Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[8.16] Update WMI event fields and add missing custom documentation fields #546

Merged
merged 15 commits into from
Sep 24, 2024
Merged

[8.16] Update WMI event fields and add missing custom documentation fields #546

merged 15 commits into from
Sep 24, 2024

Conversation

AsuNa-jp
Copy link
Contributor

@AsuNa-jp AsuNa-jp commented Sep 19, 2024
edited
Loading

Change Summary

  • Reflected the feedbacks from @jdu2600 on the previous PR.
  • Added process.Ext.api.parameters.operation field (which I forgot to include it in the previous PR)
  • Added the custom documentation for the newly added file event fileds in this PR.
  • Added the custom documentation for Win32k APIs and WMI APIs

Sample values

Below are examples of the custom API fields (process.Ext.api.parameters.operation) that will be added by this PR. The sample of the document is here sample_event.json

    "message": "Malicious Behavior Detection Alert: EAF Rule",
    "process": {
        "Ext": {
            "api": {
                "metadata": {
                    "client_is_local": true
                },
                "name": "IWbemServices::CreateInstanceEnum",
                "parameters": {
                    "namespace": "root\\Microsoft\\Windows\\DeviceGuard",
                    "operation": "Win32_DeviceGuard"
                }
            },

Release Target

8.16

For mapping changes:

  • I ran make after making the schema changes, and committed all changes

@AsuNa-jp AsuNa-jp requested a review from a team as a code owner September 19, 2024 04:08
@AsuNa-jp AsuNa-jp marked this pull request as draft September 19, 2024 04:11
@AsuNa-jp AsuNa-jp self-assigned this Sep 19, 2024
jdu2600
jdu2600 approved these changes Sep 20, 2024
View reviewed changes
Copy link
Contributor

@jdu2600 jdu2600 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.
You'll need to resolve the conflicts due to my merge of #545 and regenerate.

@AsuNa-jp AsuNa-jp marked this pull request as ready for review September 20, 2024 03:52
@AsuNa-jp AsuNa-jp requested a review from a team as a code owner September 20, 2024 03:52
@AsuNa-jp
Copy link
Contributor Author

Resolved the conflict between #545.
So I think it is now ready for review! @elastic/security-defend-workflows

@AsuNa-jp
Copy link
Contributor Author

Thanks for the review!

