    "event": {
+      "code": 13,
+      "kind": "event",
+      "module": "sysmon",
+      "provider": "Microsoft-Windows-Sysmon"
+    },
+    "host": {
+      "name": "vagrant"
+    },
+    "log": {
+      "level": "information"
+    },
+    "process": {
+      "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}",
+      "executable": "C:\\Windows\\Explorer.EXE",
+      "name": "Explorer.EXE",
+      "pid": 4320
+    },
+    "registry": {
+      "hive": "HKU",
+      "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA",
+      "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA",
+      "value": "HRZR_PGYFRFFVBA"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Microsoft-Windows-Sysmon/Operational",
+      "computer_name": "vagrant",
+      "event_data": {
+        "Details": "Binary Data",
+        "EventType": "SetValue",
+        "RuleName": "-",
+        "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA"
+      },
+      "event_id": 13,
+      "process": {
+        "pid": 5496,
+        "thread": {
+          "id": 876
+        }
+      },
+      "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+      "provider_name": "Microsoft-Windows-Sysmon",
+      "record_id": 2691,
+      "user": {
+        "domain": "NT AUTHORITY",
+        "identifier": "S-1-5-18",
+        "name": "SYSTEM",
+        "type": "Well Known Group"
+      },
+      "version": 2
+    }
+  }
+]