From 624a6caf7a02a98bb7cbfd2dd7f31efd1b78b809 Mon Sep 17 00:00:00 2001
From: kevin pascoe
Date: Tue, 17 Mar 2020 10:05:21 +0000
Subject: [PATCH] Added parent_process_command_line to all the places I think it should go. Updated csv in Threathunting.tar.gz file to include new column.
---
 .../data/ui/views/process_create_whitelist.xml | 12 +++++++++---
 default/macros.conf | 2 +-
 default/transforms.conf | 4 ++--
 files/ThreatHunting.tar.gz | Bin 879 -> 860 bytes
 4 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/default/data/ui/views/process_create_whitelist.xml b/default/data/ui/views/process_create_whitelist.xml
index 6c15326..d51be3f 100644
--- a/default/data/ui/views/process_create_whitelist.xml
+++ b/default/data/ui/views/process_create_whitelist.xml
@@ -37,6 +37,11 @@ * * + + + * + * +
@@ -57,6 +62,7 @@
 | eval mitre_technique_id = COALESCE(if(trim("$mitre_technique_id$")="", "*", trim("$mitre_technique_id$")), "*")
 | eval reason = trim("$input_reason$")
 | eval process_command_line = $process_command_line|s$
+ | eval process_parent_command_line = COALESCE(if(trim("$process_parent_command_line$")="", "*", trim("$process_parent_command_line$")), "*")
 | eval process_path = COALESCE(if(trim("$process_path$")="", "*", trim("$process_path$")), "*")
 | eval process_parent_path = COALESCE(if(trim("$process_parent_path$")="", "*", trim("$process_parent_path$")), "*")
 | eval hash_sha256 = COALESCE(if(trim("$hash_sha256$")="", "*", trim("$hash_sha256$")), "*")
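Review bot: The added `process_parent_command_line` eval splices the raw form token into a double-quoted SPL string, whereas the `process_command_line` line directly above it passes the value through the `|s` filter that quotes and escapes it. Parent command lines routinely contain double quotes (quoted executable paths, for instance), so such an entry would break this eval, and because the value flows on to `outputlookup` the unescaped token also lets form input alter the search text rather than only the stored row. Using the filter inside trim keeps the existing empty-to-`*` default while escaping the input: `| eval process_parent_command_line = COALESCE(if(trim($process_parent_command_line|s$)="", "*", trim($process_parent_command_line|s$)), "*")`. The untouched process_path, process_parent_path and hash_sha256 lines in the same hunk follow the same unescaped pattern, and the search this hunk belongs to starts before and continues after it.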
@@ -69,9 +75,9 @@
 | inputlookup append=t threathunting_process_create_whitelist.csv
 | sort -added_date
-| dedup host_fqdn, user_name, mitre_technique_id, process_path process_parent_path process_command_line hash_sha256
+| dedup host_fqdn, user_name, mitre_technique_id, process_path process_parent_path process_parent_command_line process_command_line hash_sha256
 | outputlookup threathunting_process_create_whitelist.csv
-| fields added_date contact mitre_technique_id reason host_fqdn user_name process_path process_parent_path process_command_line hash_sha256
+| fields added_date contact mitre_technique_id reason host_fqdn user_name process_path process_parent_path process_parent_command_line process_command_line hash_sha256
 0
@@ -88,7 +94,7 @@
 Current Entries
- | inputlookup threathunting_process_create_whitelist.csv | sort -added_date | fields added_date contact mitre_technique_id reason host_fqdn user_name process_path process_parent_path process_command_line hash_sha256
+ | inputlookup threathunting_process_create_whitelist.csv | sort -added_date | fields added_date contact mitre_technique_id reason host_fqdn user_name process_path process_parent_path process_parent_command_line process_command_line hash_sha256
 0
diff --git a/default/macros.conf b/default/macros.conf
index 2603731..01b1cd1 100644
--- a/default/macros.conf
+++ b/default/macros.conf
@@ -43,7 +43,7 @@ definition = "WINDOMAIN\\*"
 iseval = 0
 [process_create_whitelist]
-definition = lookup process_create_whitelist mitre_technique_id host_fqdn user_name process_path process_parent_path process_command_line output reason | where isnull(reason)
+definition = lookup process_create_whitelist mitre_technique_id host_fqdn user_name process_path process_parent_path process_command_line process_parent_command_line output reason | where isnull(reason)
 iseval = 0
 [network_whitelist]
diff --git a/default/transforms.conf b/default/transforms.conf
index 5c88166..6fd3883 100644
--- a/default/transforms.conf
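Review bot: Entries already stored in threathunting_process_create_whitelist.csv predate the new column, so after the `inputlookup append=t` line they are re-written with an empty `process_parent_command_line`, and once the macros.conf hunk adds that field to the lookup call those legacy rows will presumably stop matching events that carry a parent command line, surfacing previously whitelisted process creations until each entry is re-added. Adding `| fillnull value="*" process_parent_command_line` immediately after the `inputlookup append=t` line gives legacy rows the same any-parent meaning they had before this change, matching the `*` default the form applies to new entries. Whether the bundled CSV in files/ThreatHunting.tar.gz already carries the column cannot be checked from this diff. The search this hunk is part of starts before the hunk.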
+++ b/default/transforms.conf
@@ -14,7 +14,7 @@ filename = doh.csv
 batch_index_query = 0
 case_sensitive_match = 0
 filename = threathunting_process_create_whitelist.csv
-match_type = WILDCARD(mitre_technique_id),WILDCARD(host_fqdn),WILDCARD(user_name),WILDCARD(process_path),WILDCARD(process_parent_path),WILDCARD(process_command_line),WILDCARD(hash_sha256)
+match_type = WILDCARD(mitre_technique_id),WILDCARD(host_fqdn),WILDCARD(user_name),WILDCARD(process_path),WILDCARD(process_parent_path),WILDCARD(process_command_line),WILDCARD(process_parent_command_line),WILDCARD(hash_sha256)
 max_matches = 10
 min_matches = 1
@@ -96,4 +96,4 @@ case_sensitive_match = 0
 filename = threathunting_remote_thread_whitelist.csv
 match_type = WILDCARD(mitre_technique_id),WILDCARD(host_fqdn),WILDCARD(process_path),WILDCARD(target_process_address),WILDCARD(target_process_path)
 max_matches = 10
-min_matches = 1
\ No newline at end of file
+min_matches = 1
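Review bot: The new key is appended after `process_command_line` here and in the macros.conf lookup call, but the view's `dedup`/`fields` lines in process_create_whitelist.xml place `process_parent_command_line` before `process_command_line`, so the CSV header and the two definitions disagree on column order. Splunk binds lookup columns by name, so this is presumably functional, but one consistent order across the three files would make the whitelist schema easier to audit; moving `WILDCARD(process_parent_command_line)` ahead of `WILDCARD(process_command_line)` in this match_type line would align it with the CSV as the view writes it. The stanza this hunk belongs to starts before the hunk.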
diff --git a/files/ThreatHunting.tar.gz b/files/ThreatHunting.tar.gz index ad42387d2036c07279dc923dc659dbf73bea4668..d1e6860f4090e11c73aaa96e7be2c39c4773998c 100644 GIT binary patch delta 857 zcmV-f1E&1%2HXaJABzY8gq(0*00Zrs!E)L#5I}v-S1>-4R+424jwGhjdvo__Y=Jd^ z?MNaS{=Sl-fGHUa1&6l#E?5eKLw4V4CFdnqf}8Kl!pLI!)w>DE!otu)5yC7C>Q{tt zJ-@-j0YwDUfMDh!OmKj`UU-{dr^!+qu6jLhR&kw{qKjL9-V-m4_|MC7wygA(^PpY) zqkv)@VfQ{a2qFGma6JB|p3T>@$wbaY!qZe}oxJDLh`H3}ORC>m-ophrqV&V~<0!Q8 z4;Ujh0|@dE2_nk89=ho_-|(Nu-{)B-vLxe1`2Dmj3{OqpUr3`wVnmu3@^vW^nfZO2 z5xOk;eqL&SlT2Q-!teW)D(kGMY_iy4ohX~@#K?uneuCck&)`j4pdA0q<(cfoQ0Gpo3Nto-#wRVw2*y+2kT4vN9Aa-mha z{-~w4k{2B0y(`-J|DNPr=R%(;{)SWjBZjyBBj)_alm_5`7x*r)iOx9*qdkXfPaDn) zuI5r`)1TW?p$$0vZ_vj7N>(CC-Hf-2znt^z`c`u?zPgQi88H0_$9>k))q z;$fE#k?VUX7!3XET+S{_ZJ4r`QWh-DnKGr!4!+O6EluC}ob~tEwx5Lio$)Wq@?p8q z7oG&vJpQKc&70n6p~{$R9kIA>o^xS%A+-4(>!&W~I5z&+tH$4> z6cZN(XoxWN13Va_Yk&EQFFyVbOA?+$2{YUo#icYXHX~;)jN*~uaW2KreIYVp&J&TQ_IZ05Ri|_F z-oMLN;S~Sls*_*A|KNrHKCbkDZ9sl<&Yy(2hbROxPVLxzoL%^X>u~j}U=W`~L zs1TCxgbT%`*^dv+;U>&1HCK^j)m6L*6c86K%q#vYs|8QK>6MM3WXo_oBV!MFcuMgMPXjXX zLK;rccs!lB;pFCa8vgXj7_u^WbD7J8VD(d{Jk??Q0(6VN69D?Tr6 z-mg28)6@S^|FOGW|6xk}D*t=ne?J_q|M^pupUrB)Ps#SX34CucV9%qPvj5O30b<2F z(ZzqspQ9>I@Y7R&&C&fI>bCViCDwluU=RH7gT2arBjvjAexW{Rst{b8QDH-cHX!W( zL8tYzvy4C-g^4Tu~(dbtHo99wJoU8vy`QHYB%6|;^ z|N7yu|A|#xES%=aqEzPmZ2+y}=A+sTeNg@5(8d2$6#VR)|AQ0#$MyYx`vCv@;G*?^ zJy9UleLrl F007pi(P;nx