intxgo
intxgo reviewed Sep 24, 2024
View reviewed changes
package/endpoint/data_stream/api/fields/fields.yml
@@ -1272,7 +1272,7 @@
level: custom
type: keyword
ignore_above: 1024
description: "A list of observed behaviors.\n \"cross-process\" - the observed activity was between two processes\n \"parent-child\" - the observed activity was between a parent process and its child\n \"native_api\" - a call was made directly to the Native API rather than the Win32 API\n \"direct_syscall\" - a syscall instruction originated outside of the Native API layer\n \"proxy_call\" - the call stack may indicate of a proxied API call to mask the true source\n \"sensitive_api\" - executable non-image memory is unexpectedly calling a sensitive API\n \"shellcode\" - suspicious executable non-image memory is calling a sensitive API\n \"image_hooked\" - an entry in the callstack appears to have been hooked\n \"image_indirect_call\" - an entry in the callstack was preceded by a call to a dynamically resolved function\n \"image_rop\" - no call instruction preceded an entry in the call stack\n \"image_rwx\" - an entry in the callstack is writable\n \"unbacked_rwx\" - an entry in the callstack is non-image and writable\n \"truncated_stack\" - call stack is unexpected truncated due to malicious tampering or system load\n \"allocate_shellcode\" - a region of non-image executable memory allocated more executable memory\n \"execute_fluctuation\" - the PAGE_EXECUTE protection is unexpectedly fluctuating\n \"write_fluctuation\" - the PAGE_WRITE protection of executable memory is unexpectedly fluctuating\n \"hook_api\" - a change to the memory protection of a small executable image memory region was made\n \"hollow_image\" - a change to the memory protection of a large executable image memory region was made\n \"hook_unbacked\" - a change to the memory protection of a small executable non-image memory was made\n \"hollow_unbacked\" - a change to the memory protection of a large executable non-image memory was made\n \"guarded_code\" - executable memory was unexpectedly marked as PAGE_GUARD\n \"hidden_code\" - executable memory was unexpectedly marked as PAGE_NOACCESS\n \"execute_shellcode\" - a region of non-image executable memory was unexpectedly transferred control\n \"hardware_breakpoint_set\" - a hardware breakpoint was set\n \"rapid_background_polling\" - a suspicious process which does rapid input polling via GetAsyncKeyState API was observed\n \"multiple_polling_processes\" - multiple suspicious processes which do rapid input polling via the GetAsyncKeyState API were observed\n \"pid_spoofing\" - WMI client proceess passed a forged process ID to the WMI server to spoof their origin"
description: "A list of observed behaviors.\n \"cross-process\" - the observed activity was between two processes\n \"parent-child\" - the observed activity was between a parent process and its child\n \"native_api\" - a call was made directly to the Native API rather than the Win32 API\n \"direct_syscall\" - a syscall instruction originated outside of the Native API layer\n \"proxy_call\" - the call stack may indicate of a proxied API call to mask the true source\n \"sensitive_api\" - executable non-image memory is unexpectedly calling a sensitive API\n \"shellcode\" - suspicious executable non-image memory is calling a sensitive API\n \"image_hooked\" - an entry in the callstack appears to have been hooked\n \"image_indirect_call\" - an entry in the callstack was preceded by a call to a dynamically resolved function\n \"image_rop\" - no call instruction preceded an entry in the call stack\n \"image_rwx\" - an entry in the callstack is writable\n \"unbacked_rwx\" - an entry in the callstack is non-image and writable\n \"truncated_stack\" - call stack is unexpected truncated due to malicious tampering or system load\n \"allocate_shellcode\" - a region of non-image executable memory allocated more executable memory\n \"execute_fluctuation\" - the PAGE_EXECUTE protection is unexpectedly fluctuating\n \"write_fluctuation\" - the PAGE_WRITE protection of executable memory is unexpectedly fluctuating\n \"hook_api\" - a change to the memory protection of a small executable image memory region was made\n \"hollow_image\" - a change to the memory protection of a large executable image memory region was made\n \"hook_unbacked\" - a change to the memory protection of a small executable non-image memory was made\n \"hollow_unbacked\" - a change to the memory protection of a large executable non-image memory was made\n \"guarded_code\" - executable memory was unexpectedly marked as PAGE_GUARD\n \"hidden_code\" - executable memory was unexpectedly marked as PAGE_NOACCESS\n \"execute_shellcode\" - a region of non-image executable memory was unexpectedly transferred control\n \"hardware_breakpoint_set\" - a hardware breakpoint was set\n \"rapid_background_polling\" - a suspicious process which does rapid input polling via GetAsyncKeyState API was observed\n \"multiple_polling_processes\" - multiple suspicious processes which do rapid input polling via the GetAsyncKeyState API were observed\n \"pid_spoofing\" - The acting process details may have been spoofed to hide the true origin\n \"legacy_api\" - a deprecated or superseded API was called"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

- call stack is unexpected truncated due to malicious tampering or system load
+ call stack is unexpectedly truncated due to malicious tampering or system load
- a region of non-image executable memory allocated more executable memory
+ a region of non-image executable memory allocated executable memory
- a region of non-image executable memory was unexpectedly transferred control
+ control was transferred unexpectedly to a region of non-image executable memory

Some descriptions seems oddly worded, just my suggestion, not necessarily correct

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You’re right, the wording is indeed a bit odd. I’ll check with John, but for now, I’ll go ahead and merge this PR as it is!

@AsuNa-jp AsuNa-jp merged commit fc954a8 into main Sep 24, 2024
4 checks passed
@AsuNa-jp AsuNa-jp deleted the 8.16_events branch October 4, 2024 04:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@intxgo intxgo intxgo approved these changes

@jdu2600 jdu2600 jdu2600 approved these changes

@pzl pzl pzl approved these changes

Assignees

@AsuNa-jp AsuNa-jp

Labels
v8.16.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@AsuNa-jp @pzl @intxgo @jdu2600