infosecn1nja
/
HELK
mirror of https://github.com/infosecn1nja/HELK.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #22 from leechristensen/master 

Added WMI event log ingestion, primarily for WMI permanent event subscription detection
keyword-vs-text-changes
Roberto Rodriguez 2018-02-08 14:32:24 -05:00 committed by GitHub
parent 6b4054288b 384b2d3f1e
commit 829ed84d1b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 294 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
logstash/output_templates/winevent-wmiactivity-template.json Normal file
View File

@ -0,0 +1,38 @@
{
"template" : "winevent-wmiactivity-*",
"settings" : {
"index.refresh_interval": "5s"
},
"mappings":{
"doc":{
"dynamic_templates": [{
"strings":{
"match_mapping_type": "string",
"mapping": {
"type": "text",
"norms": false,
"fields": {
"raw": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}],
"properties":{
"@timestamp":{"type":"date"},
"process":{
"properties":{
"id":{"type":"integer"},
"target":{
"properties":{
"id":{"type":"integer"}
}
}
}
}
}
}
}
}

235
logstash/pipeline/15-winevent-wmiactivity-filter.conf Normal file
View File

@ -0,0 +1,235 @@
# HELK winevent-wmiactivity filter conf file
# HELK build version: 0.9 (BETA)
# HELK ELK version: 6.x
# Author: Lee Christensen (@tifkin_)
# License: BSD 3-Clause
filter {
if [log_name] == "Microsoft-Windows-WMI-Activity/Operational"{
# wevtutil gp "Microsoft-Windows-WMI-Activity" /ge:true /gm:true /f:XML
if [event_id] == 5857 {
#<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
# <System>
# <Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}" />
# <EventID>5857</EventID>
# <Version>0</Version>
# <Level>0</Level>
# <Task>0</Task>
# <Opcode>0</Opcode>
# <Keywords>0x4000000000000000</Keywords>
# <TimeCreated SystemTime="2018-02-05T03:56:37.904674000Z" />
# <EventRecordID>4154</EventRecordID>
# <Correlation />
# <Execution ProcessID="4964" ThreadID="5016" />
# <Channel>Microsoft-Windows-WMI-Activity/Operational</Channel>
# <Computer>HELK-win</Computer>
# <Security UserID="S-1-5-18" />
# </System>
# <UserData>
# <Operation_StartedOperational xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
# <ProviderName>VolumeChangeEvents</ProviderName>
# <Code>0x0</Code>
# <HostProcess>wmiprvse.exe</HostProcess>
# <ProcessID>4964</ProcessID>
# <ProviderPath>%systemroot%\system32\wbem\wmipcima.dll</ProviderPath>
# </Operation_StartedOperational>
# </UserData>
#</Event>
mutate {
rename => {
"[user_data][ProviderName]" => "[wmi][provider]"
"[user_data][Code]" => "[wmi][resultcode]"
"[user_data][HostProcess]" => "[process][name]"
"[user_data][ProcessID]" => "[process][id]"
"[user_data][ProviderPath]" => "[wmi][providerpath]"
"[user_data][xml_name]" => "[wmi][xmloperation]" # Should always be "Operation_StartedOperational"
}
}
}
if [event_id] == 5858 {
#<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
# <System>
# <Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}" />
# <EventID>5858</EventID>
# <Version>0</Version>
# <Level>2</Level>
# <Task>0</Task>
# <Opcode>0</Opcode>
# <Keywords>0x4000000000000000</Keywords>
# <TimeCreated SystemTime="2018-02-05T04:08:05.147338500Z" />
# <EventRecordID>4157</EventRecordID>
# <Correlation />
# <Execution ProcessID="2616" ThreadID="3716" />
# <Channel>Microsoft-Windows-WMI-Activity/Operational</Channel>
# <Computer>HELK-win</Computer>
# <Security UserID="S-1-5-18" />
# </System>
# <UserData>
# <Operation_ClientFailure xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
# <Id>{00000000-0000-0000-0000-000000000000}</Id>
# <ClientMachine>HELK-WIN</ClientMachine>
# <User>NT AUTHORITY\SYSTEM</User>
# <ClientProcessId>3144</ClientProcessId>
# <Component>Unknown</Component>
# <Operation>Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PhysicalMemory</Operation>
# <ResultCode>0x80041032</ResultCode>
# <PossibleCause>Throttling Idle Tasks, refer to CIMOM regkey: ArbTaskMaxIdle</PossibleCause>
# </Operation_ClientFailure>
# </UserData>
#</Event>
mutate {
rename => {
"[user_data][Id]" => "[wmi][id]"
"[user_data][ClientMachine]" => "[wmi][clientmachine]"
"[user_data][User]" => "[user][name]"
"[user_data][ClientProcessId]" => "[process][id]"
"[user_data][Component]" => "[wmi][component]"
"[user_data][Operation]" => "[wmi][operation]"
"[user_data][ResultCode]" => "[wmi][resultcode]"
"[user_data][PossibleCause]" => "[wmi][possiblecause]"
"[user_data][xml_name]" => "[wmi][xmloperation]" # Should always be "Operation_ClientFailure"
}
}
}
if [event_id] == 5859 {
#<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
