Add pe fields to Sysmon module (#22217)

- ProcessCreate event - LoadImage event Closes #17335
elastic · Oct 28, 2020 · 310dbf6 · 310dbf6
1 parent 577c25b
commit 310dbf6
Show file tree

Hide file tree

Showing 7 changed files with 257 additions and 0 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -800,6 +800,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add registry and code signature information and ECS categorization fields for sysmon module {pull}18058[18058]
 - Add new winlogbeat security dashboard {pull}18775[18775]
 - Add `event.outcome` to events based on the audit success and audit failure keywords. {pull}20564[20564]
+- Add file.pe and process.pe fields to ProcessCreate & LoadImage events in Sysmon module. {issue}17335[17335] {pull}22217[22217]
 
 *Elastic Log Driver*
 - Add support for `docker logs` command {pull}19531[19531]

diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
@@ -677,11 +677,37 @@ var sysmon = (function () {
                     from: "winlog.event_data.ParentCommandLine",
                     to: "process.parent.command_line",
                 },
+                {
+                    from: "winlog.event_data.OriginalFileName",
+                    to: "process.pe.original_file_name",
+                },
             ],
             mode: "rename",
             ignore_missing: true,
             fail_on_error: false,
         })
+        .Convert({
+            fields: [{
+                    from: "winlog.event_data.Company",
+                    to: "process.pe.company",
+                },
+                {
+                    from: "winlog.event_data.Description",
+                    to: "process.pe.description",
+                },
+                {
+                    from: "winlog.event_data.FileVersion",
+                    to: "process.pe.file_version",
+                },
+                {
+                    from: "winlog.event_data.Product",
+                    to: "process.pe.product",
+                },
+            ],
+            mode: "copy",
+            ignore_missing: true,
+            fail_on_error: false,
+        })
         .Add(setRuleName)
         .Add(setProcessNameUsingExe)
         .Add(splitProcessArgs)
@@ -951,6 +977,11 @@ var sysmon = (function () {
                     from: "winlog.event_data.ImageLoaded",
                     to: "file.path",
                 },
+                {
+                    from: "winlog.event_data.OriginalFileName",
+                    to: "file.pe.original_file_name",
+                },
+
             ],
             mode: "rename",
             ignore_missing: true,
@@ -965,7 +996,24 @@ var sysmon = (function () {
                     from: "winlog.event_data.SignatureStatus",
                     to: "file.code_signature.status",
                 },
+                {
+                    from: "winlog.event_data.Company",
+                    to: "file.pe.company",
+                },
+                {
+                    from: "winlog.event_data.Description",
+                    to: "file.pe.description",
+                },
+                {
+                    from: "winlog.event_data.FileVersion",
+                    to: "file.pe.file_version",
+                },
+                {
+                    from: "winlog.event_data.Product",
+                    to: "file.pe.product",
+                },
             ],
+            ignore_missing: true,
             fail_on_error: false,
         })
         .Add(setRuleName)

diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-loadimage.evtx b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-loadimage.evtx
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-loadimage.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-loadimage.evtx.golden.json
@@ -0,0 +1,94 @@
+[
+  {
+    "@timestamp": "2020-10-28T02:39:26.374Z",
+    "event": {
+      "category": [
+        "process"
+      ],
+      "code": 7,
+      "kind": "event",
+      "module": "sysmon",
+      "provider": "Microsoft-Windows-Sysmon",
+      "type": [
+        "change"
+      ]
+    },
+    "file": {
+      "code_signature": {
+        "signed": true,
+        "status": "Valid",
+        "subject_name": "Microsoft Windows",
+        "valid": true
+      },
+      "directory": "C:\\Windows\\System32",
+      "extension": "dll",
+      "hash": {
+        "md5": "c7c45610f644906e6f7d664ef2e45b08",
+        "sha1": "9955a1c071c44a7ceecc0d928a9cfb7f64cc3f93",
+        "sha256": "4808f1101f4e42387d8ddb7a355668bae3bf6f781c42d3bcd82e23446b1deb3e"
+      },
+      "name": "IDStore.dll",
+      "path": "C:\\Windows\\System32\\IDStore.dll",
+      "pe": {
+        "company": "Microsoft Corporation",
+        "description": "Identity Store",
+        "file_version": "10.0.17763.1 (WinBuild.160101.0800)",
+        "imphash": "194f3797b52231028c718b6d776c6853",
+        "original_file_name": "IdStore.dll",
+        "product": "Microsoft® Windows® Operating System"
+      }
+    },
+    "host": {
+      "name": "vagrant"
+    },
+    "log": {
+      "level": "information"
+    },
+    "process": {
+      "entity_id": "{9f32b55f-d9de-5f98-f006-000000000600}",
+      "executable": "C:\\Windows\\System32\\dllhost.exe",
+      "name": "dllhost.exe",
+      "pid": 5184
+    },
+    "related": {
+      "hash": [
+        "9955a1c071c44a7ceecc0d928a9cfb7f64cc3f93",
+        "c7c45610f644906e6f7d664ef2e45b08",
+        "4808f1101f4e42387d8ddb7a355668bae3bf6f781c42d3bcd82e23446b1deb3e",
+        "194f3797b52231028c718b6d776c6853"
+      ]
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Microsoft-Windows-Sysmon/Operational",
+      "computer_name": "vagrant",
+      "event_data": {
+        "Company": "Microsoft Corporation",
+        "Description": "Identity Store",
+        "FileVersion": "10.0.17763.1 (WinBuild.160101.0800)",
+        "Product": "Microsoft® Windows® Operating System",
+        "RuleName": "-",
+        "Signature": "Microsoft Windows",
+        "SignatureStatus": "Valid",
+        "Signed": "true"
+      },
+      "event_id": 7,
+      "process": {
+        "pid": 1676,
+        "thread": {
+          "id": 4796
+        }
+      },
+      "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+      "provider_name": "Microsoft-Windows-Sysmon",
+      "record_id": 10685,
+      "user": {
+        "domain": "NT AUTHORITY",
+        "identifier": "S-1-5-18",
+        "name": "SYSTEM",
+        "type": "Well Known Group"
+      },
+      "version": 3
+    }
+  }
+]
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json
@@ -0,0 +1,96 @@
+[
+  {
+    "@timestamp": "2020-10-27T20:00:14.32Z",
+    "event": {
+      "category": [
+        "process"
+      ],
+      "code": 1,
+      "kind": "event",
+      "module": "sysmon",
+      "provider": "Microsoft-Windows-Sysmon",
+      "type": [
+        "start",
+        "process_start"
+      ]
+    },
+    "host": {
+      "name": "vagrant"
+    },
+    "log": {
+      "level": "information"
+    },
+    "process": {
+      "args": [
+        "C:\\Windows\\system32\\notepad.exe"
+      ],
+      "command_line": "\"C:\\Windows\\system32\\notepad.exe\" ",
+      "entity_id": "{9f32b55f-7c4e-5f98-5803-000000000500}",
+      "executable": "C:\\Windows\\System32\\notepad.exe",
+      "hash": {
+        "sha1": "b6d237154f2e528f0b503b58b025862d66b02b73"
+      },
+      "name": "notepad.exe",
+      "parent": {
+        "args": [
+          "C:\\Windows\\Explorer.EXE"
+        ],
+        "command_line": "C:\\Windows\\Explorer.EXE",
+        "entity_id": "{9f32b55f-6fdf-5f98-7000-000000000500}",
+        "executable": "C:\\Windows\\explorer.exe",
+        "name": "explorer.exe",
+        "pid": 4212
+      },
+      "pe": {
+        "company": "Microsoft Corporation",
+        "description": "Notepad",
+        "file_version": "10.0.17763.475 (WinBuild.160101.0800)",
+        "original_file_name": "NOTEPAD.EXE",
+        "product": "Microsoft® Windows® Operating System"
+      },
+      "pid": 3616,
+      "working_directory": "C:\\Users\\vagrant\\"
+    },
+    "related": {
+      "hash": "b6d237154f2e528f0b503b58b025862d66b02b73",
+      "user": "vagrant"
+    },
+    "user": {
+      "domain": "VAGRANT",
+      "name": "vagrant"
+    },
+    "winlog": {
+      "api": "wineventlog",
+      "channel": "Microsoft-Windows-Sysmon/Operational",
+      "computer_name": "vagrant",
+      "event_data": {
+        "Company": "Microsoft Corporation",
+        "Description": "Notepad",
+        "FileVersion": "10.0.17763.475 (WinBuild.160101.0800)",
+        "IntegrityLevel": "Medium",
+        "LogonGuid": "{9f32b55f-6fdd-5f98-e7c9-020000000000}",
+        "LogonId": "0x2c9e7",
+        "Product": "Microsoft® Windows® Operating System",
+        "RuleName": "-",
+        "TerminalSessionId": "1"
+      },
+      "event_id": 1,
+      "process": {
+        "pid": 7144,
+        "thread": {
+          "id": 6876
+        }
+      },
+      "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+      "provider_name": "Microsoft-Windows-Sysmon",
+      "record_id": 20,
+      "user": {
+        "domain": "NT AUTHORITY",
+        "identifier": "S-1-5-18",
+        "name": "SYSTEM",
+        "type": "Well Known Group"
+      },
+      "version": 5
+    }
+  }
+]
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json
@@ -126,6 +126,12 @@
         "name": "services.exe",
         "pid": 488
       },
+      "pe": {
+        "company": "Sysinternals - www.sysinternals.com",
+        "description": "System activity monitor",
+        "file_version": "9.01",
+        "product": "Sysinternals Sysmon"
+      },
       "pid": 4860,
       "working_directory": "C:\\Windows\\system32\\"
     },
@@ -215,6 +221,12 @@
         "name": "svchost.exe",
         "pid": 560
       },
+      "pe": {
+        "company": "Microsoft Corporation",
+        "description": "Sink to receive asynchronous callbacks for WMI client application",
+        "file_version": "6.3.9600.16384 (winblue_rtm.130821-1623)",
+        "product": "Microsoft® Windows® Operating System"
+      },
       "pid": 5028,
       "working_directory": "C:\\Windows\\system32\\"
     },
@@ -404,6 +416,12 @@
         "name": "svchost.exe",
         "pid": 560
       },
+      "pe": {
+        "company": "Microsoft Corporation",
+        "description": "WMI Provider Host",
+        "file_version": "6.3.9600.16384 (winblue_rtm.130821-1623)",
+        "product": "Microsoft® Windows® Operating System"
+      },
       "pid": 4508,
       "working_directory": "C:\\Windows\\system32\\"
     },