diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index e58f904535c8..874fa29264ae 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -800,6 +800,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add registry and code signature information and ECS categorization fields for sysmon module {pull}18058[18058]
 - Add new winlogbeat security dashboard {pull}18775[18775]
 - Add `event.outcome` to events based on the audit success and audit failure keywords. {pull}20564[20564]
+- Add file.pe and process.pe fields to ProcessCreate & LoadImage events in Sysmon module. {issue}17335[17335] {pull}22217[22217]
 *Elastic Log Driver*
 - Add support for `docker logs` command {pull}19531[19531]
diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
index 5b09c98fc32f..d59217222107 100644
--- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
+++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
@@ -677,11 +677,37 @@ var sysmon = (function () {
 from: "winlog.event_data.ParentCommandLine",
 to: "process.parent.command_line",
 },
+ {
+ from: "winlog.event_data.OriginalFileName",
+ to: "process.pe.original_file_name",
+ },
 ],
 mode: "rename",
 ignore_missing: true,
 fail_on_error: false,
 })
+ .Convert({
+ fields: [{
+ from: "winlog.event_data.Company",
+ to: "process.pe.company",
+ },
+ {
+ from: "winlog.event_data.Description",
+ to: "process.pe.description",
+ },
+ {
+ from: "winlog.event_data.FileVersion",
+ to: "process.pe.file_version",
+ },
+ {
+ from: "winlog.event_data.Product",
+ to: "process.pe.product",
+ },
+ ],
+ mode: "copy",
+ ignore_missing: true,
+ fail_on_error: false,
+ })
 .Add(setRuleName)
 .Add(setProcessNameUsingExe)
 .Add(splitProcessArgs)
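Review bot: The new `.Convert` block copies `Company`, `Description`, `FileVersion` and `Product` into `process.pe.*` with `mode: "copy"`, while `OriginalFileName` a few lines earlier goes through the rename block, so the event keeps duplicate copies of the four version-info strings under `winlog.event_data` but not of `OriginalFileName`; the new `sysmon-12-processcreate.evtx.golden.json` shows exactly that split, and the `-965,7` hunk below does the same for `file.pe.*`. If the duplication is intentional, a one-line comment above `.Convert({` would keep the next reader from "fixing" it, e.g. `// Version-info strings are copied rather than renamed so the raw values stay under winlog.event_data.`. These strings are supplied by the image itself (presumably from its version resource), so `process.pe.original_file_name` is useful as a cross-check against `process.name` in detection content but should not be read as a trust signal; a short comment saying so next to the rename entry would help consumers of the module. The enclosing `.Convert`/`.Add` chain starts and ends outside the hunk.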
@@ -951,6 +977,11 @@ var sysmon = (function () {
 from: "winlog.event_data.ImageLoaded",
 to: "file.path",
 },
+ {
+ from: "winlog.event_data.OriginalFileName",
+ to: "file.pe.original_file_name",
+ },
+
 ],
 mode: "rename",
 ignore_missing: true,
@@ -965,7 +996,24 @@ var sysmon = (function () {
 from: "winlog.event_data.SignatureStatus",
 to: "file.code_signature.status",
 },
+ {
+ from: "winlog.event_data.Company",
+ to: "file.pe.company",
+ },
+ {
+ from: "winlog.event_data.Description",
+ to: "file.pe.description",
+ },
+ {
+ from: "winlog.event_data.FileVersion",
+ to: "file.pe.file_version",
+ },
+ {
+ from: "winlog.event_data.Product",
+ to: "file.pe.product",
+ },
 ],
+ ignore_missing: true,
 fail_on_error: false,
 })
 .Add(setRuleName)
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-loadimage.evtx b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-loadimage.evtx
new file mode 100644
index 000000000000..7414b7fd316f
Binary files /dev/null and b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-loadimage.evtx differ
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-loadimage.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-loadimage.evtx.golden.json
new file mode 100644
index 000000000000..b1dda71c5534
--- /dev/null
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-loadimage.evtx.golden.json
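Review bot: The empty added line after the new `+ },` entry, just before the context line ` ],`, leaves a stray blank line inside the `fields` array literal of the ImageLoaded rename block. The sibling `fields` arrays in this file, including the `-677,11` hunk above, have no blank lines between entries, so this line should be dropped for consistency. The `.Convert({` call that owns this array begins and ends outside the hunk.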
@@ -0,0 +1,94 @@ +[ + { + "@timestamp": "2020-10-28T02:39:26.374Z", + "event": { + "category": [ + "process" + ], + "code": 7, + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "file": { + "code_signature": { + "signed": true, + "status": "Valid", + "subject_name": "Microsoft Windows", + "valid": true + }, + "directory": "C:\\Windows\\System32", + "extension": "dll", + "hash": { + "md5": "c7c45610f644906e6f7d664ef2e45b08", + "sha1": "9955a1c071c44a7ceecc0d928a9cfb7f64cc3f93", + "sha256": "4808f1101f4e42387d8ddb7a355668bae3bf6f781c42d3bcd82e23446b1deb3e" + }, + "name": "IDStore.dll", + "path": "C:\\Windows\\System32\\IDStore.dll", + "pe": { + "company": "Microsoft Corporation", + "description": "Identity Store", + "file_version": "10.0.17763.1 (WinBuild.160101.0800)", + "imphash": "194f3797b52231028c718b6d776c6853", + "original_file_name": "IdStore.dll", + "product": "Microsoft® Windows® Operating System" + } + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{9f32b55f-d9de-5f98-f006-000000000600}", + "executable": "C:\\Windows\\System32\\dllhost.exe", + "name": "dllhost.exe", + "pid": 5184 + }, + "related": { + "hash": [ + "9955a1c071c44a7ceecc0d928a9cfb7f64cc3f93", + "c7c45610f644906e6f7d664ef2e45b08", + "4808f1101f4e42387d8ddb7a355668bae3bf6f781c42d3bcd82e23446b1deb3e", + "194f3797b52231028c718b6d776c6853" + ] + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "Company": "Microsoft Corporation", + "Description": "Identity Store", + "FileVersion": "10.0.17763.1 (WinBuild.160101.0800)", + "Product": "Microsoft® Windows® Operating System", + "RuleName": "-", + "Signature": "Microsoft Windows", + "SignatureStatus": "Valid", + "Signed": "true" + }, + "event_id": 7, + "process": { + "pid": 1676, + "thread": { + "id": 4796 + } + }, + 
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 10685, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 3 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx new file mode 100644 index 000000000000..d1fd4fd70efe Binary files /dev/null and b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx differ diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json new file mode 100644 index 000000000000..7de72129b33f --- /dev/null +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json 
@@ -0,0 +1,96 @@ +[ + { + "@timestamp": "2020-10-27T20:00:14.32Z", + "event": { + "category": [ + "process" + ], + "code": 1, + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "process_start" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "args": [ + "C:\\Windows\\system32\\notepad.exe" + ], + "command_line": "\"C:\\Windows\\system32\\notepad.exe\" ", + "entity_id": "{9f32b55f-7c4e-5f98-5803-000000000500}", + "executable": "C:\\Windows\\System32\\notepad.exe", + "hash": { + "sha1": "b6d237154f2e528f0b503b58b025862d66b02b73" + }, + "name": "notepad.exe", + "parent": { + "args": [ + "C:\\Windows\\Explorer.EXE" + ], + "command_line": "C:\\Windows\\Explorer.EXE", + "entity_id": "{9f32b55f-6fdf-5f98-7000-000000000500}", + "executable": "C:\\Windows\\explorer.exe", + "name": "explorer.exe", + "pid": 4212 + }, + "pe": { + "company": "Microsoft Corporation", + "description": "Notepad", + "file_version": "10.0.17763.475 (WinBuild.160101.0800)", + "original_file_name": "NOTEPAD.EXE", + "product": "Microsoft® Windows® Operating System" + }, + "pid": 3616, + "working_directory": "C:\\Users\\vagrant\\" + }, + "related": { + "hash": "b6d237154f2e528f0b503b58b025862d66b02b73", + "user": "vagrant" + }, + "user": { + "domain": "VAGRANT", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "Company": "Microsoft Corporation", + "Description": "Notepad", + "FileVersion": "10.0.17763.475 (WinBuild.160101.0800)", + "IntegrityLevel": "Medium", + "LogonGuid": "{9f32b55f-6fdd-5f98-e7c9-020000000000}", + "LogonId": "0x2c9e7", + "Product": "Microsoft® Windows® Operating System", + "RuleName": "-", + "TerminalSessionId": "1" + }, + "event_id": 1, + "process": { + "pid": 7144, + "thread": { + "id": 6876 + } + }, + "provider_guid": 
"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 20, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json index 0ba347499a8a..9f1d14c88ab6 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json @@ -126,6 +126,12 @@ "name": "services.exe", "pid": 488 }, + "pe": { + "company": "Sysinternals - www.sysinternals.com", + "description": "System activity monitor", + "file_version": "9.01", + "product": "Sysinternals Sysmon" + }, "pid": 4860, "working_directory": "C:\\Windows\\system32\\" }, @@ -215,6 +221,12 @@ "name": "svchost.exe", "pid": 560 }, + "pe": { + "company": "Microsoft Corporation", + "description": "Sink to receive asynchronous callbacks for WMI client application", + "file_version": "6.3.9600.16384 (winblue_rtm.130821-1623)", + "product": "Microsoft® Windows® Operating System" + }, "pid": 5028, "working_directory": "C:\\Windows\\system32\\" }, @@ -404,6 +416,12 @@ "name": "svchost.exe", "pid": 560 }, + "pe": { + "company": "Microsoft Corporation", + "description": "WMI Provider Host", + "file_version": "6.3.9600.16384 (winblue_rtm.130821-1623)", + "product": "Microsoft® Windows® Operating System" + }, "pid": 4508, "working_directory": "C:\\Windows\\system32\\" },