# <System>
# <Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}" />
# <EventID>5859</EventID>
# <Version>0</Version>
# <Level>0</Level>
# <Task>0</Task>
# <Opcode>0</Opcode>
# <Keywords>0x4000000000000000</Keywords>
# <TimeCreated SystemTime="2018-02-05T03:46:20.968689200Z" />
# <EventRecordID>4131</EventRecordID>
# <Correlation ActivityID="{BDB2DFE9-9E33-0000-6DEB-B2BD339ED301}" />
# <Execution ProcessID="2616" ThreadID="4548" />
# <Channel>Microsoft-Windows-WMI-Activity/Operational</Channel>
# <Computer>HELK-win</Computer>
# <Security UserID="S-1-5-18" />
# </System>
# <UserData>
# <Operation_EssStarted xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
# <NamespaceName>//./root/CIMV2</NamespaceName>
# <Query>select * from MSFT_SCMEventLogEvent</Query>
# <User>S-1-5-32-544</User>
# <Processid>2616</Processid>
# <Provider>SCM Event Provider</Provider>
# <queryid>0</queryid>
# <PossibleCause>Permanent</PossibleCause>
# </Operation_EssStarted>
# </UserData>
#</Event>
mutate {
rename => {
"[user_data][NamespaceName]" => "[wmi][namespace]"
"[user_data][Query]" => "[wmi][query]"
"[user_data][User]" => "[user][name]"
"[user_data][Processid]" => "[process][id]"
"[user_data][Provider]" => "[wmi][provider]"
"[user_data][queryid]" => "[wmi][queryid]"
"[user_data][PossibleCause]" => "[wmi][possiblecause]"
"[user_data][xml_name]" => "[wmi][xmloperation]" # Should always be "Operation_EssStarted"
}
}
}
if [event_id] == 5860 {
#<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
# <System>
# <Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}" />
# <EventID>5860</EventID>
# <Version>0</Version>
# <Level>0</Level>
# <Task>0</Task>
# <Opcode>0</Opcode>
# <Keywords>0x4000000000000000</Keywords>
# <TimeCreated SystemTime="2018-02-05T03:56:37.919072300Z" />
# <EventRecordID>4155</EventRecordID>
# <Correlation />
# <Execution ProcessID="2616" ThreadID="7060" />
# <Channel>Microsoft-Windows-WMI-Activity/Operational</Channel>
# <Computer>HELK-win</Computer>
# <Security UserID="S-1-5-18" />
# </System>
# <UserData>
# <Operation_TemporaryEssStarted xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
# <NamespaceName>root\cimv2</NamespaceName>
# <Query>SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2</Query>
# <User>HELK-win\lee</User>
# <Processid>8120</Processid>
# <ClientMachine>HELK-WIN</ClientMachine>
# <PossibleCause>Temporary</PossibleCause>
# </Operation_TemporaryEssStarted>
# </UserData>
#</Event>
mutate {
rename => {
"[user_data][NamespaceName]" => "[wmi][namespace]"
"[user_data][Query]" => "[wmi][query]"
"[user_data][User]" => "[user][name]"
"[user_data][Processid]" => "[process][id]"
"[user_data][ClientMachine]" => "[wmi][clientmachine]"
"[user_data][PossibleCause]" => "[wmi][possiblecause]"
"[user_data][xml_name]" => "[wmi][xmloperation]" # Should always be "Operation_TemporaryEssStarted"
}
}
}
if [event_id] == 5861 {
#<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
# <System>
# <Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}" />
# <EventID>5861</EventID>
# <Version>0</Version>
# <Level>0</Level>
# <Task>0</Task>
# <Opcode>0</Opcode>
# <Keywords>0x4000000000000000</Keywords>
# <TimeCreated SystemTime="2018-02-05T04:01:49.202740500Z" />
# <EventRecordID>4156</EventRecordID>
# <Correlation />
# <Execution ProcessID="2616" ThreadID="3884" />
# <Channel>Microsoft-Windows-WMI-Activity/Operational</Channel>
# <Computer>HELK-win</Computer>
# <Security UserID="S-1-5-18" />
# </System>
# <UserData>
# <Operation_ESStoConsumerBinding xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
# <Namespace>//./root/subscription</Namespace>
# <ESS>HumanInterfaceDevice</ESS>
# <CONSUMER>NTEventLogEventConsumer="HIDConnectionEvent"</CONSUMER>
# <PossibleCause>Binding EventFilter: instance of __EventFilter { CreatorSID = {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 159, 178, 61, 51, 160, 20, 53, 244, 9, 6, 127, 21, 244, 1, 0, 0}; EventNamespace = "root/cimv2"; Name = "HumanInterfaceDevice"; Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA \"Win32_PointingDevice\" OR TargetInstance ISA \"Win32_KeyBoard\""; QueryLanguage = "WQL"; }; Perm. Consumer: instance of NTEventLogEventConsumer { Category = 0; CreatorSID = {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 159, 178, 61, 51, 160, 20, 53, 244, 9, 6, 127, 21, 244, 1, 0, 0}; EventID = 8; EventType = 2; InsertionStringTemplates = {"HID Device Connected", "Name: %TargetInstance.Name%", "Description: %TargetInstance.Description%", "Type: %TargetInstance.CreationClassName%", "PNPDeviceID: %TargetInstance.PNPDeviceID%"}; Name = "HIDConnectionEvent"; NumberOfInsertionStrings = 5; SourceName = "WSH"; };</PossibleCause>
# </Operation_ESStoConsumerBinding>
# </UserData>
#</Event>
mutate {
rename => {
"[user_data][Namespace]" => "[wmi][namespace]"
"[user_data][ESS]" => "[wmi][eventsubsystem]"
"[user_data][CONSUMER]" => "[wmi][consumer]"
"[user_data][PossibleCause]" => "[wmi][possiblecause]"
"[user_data][xml_name]" => "[wmi][xmloperation]" # Should always be "Operation_ESStoConsumerBinding"
}
}
}
# Common to all events
mutate {
convert => {
"[process][id]" => "integer"
}
}
}
}

17
logstash/pipeline/55-wmiactivity-output.conf Normal file
View File

@ -0,0 +1,17 @@
# HELK winevent-security output conf file
# HELK build version: 0.9 (BETA)
# HELK ELK version: 6.x
# Author: Lee Christensen (@tifkin_)
# License: BSD 3-Clause
output {
if [log_name] == "Microsoft-Windows-WMI-Activity/Operational"{
elasticsearch {
hosts => ["127.0.0.1:9200"]
index => "winevent-wmiactivity-%{+YYYY.MM.dd}"
template => "/opt/helk/output_templates/winevent-wmiactivity-template.json"
template_name => "winevent-wmiactivity"
template_overwrite => true
}
}
}

4
scripts/helk_kibana_setup.sh
View File

@ -20,7 +20,7 @@ DEFAULT_INDEX="sysmon-*"
DIR=/opt/helk/dashboards
# *********** Setting Index Pattern Array ***************
declare -a index_patterns=("*" "sysmon-*" "winevent-security-*" "winevent-system-*" "winevent-application-*" "powershell-*")
declare -a index_patterns=("*" "sysmon-*" "winevent-security-*" "winevent-system-*" "winevent-application-*" "winevent-wmiactivity-*" "powershell-*")
# *********** Waiting for Kibana to be available ***************
until curl -s localhost:5601 -o /dev/null; do
@ -46,4 +46,4 @@ do
curl -XPOST "$KIBANA/api/kibana/dashboards/import" -H 'kbn-xsrf:true' \
-H 'Content-type:application/json' -d @${file} || exit 1
echo
done
done

2
winlogbeat/winlogbeat.yml
View File

@ -25,6 +25,8 @@ winlogbeat.event_logs:
- name: Microsoft-windows-sysmon/operational
- name: Microsoft-windows-PowerShell/Operational
event_id: 4103, 4104
- name: Microsoft-Windows-WMI-Activity/Operational
event_id: 5857,5858,5859,5860,5861
#==================== Elasticsearch template setting ==========================