diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 4eb9016f8620..5b1fcfe5fb0e 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -96,6 +96,11 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Winlogbeat* +- Fix message handling in the experimental api. {issue}19338[19338] {pull}41730[41730] +- Sync missing changes in modules pipelines. {pull}42619[42619] +- Reset EventLog if error EOF is encountered. {pull}42826[42826] +- Implement backoff on error retrial. {pull}42826[42826] +- Fix boolean key in security pipelines and sync pipelines with integration. {pull}43027[43027] *Functionbeat* diff --git a/x-pack/winlogbeat/module/powershell/ingest/powershell.yml b/x-pack/winlogbeat/module/powershell/ingest/powershell.yml new file mode 100644 index 000000000000..7cde92f7cb04 --- /dev/null +++ b/x-pack/winlogbeat/module/powershell/ingest/powershell.yml 
@@ -0,0 +1,495 @@ +--- +description: Pipeline for Windows Powershell events +processors: + - kv: + description: Split Event 800 event data fields. + field: winlog.event_data.param2 + target_field: winlog.event_data + field_split: "\n\t" + trim_key: "\n\t" + trim_value: "\n\t" + value_split: "=" + if: ctx.winlog?.event_id == "800" + - script: + description: |- + Split Events 4xx and 600 event data fields. + Some events can contain multiline values containing also '\n', '\s', and '=' characters, + for this reason a simple KV processor is not reliable enough and we need a more specific parsing. + lang: painless + if: ctx.winlog?.event_id != "800" && ctx.winlog?.event_data?.param3 != null + params: + field: param3 + source: |- + def p = ctx.winlog?.event_data[params["field"]]; + // Define the pattern that will match all keys + def pat = /(^|(^[\n]?))?\t([^\s\W]+)=/m; + def m = pat.matcher(p); + + // we position ourselves in the first matching key + m.find(); + def key = m.group(3).trim(); + def previousEnd = m.end(); + + // while new keys are found, we add everything between one key and the next + // as the value, regardless of its contents + while(m.find()) + { + ctx.winlog.event_data[key] = p.substring(previousEnd, m.start()).trim(); + previousEnd = m.end(); + key = m.group(3).trim(); + } + + // add remaining value + ctx.winlog.event_data[key] = p.substring(previousEnd).trim(); + + ## ECS and Event fields. 
+ + - set: + field: ecs.version + value: '8.17.0' + - set: + field: log.level + copy_from: winlog.level + ignore_empty_value: true + ignore_failure: true + if: ctx.winlog?.level != "" + - date: + field: winlog.time_created + tag: "time_created_date" + formats: + - ISO8601 + if: ctx.winlog?.time_created != null + on_failure: + - remove: + field: winlog.time_created + ignore_failure: true + - append: + field: error.message + value: "fail-{{{ _ingest.on_failure_processor_tag }}}" + - fail: + message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" + - set: + field: event.module + value: powershell + - set: + field: event.kind + value: event + - set: + field: event.code + value: '{{winlog.event_id}}' + - set: + field: event.category + value: ["process"] + - set: + field: event.type + value: ["start"] + if: ctx.event.code == "400" + - set: + field: event.type + value: ["end"] + if: ctx.event.code == "403" + - set: + field: event.type + value: ["info"] + if: ctx.event?.type == null + - convert: + field: winlog.event_data.SequenceNumber + target_field: event.sequence + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: winlog.record_id + type: string + ignore_failure: true + ignore_missing: true + + ## Process fields. + + - rename: + field: winlog.event_data.HostId + target_field: process.entity_id + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.HostId != "" + - rename: + field: winlog.event_data.HostApplication + target_field: process.command_line + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.HostApplication != "" + - rename: + field: winlog.event_data.HostName + target_field: process.title + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.HostName != "" + + ## User fields. 
+ + - split: + field: winlog.event_data.UserId + target_field: "_temp.user_parts" + separator: '\\' + if: ctx.winlog?.event_data?.UserId != null + - set: + field: user.domain + value: "{{_temp.user_parts.0}}" + ignore_failure: true + ignore_empty_value: true + if: ctx._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + - set: + field: user.name + value: "{{_temp.user_parts.1}}" + ignore_failure: true + ignore_empty_value: true + if: ctx._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + - append: + field: related.user + value: "{{user.name}}" + ignore_failure: true + allow_duplicates: false + if: ctx.user?.name != null + # Get user details from the translate_sid processor enrichment + # if they are available and we don't already have them. + - rename: + field: winlog.event_data._MemberUserName + target_field: user.name + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data._MemberDomain + target_field: user.domain + ignore_failure: true + ignore_missing: true + - append: + value: '{{{winlog.event_data._MemberAccountType}}}' + field: user.roles + ignore_failure: true + allow_duplicates: false + if: ctx.winlog?.event_data?._MemberAccountType != null + - remove: + field: winlog.event_data._MemberAccountType + ignore_missing: true + ignore_failure: true + if: ctx.user?.roles != null && ctx.winlog?.event_data?._MemberAccountType != null && ctx.user.roles.contains(ctx.winlog.event_data._MemberAccountType) + + ## PowerShell fields. 
+ + - rename: + field: winlog.event_data.NewEngineState + target_field: powershell.engine.new_state + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.NewEngineState != "" + - rename: + field: winlog.event_data.PreviousEngineState + target_field: powershell.engine.previous_state + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.PreviousEngineState != "" + - rename: + field: winlog.event_data.NewProviderState + target_field: powershell.provider.new_state + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.NewProviderState != "" + - rename: + field: winlog.event_data.ProviderName + target_field: powershell.provider.name + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.ProviderName != "" + - convert: + field: winlog.event_data.DetailTotal + target_field: powershell.total + type: long + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.DetailTotal != "" + - convert: + field: winlog.event_data.DetailSequence + target_field: powershell.sequence + type: long + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.DetailSequence != "" + - rename: + field: winlog.event_data.EngineVersion + target_field: powershell.engine.version + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.EngineVersion != "" + - rename: + field: winlog.event_data.PipelineId + target_field: powershell.pipeline_id + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.PipelineId != "" + - rename: + field: winlog.event_data.RunspaceId + target_field: powershell.runspace_id + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.RunspaceId != "" + - rename: + field: winlog.event_data.HostVersion + target_field: powershell.process.executable_version + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.HostVersion != "" + - rename: + field: winlog.event_data.CommandLine + 
target_field: powershell.command.value + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.CommandLine != "" + - rename: + field: winlog.event_data.CommandPath + target_field: powershell.command.path + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.CommandPath != "" + - rename: + field: winlog.event_data.CommandName + target_field: powershell.command.name + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.CommandName != "" + - rename: + field: winlog.event_data.CommandType + target_field: powershell.command.type + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.CommandType != "" + + - split: + description: Split Event 800 command invocation details. + field: winlog.event_data.param3 + separator: "\n" + ignore_failure: true + ignore_missing: true + if: ctx.event.code == "800" + - script: + description: |- + Parses all command invocation detail raw lines, and converts them to an object, based on their type. + - for unexpectedly formatted ones: {value: "the raw line as it is"} + - for all: + * related_command: describes to what command it is related to + * value: the value for that detail line + * type: the type of the detail line, i.e.: CommandInvocation, ParameterBinding, NonTerminatingError + - additionally, ParameterBinding adds a `name` field with the parameter name being bound. 
+ lang: painless + if: ctx.event.code == "800" + params: + field: param3 + source: |- + def parseRawDetail(String raw) { + Pattern detailRegex = /^([^:(]+)\(([^)]+)\)\:\s*(.+)?$/; + Pattern parameterBindingRegex = /name\=(.+);\s*value\=(.+)$/; + + def matcher = detailRegex.matcher(raw); + if (!matcher.matches()) { + return ["value": raw]; + } + def matches = new ArrayList(); + for (def i = 0; i <= matcher.groupCount(); i++) { + matches.add(matcher.group(i)); + } + + if (matches.length != 4) { + return ["value": raw]; + } + + if (matches[1] != "ParameterBinding") { + return [ + "type": matches[1], + "related_command": matches[2], + "value": matches[3] + ]; + } + + matcher = parameterBindingRegex.matcher(matches[3]); + if (!matcher.matches()) { + return ["value": matches[4]]; + } + def nameValMatches = new ArrayList(); + for (def i = 0; i <= matcher.groupCount(); i++) { + nameValMatches.add(matcher.group(i)); + } + if (nameValMatches.length !== 3) { + return ["value": matches[3]]; + } + + return [ + "type": matches[1], + "related_command": matches[2], + "name": nameValMatches[1], + "value": nameValMatches[2] + ]; + } + + if (ctx._temp == null) { + ctx._temp = new HashMap(); + } + + if (ctx._temp.details == null) { + ctx._temp.details = new ArrayList(); + } + + def values = ctx.winlog?.event_data[params["field"]]; + if (values != null && values.length > 0) { + for (v in values) { + ctx._temp.details.add(parseRawDetail(v)); + } + } + - rename: + field: _temp.details + target_field: powershell.command.invocation_details + if: ctx._temp?.details != null && ctx._temp?.details.length > 0 + + - script: + description: Implements Windows-like SplitCommandLine + lang: painless + if: ctx.process?.command_line != null && ctx.process.command_line != "" + source: |- + // appendBSBytes appends n '\\' bytes to b and returns the resulting slice. 
+ def appendBSBytes(StringBuilder b, int n) { + for (; n > 0; n--) { + b.append('\\'); + } + return b; + } + + // readNextArg splits command line string cmd into next + // argument and command line remainder. + def readNextArg(String cmd) { + def b = new StringBuilder(); + boolean inquote; + int nslash; + for (; cmd.length() > 0; cmd = cmd.substring(1)) { + def c = cmd.charAt(0); + if (c == (char)' ' || c == (char)0x09) { + if (!inquote) { + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": cmd.substring(1) + ]; + } + } else if (c == (char)'"') { + b = appendBSBytes(b, nslash/2); + if (nslash%2 == 0) { + // use "Prior to 2008" rule from + // http://daviddeley.com/autohotkey/parameters/parameters.htm + // section 5.2 to deal with double double quotes + if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') { + b.append(c); + cmd = cmd.substring(1); + } + inquote = !inquote; + } else { + b.append(c); + } + nslash = 0; + continue; + } else if (c == (char)'\\') { + nslash++; + continue; + } + b = appendBSBytes(b, nslash); + nslash = 0; + b.append(c); + } + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": '' + ]; + } + + // commandLineToArgv splits a command line into individual argument + // strings, following the Windows conventions documented + // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV + // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1 + def commandLineToArgv(String cmd) { + def args = new ArrayList(); + while (cmd.length() > 0) { + if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) { + cmd = cmd.substring(1); + continue; + } + def next = readNextArg(cmd); + cmd = next.rest; + args.add(next.arg); + } + return args; + } + + ctx.process.args = commandLineToArgv(ctx.process.command_line); + ctx.process.args_count = ctx.process.args.length; + + - script: + description: Adds file information. 
+ lang: painless + if: ctx.winlog?.event_data?.ScriptName != null && ctx.winlog.event_data.ScriptName.length() > 1 + source: |- + def path = ctx.winlog.event_data.ScriptName; + def idx = path.lastIndexOf("\\"); + if (idx > -1) { + if (ctx.file == null) { + ctx.file = new HashMap(); + } + ctx.file.name = path.substring(idx+1); + ctx.file.directory = path.substring(0, idx); + + def extIdx = path.lastIndexOf("."); + if (extIdx > -1) { + ctx.file.extension = path.substring(extIdx+1); + } + } + - rename: + field: winlog.event_data.ScriptName + target_field: file.path + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.ScriptName != "" + + - convert: + field: error.code + type: string + ignore_missing: true + + ## Cleanup. + + - remove: + field: + - _temp + - winlog.event_data.param1 + - winlog.event_data.param2 + - winlog.event_data.param3 + - winlog.event_data.SequenceNumber + - winlog.event_data.DetailTotal + - winlog.event_data.DetailSequence + - winlog.event_data.UserId + - winlog.time_created + - winlog.level + ignore_missing: true + ignore_failure: true + - script: + description: Remove all empty values from event_data. + lang: painless + source: ctx.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("")); + if: ctx.winlog?.event_data != null + - remove: + description: Remove empty event data. + field: winlog.event_data + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data != null && ctx.winlog.event_data.size() == 0 + +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: "{{{ _ingest.on_failure_message }}}" diff --git a/x-pack/winlogbeat/module/powershell/ingest/powershell_operational.yml b/x-pack/winlogbeat/module/powershell/ingest/powershell_operational.yml new file mode 100644 index 000000000000..a514f85b5fb7 --- /dev/null +++ b/x-pack/winlogbeat/module/powershell/ingest/powershell_operational.yml 
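Review bot: In the `parseRawDetail` helper of the "Parses all command invocation detail raw lines" script, the fallback `return ["value": matches[4]];` indexes past the end of `matches`, which holds exactly four elements (groups 0–3) once the `matches.length != 4` guard has passed, so a ParameterBinding line whose payload does not match `parameterBindingRegex` throws an index error and the whole event is tagged pipeline_error instead of degrading to a raw value; the sibling fallback a few statements later uses `matches[3]`, and this one should too: `return ["value": matches[3]];`. The same helper is copied verbatim into powershell_operational.yml below and needs the same fix. Separately, the "Split Events 4xx and 600 event data fields" script calls `m.find()` without checking its result before `m.group(3)`, so a param3 value with no `\t<key>=` prefix raises an IllegalStateException rather than leaving the field untouched; a guard such as `if (!m.find()) { return; }` before the first `group(3)` keeps those events flowing with param3 intact.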
@@ -0,0 +1,556 @@ +--- +description: Pipeline for Windows Powershell/Operational events +processors: + - kv: + description: Split Event 4103 event data fields. + field: winlog.event_data.ContextInfo + target_field: winlog.event_data + field_split: "\n" + trim_key: " \n\t" + trim_value: " \n\t" + value_split: "[:=]" + if: ctx.winlog?.event_id == "4103" + - script: + description: Remove spaces from all event_data keys. + lang: painless + if: ctx.winlog?.event_data != null + source: |- + def newEventData = new HashMap(); + for (entry in ctx.winlog.event_data.entrySet()) { + def newKey = /\s/.matcher(entry.getKey().toString()).replaceAll(""); + newEventData.put(newKey, entry.getValue()); + } + ctx.winlog.event_data = newEventData; + + ## ECS and Event fields. + + - set: + field: ecs.version + value: '8.17.0' + - set: + field: log.level + copy_from: winlog.level + ignore_empty_value: true + ignore_failure: true + if: ctx.winlog?.level != "" + - date: + field: winlog.time_created + tag: "time_created_date" + formats: + - ISO8601 + if: ctx.winlog?.time_created != null + on_failure: + - remove: + field: winlog.time_created + ignore_failure: true + - append: + field: error.message + value: "fail-{{{ _ingest.on_failure_processor_tag }}}" + - fail: + message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" + - set: + field: event.module + value: powershell + - set: + field: event.kind + value: event + - set: + field: event.code + value: '{{winlog.event_id}}' + - set: + field: event.category + value: ["process"] + - set: + field: event.type + value: ["start"] + if: ctx.event.code == "4105" + - set: + field: event.type + value: ["end"] + if: ctx.event.code == "4106" + - set: + field: event.type + value: ["info"] + if: ctx.event?.type == null + - convert: + field: winlog.event_data.SequenceNumber + target_field: event.sequence + 
type: long + ignore_failure: true + ignore_missing: true + - convert: + field: winlog.record_id + type: string + ignore_failure: true + ignore_missing: true + + ## Process fields. + + - rename: + field: winlog.event_data.HostID + target_field: process.entity_id + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.HostID != "" + - rename: + field: winlog.event_data.HostApplication + target_field: process.command_line + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.HostApplication != "" + - rename: + field: winlog.event_data.HostName + target_field: process.title + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.HostName != "" + + ## User fields. + + - set: + field: user.id + copy_from: winlog.user.identifier + ignore_failure: true + ignore_empty_value: true + - split: + field: winlog.event_data.User + target_field: "_temp.user_parts" + separator: '\\' + if: ctx.winlog?.event_data?.User != null + - set: + field: user.domain + value: "{{_temp.user_parts.0}}" + ignore_failure: true + ignore_empty_value: true + if: ctx._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + - set: + field: user.name + value: "{{_temp.user_parts.1}}" + ignore_failure: true + ignore_empty_value: true + if: ctx._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + - append: + field: related.user + value: "{{user.name}}" + ignore_failure: true + allow_duplicates: false + if: ctx.user?.name != null + - split: + field: winlog.event_data.ConnectedUser + target_field: "_temp.connected_user_parts" + separator: '\\' + if: ctx.winlog?.event_data?.ConnectedUser != null + - set: + field: source.user.domain + value: "{{_temp.connected_user_parts.0}}" + ignore_failure: true + ignore_empty_value: true + if: ctx._temp?.connected_user_parts != null && ctx._temp.connected_user_parts.size() == 2 + - set: + field: source.user.name + value: "{{_temp.connected_user_parts.1}}" + ignore_failure: true + 
ignore_empty_value: true + if: ctx._temp?.connected_user_parts != null && ctx._temp.connected_user_parts.size() == 2 + - append: + field: related.user + value: "{{source.user.name}}" + ignore_failure: true + allow_duplicates: false + if: ctx.source?.user?.name != null + - rename: + field: user.domain + target_field: destination.user.domain + ignore_failure: true + ignore_missing: true + if: ctx.source?.user != null + - rename: + field: user.name + target_field: destination.user.name + ignore_failure: true + ignore_missing: true + if: ctx.source?.user != null + - set: + field: user.domain + copy_from: source.user.domain + ignore_failure: true + ignore_empty_value: true + if: ctx.source?.user != null + - set: + field: user.name + copy_from: source.user.name + ignore_failure: true + ignore_empty_value: true + if: ctx.source?.user != null + # Get user details from the translate_sid processor enrichment + # if they are available and we don't already have them. + - rename: + field: winlog.event_data._MemberUserName + target_field: user.name + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data._MemberDomain + target_field: user.domain + ignore_failure: true + ignore_missing: true + - append: + value: '{{{winlog.event_data._MemberAccountType}}}' + field: user.roles + ignore_failure: true + allow_duplicates: false + if: ctx.winlog?.event_data?._MemberAccountType != null + - remove: + field: winlog.event_data._MemberAccountType + ignore_missing: true + ignore_failure: true + if: ctx.user?.roles != null && ctx.winlog?.event_data?._MemberAccountType != null && ctx.user.roles.contains(ctx.winlog.event_data._MemberAccountType) + + ## PowerShell fields. 
+ + - convert: + field: winlog.event_data.MessageNumber + target_field: powershell.sequence + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: winlog.event_data.MessageTotal + target_field: powershell.total + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.ShellID + target_field: powershell.id + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.ShellID != "" + - rename: + field: winlog.event_data.EngineVersion + target_field: powershell.engine.version + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.EngineVersion != "" + - rename: + field: winlog.event_data.PipelineID + target_field: powershell.pipeline_id + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.PipelineID != "" + - rename: + field: winlog.event_data.RunspaceID + target_field: powershell.runspace_id + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.RunspaceID != "" + - rename: + field: winlog.event_data.RunspaceId + target_field: powershell.runspace_id + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.RunspaceId != "" + - rename: + field: winlog.event_data.HostVersion + target_field: powershell.process.executable_version + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.HostVersion != "" + - rename: + field: winlog.event_data.CommandLine + target_field: powershell.command.value + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.CommandLine != "" + - rename: + field: winlog.event_data.CommandPath + target_field: powershell.command.path + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.CommandPath != "" + - rename: + field: winlog.event_data.CommandName + target_field: powershell.command.name + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.CommandName != "" + - rename: + field: 
winlog.event_data.CommandType + target_field: powershell.command.type + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.CommandType != "" + - rename: + field: winlog.event_data.ScriptBlockId + target_field: powershell.file.script_block_id + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.ScriptBlockId != "" + - rename: + field: winlog.event_data.ScriptBlockText + target_field: powershell.file.script_block_text + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.ScriptBlockText != "" + - trim: + field: powershell.file.script_block_text + ignore_missing: true + - dissect: + field: powershell.file.script_block_text + pattern: "# SIG # Begin signature block%{powershell.file.script_block_signature}# SIG # End signature block" + ignore_missing: true + ignore_failure: true + - gsub: + field: powershell.file.script_block_signature + pattern: "\\n# " + replacement: "" + ignore_missing: true + - gsub: + field: powershell.file.script_block_text + target_field: _temp.script_block_no_space + pattern: "\\s" + replacement: "" + ignore_missing: true + - fingerprint: + fields: + - _temp.script_block_no_space + target_field: powershell.file.script_block_hash + ignore_missing: true + + - split: + description: Split Event 4103 command invocation details. + field: winlog.event_data.Payload + separator: "\n" + ignore_failure: true + ignore_missing: true + if: ctx.event.code == "4103" + - script: + description: |- + Parses all command invocation detail raw lines, and converts them to an object, based on their type. + - for unexpectedly formatted ones: {value: "the raw line as it is"} + - for all: + * related_command: describes to what command it is related to + * value: the value for that detail line + * type: the type of the detail line, i.e.: CommandInvocation, ParameterBinding, NonTerminatingError + - additionally, ParameterBinding adds a `name` field with the parameter name being bound. 
+ lang: painless + if: ctx.event.code == "4103" + params: + field: Payload + source: |- + def parseRawDetail(String raw) { + Pattern detailRegex = /^([^(]+)\(([^)]+)\)\:\s*(.+)?$/; + Pattern parameterBindingRegex = /name\=(.+);\s*value\=(.+)$/; + + def matcher = detailRegex.matcher(raw); + if (!matcher.matches()) { + return ["value": raw]; + } + def matches = new ArrayList(); + for (def i = 0; i <= matcher.groupCount(); i++) { + matches.add(matcher.group(i)); + } + + if (matches.length != 4) { + return ["value": raw]; + } + + if (matches[1] != "ParameterBinding") { + return [ + "type": matches[1], + "related_command": matches[2], + "value": matches[3] + ]; + } + + matcher = parameterBindingRegex.matcher(matches[3]); + if (!matcher.matches()) { + return ["value": matches[4]]; + } + def nameValMatches = new ArrayList(); + for (def i = 0; i <= matcher.groupCount(); i++) { + nameValMatches.add(matcher.group(i)); + } + if (nameValMatches.length !== 3) { + return ["value": matches[3]]; + } + + return [ + "type": matches[1], + "related_command": matches[2], + "name": nameValMatches[1], + "value": nameValMatches[2] + ]; + } + + if (ctx._temp == null) { + ctx._temp = new HashMap(); + } + + if (ctx._temp.details == null) { + ctx._temp.details = new ArrayList(); + } + + def values = ctx.winlog?.event_data[params["field"]]; + if (values != null && values.length > 0) { + for (v in values) { + ctx._temp.details.add(parseRawDetail(v)); + } + } + - rename: + field: _temp.details + target_field: powershell.command.invocation_details + if: ctx._temp?.details != null && ctx._temp?.details.length > 0 + + - script: + description: Implements Windows-like SplitCommandLine + lang: painless + if: ctx.process?.command_line != null && ctx.process.command_line != "" + source: |- + // appendBSBytes appends n '\\' bytes to b and returns the resulting slice. 
+ def appendBSBytes(StringBuilder b, int n) { + for (; n > 0; n--) { + b.append('\\'); + } + return b; + } + + // readNextArg splits command line string cmd into next + // argument and command line remainder. + def readNextArg(String cmd) { + def b = new StringBuilder(); + boolean inquote; + int nslash; + for (; cmd.length() > 0; cmd = cmd.substring(1)) { + def c = cmd.charAt(0); + if (c == (char)' ' || c == (char)0x09) { + if (!inquote) { + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": cmd.substring(1) + ]; + } + } else if (c == (char)'"') { + b = appendBSBytes(b, nslash/2); + if (nslash%2 == 0) { + // use "Prior to 2008" rule from + // http://daviddeley.com/autohotkey/parameters/parameters.htm + // section 5.2 to deal with double double quotes + if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') { + b.append(c); + cmd = cmd.substring(1); + } + inquote = !inquote; + } else { + b.append(c); + } + nslash = 0; + continue; + } else if (c == (char)'\\') { + nslash++; + continue; + } + b = appendBSBytes(b, nslash); + nslash = 0; + b.append(c); + } + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": '' + ]; + } + + // commandLineToArgv splits a command line into individual argument + // strings, following the Windows conventions documented + // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV + // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1 + def commandLineToArgv(String cmd) { + def args = new ArrayList(); + while (cmd.length() > 0) { + if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) { + cmd = cmd.substring(1); + continue; + } + def next = readNextArg(cmd); + cmd = next.rest; + args.add(next.arg); + } + return args; + } + + ctx.process.args = commandLineToArgv(ctx.process.command_line); + ctx.process.args_count = ctx.process.args.length; + + - rename: + field: winlog.event_data.Path + target_field: 
winlog.event_data.ScriptName + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.Path != "" + - script: + description: Adds file information. + lang: painless + if: ctx.winlog?.event_data?.ScriptName != null && ctx.winlog.event_data.ScriptName.length() > 1 + source: |- + def path = ctx.winlog.event_data.ScriptName; + def idx = path.lastIndexOf("\\"); + if (idx > -1) { + if (ctx.file == null) { + ctx.file = new HashMap(); + } + ctx.file.name = path.substring(idx+1); + ctx.file.directory = path.substring(0, idx); + + def extIdx = path.lastIndexOf("."); + if (extIdx > -1) { + ctx.file.extension = path.substring(extIdx+1); + } + } + - rename: + field: winlog.event_data.ScriptName + target_field: file.path + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.ScriptName != "" + + - convert: + field: error.code + type: string + ignore_missing: true + + ## Cleanup. + + - remove: + field: + - _temp + - winlog.event_data.SequenceNumber + - winlog.event_data.User + - winlog.event_data.ConnectedUser + - winlog.event_data.ContextInfo + - winlog.event_data.Severity + - winlog.event_data.MessageTotal + - winlog.event_data.MessageNumber + - winlog.event_data.Payload + - winlog.time_created + - winlog.level + ignore_missing: true + ignore_failure: true + - script: + description: Remove all empty values from event_data. + lang: painless + source: ctx.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("")); + if: ctx.winlog?.event_data != null + - remove: + description: Remove empty event data. + field: winlog.event_data + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data != null && ctx.winlog.event_data.size() == 0 + +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: "{{{ _ingest.on_failure_message }}}" 
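Review bot: `powershell.file.script_block_hash` is a fingerprint of `_temp.script_block_no_space`, i.e. the script block with every `\s` character removed by the preceding gsub, and neither the gsub nor the fingerprint processor carries a `description` saying so; anyone correlating this field with a hash of the raw `ScriptBlockText`, or with hashes reported by other tooling, will get no match and no hint why. A `description:` on the fingerprint processor such as `Hash of the script block text with all whitespace removed; it will not equal a hash of the raw ScriptBlockText.` would record the intent next to the field. If the processor's default `method` is being relied on, pinning `method:` explicitly alongside that description makes the value reproducible outside this pipeline.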
diff --git a/x-pack/winlogbeat/module/routing/ingest/routing.yml b/x-pack/winlogbeat/module/routing/ingest/routing.yml
new file mode 100644
index 000000000000..945408bed4c8
--- /dev/null
+++ b/x-pack/winlogbeat/module/routing/ingest/routing.yml
@@ -0,0 +1,64 @@ +--- +description: Winlogbeat Routing Pipeline +processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + - pipeline: + name: '{< IngestPipeline "security" >}' + if: ctx.winlog?.channel instanceof String && ctx.winlog.channel.toLowerCase() == 'security' && ['Microsoft-Windows-Eventlog', 'Microsoft-Windows-Security-Auditing'].contains(ctx.winlog?.provider_name) + - pipeline: + name: '{< IngestPipeline "sysmon" >}' + if: ctx.winlog?.channel instanceof String && ctx.winlog.channel.toLowerCase() == 'microsoft-windows-sysmon/operational' + - pipeline: + name: '{< IngestPipeline "powershell" >}' + if: ctx.winlog?.channel instanceof String && ctx.winlog.channel.toLowerCase() == 'windows powershell' + - pipeline: + name: '{< IngestPipeline "powershell_operational" >}' + if: ctx.winlog?.channel instanceof String && ctx.winlog.channel.toLowerCase() == 'microsoft-windows-powershell/operational' + + - set: + field: host.os.type + value: windows + override: false + - set: + field: host.os.family + value: windows + override: false + + # Get user details from the translate_sid processor enrichment + # if they are available and we don't already have them. 
+ - rename: + field: winlog.event_data._MemberUserName + target_field: user.name + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data._MemberDomain + target_field: user.domain + ignore_failure: true + ignore_missing: true + - append: + value: '{{{winlog.event_data._MemberAccountType}}}' + field: user.roles + ignore_failure: true + allow_duplicates: false + if: ctx.winlog?.event_data?._MemberAccountType != null + - remove: + field: winlog.event_data._MemberAccountType + ignore_missing: true + ignore_failure: true + if: ctx.user?.roles != null && ctx.winlog?.event_data?._MemberAccountType != null && ctx.user.roles.contains(ctx.winlog.event_data._MemberAccountType) + + - convert: + field: error.code + type: string + ignore_missing: true + +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: "{{{ _ingest.on_failure_message }}}" diff --git a/x-pack/winlogbeat/module/security/ingest/security.yml b/x-pack/winlogbeat/module/security/ingest/security.yml new file mode 100644 index 000000000000..ccbb522879ef --- /dev/null +++ b/x-pack/winlogbeat/module/security/ingest/security.yml 
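Review bot: The `_MemberUserName`/`_MemberDomain`/`_MemberAccountType` rename-and-append block at the end of this routing pipeline is a verbatim copy of the block inside powershell.yml and powershell_operational.yml, which already ran via the `pipeline` processors above, so for those two channels this copy only ever sees already-moved fields and is a no-op thanks to `ignore_missing`. Keeping the block in one place, here after routing, and dropping it from the sub-pipelines would stop the copies drifting; the powershell pipelines build `related.user` before their copy runs, so they do not appear to depend on it, though the security pipeline is not fully visible here and may. If the duplication is deliberate, a one-line comment above this block such as `# Duplicated in the channel pipelines; keep in sync.` would at least flag it for the next edit.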
@@ -0,0 +1,88 @@
+---
+description: Pipeline for Security events
+processors:
+  - set:
+      field: event.module
+      value: security
+  - convert:
+      field: event.code
+      type: string
+      ignore_missing: true
+  - pipeline:
+      name: '{< IngestPipeline "security_standard" >}'
+      if: 'ctx.winlog?.provider_name != null && ["Microsoft-Windows-Eventlog", "Microsoft-Windows-Security-Auditing"].contains(ctx.winlog.provider_name)'
+  - gsub:
+      field: source.ip
+      pattern: '^\[?::ffff:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)(?:\](?::[0-9]+)?)?$'
+      replacement: '$1'
+      ignore_missing: true
+  - geoip:
+      field: source.ip
+      target_field: source.geo
+      ignore_missing: true
+  - geoip:
+      database_file: GeoLite2-ASN.mmdb
+      field: source.ip
+      target_field: source.as
+      properties:
+        - asn
+        - organization_name
+      ignore_missing: true
+  - rename:
+      field: source.as.asn
+      target_field: source.as.number
+      ignore_missing: true
+  - rename:
+      field: source.as.organization_name
+      target_field: source.as.organization.name
+      ignore_missing: true
+  - append:
+      field: related.ip
+      value: '{{source.ip}}'
+      allow_duplicates: false
+      if: |-
+        ctx.source?.ip != null &&
+        ctx.source.ip != "-"
+  - convert:
+      field: winlog.record_id
+      type: string
+      ignore_missing: true
+  - convert:
+      field: winlog.event_id
+      type: string
+      ignore_missing: true
+  - set:
+      field: ecs.version
+      value: '8.17.0'
+  - set:
+      field: log.level
+      copy_from: winlog.level
+      ignore_empty_value: true
+      ignore_failure: true
+      if: ctx.winlog?.level != ""
+  - date:
+      field: winlog.time_created
+      tag: "time_created_date"
+      formats:
+        - ISO8601
+      if: ctx.winlog?.time_created != null
+      on_failure:
+        - remove:
+            field: winlog.time_created
+            ignore_failure: true
+        - append:
+            field: error.message
+            value: "fail-{{{ _ingest.on_failure_processor_tag }}}"
+        - fail:
+            message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}"
+  - convert:
+      field: error.code
+      type: string
+      ignore_missing: true
+on_failure:
+  - set:
+      field: event.kind
+      value: pipeline_error
+  - append:
+      field: error.message
+      value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/winlogbeat/module/security/ingest/security_standard.yml b/x-pack/winlogbeat/module/security/ingest/security_standard.yml
new file mode 100644
index 000000000000..68e74d61f1e1
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/ingest/security_standard.yml
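Review bot: The `append` to `related.ip` guards against `source.ip` holding the placeholder `"-"`, but the two `geoip` processors that run before it only set `ignore_missing: true`, and as far as I recall `geoip` does not skip a value that is not a valid IP literal but fails on it, which would send such an event through the top-level `on_failure` and tag it `pipeline_error`. If the `security_standard` pipeline, which this commit also adds but which lies mostly outside this hunk, already strips `"-"` values before control returns here, a comment above the first `geoip` such as `# source.ip placeholders ("-") are removed by security_standard before this point.` would make that dependency visible; otherwise adding `if: ctx.source?.ip != null && ctx.source.ip != "-"` to both `geoip` processors is the direct fix. Separately, the top-level `on_failure` renders `{{ _ingest.on_failure_message }}` while the routing pipeline in this same commit uses the unescaped form `{{{ _ingest.on_failure_message }}}`; using one form in both keeps `error.message` rendered identically whichever pipeline fails.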
@@ -0,0 +1,4248 @@ +--- +description: Pipeline for Windows Security events +processors: + - convert: + field: event.code + type: string + ignore_missing: true + - script: + lang: painless + ignore_failure: false + tag: Set ECS categorization fields + description: Set ECS categorization fields + params: + "1100": + category: + - process + type: + - end + action: logging-service-shutdown + "1102": + category: + - iam + type: + - admin + - change + action: audit-log-cleared + "1104": + category: + - iam + type: + - admin + action: logging-full + "1105": + category: + - iam + type: + - admin + action: auditlog-archieved + "1108": + category: + - iam + type: + - admin + action: logging-processing-error + "4610": + category: + - configuration + type: + - access + action: authentication-package-loaded + "4611": + category: + - configuration + type: + - change + action: trusted-logon-process-registered + "4614": + category: + - configuration + type: + - access + action: notification-package-loaded + "4616": + category: + - configuration + type: + - change + action: system-time-changed + "4622": + category: + - configuration + type: + - access + action: security-package-loaded + "4624": + category: + - authentication + type: + - start + action: logged-in + "4625": + category: + - authentication + type: + - start + action: logon-failed + "4634": + category: + - authentication + type: + - end + action: logged-out + "4647": + category: + - authentication + type: + - end + action: logged-out + "4648": + category: + - authentication + type: + - start + action: logged-in-explicit + "4657": + category: + - registry + - configuration + type: + - change + action: registry-value-modified + "4662": + category: + - iam + - configuration + type: + - admin + - change + action: object-operation-performed + "4670": + category: + - iam + - configuration + type: + - admin + - change + action: permissions-changed + "4672": + category: + - iam + type: + - admin + action: logged-in-special + 
"4673": + category: + - iam + type: + - admin + action: privileged-service-called + "4674": + category: + - iam + type: + - admin + action: privileged-operation + "4688": + category: + - process + type: + - start + action: created-process + "4689": + category: + - process + type: + - end + action: exited-process + "4697": + category: + - iam + - configuration + type: + - admin + - change + action: service-installed + "4698": + category: + - iam + - configuration + type: + - creation + - admin + action: scheduled-task-created + "4699": + category: + - iam + - configuration + type: + - deletion + - admin + action: scheduled-task-deleted + "4700": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-enabled + "4701": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-disabled + "4702": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-updated + "4706": + category: + - configuration + type: + - creation + action: domain-trust-added + "4707": + category: + - configuration + type: + - deletion + action: domain-trust-removed + "4713": + category: + - configuration + type: + - change + action: kerberos-policy-changed + "4714": + category: + - configuration + type: + - change + action: encrypted-data-recovery-policy-changed + "4715": + category: + - configuration + type: + - change + action: object-audit-policy-changed + "4716": + category: + - configuration + type: + - change + action: trusted-domain-information-changed + "4717": + category: + - iam + - configuration + type: + - admin + - change + action: system-security-access-granted + "4718": + category: + - iam + - configuration + type: + - admin + - deletion + action: system-security-access-removed + "4719": + category: + - iam + - configuration + type: + - admin + - change + action: changed-audit-config + "4720": + category: + - iam + type: + - user + - creation + action: added-user-account + 
"4722": + category: + - iam + type: + - user + - change + action: enabled-user-account + "4723": + category: + - iam + type: + - user + - change + action: changed-password + "4724": + category: + - iam + type: + - user + - change + action: reset-password + "4725": + category: + - iam + type: + - user + - deletion + action: disabled-user-account + "4726": + category: + - iam + type: + - user + - deletion + action: deleted-user-account + "4727": + category: + - iam + type: + - group + - creation + action: added-group-account + "4728": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4729": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4730": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4731": + category: + - iam + type: + - group + - creation + action: added-group-account + "4732": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4733": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4734": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4735": + category: + - iam + type: + - group + - change + action: modified-group-account + "4737": + category: + - iam + type: + - group + - change + action: modified-group-account + "4738": + category: + - iam + type: + - user + - change + action: modified-user-account + "4739": + category: + - configuration + type: + - change + action: domain-policy-changed + "4740": + category: + - iam + type: + - user + - change + action: locked-out-user-account + "4741": + category: + - iam + type: + - creation + - admin + action: added-computer-account + "4742": + category: + - iam + type: + - change + - admin + action: changed-computer-account + "4743": + category: + - iam + type: + - deletion + - admin + action: deleted-computer-account + "4744": + category: + - iam + type: + - group + - creation + action: 
added-distribution-group-account + "4745": + category: + - iam + type: + - group + - change + action: changed-distribution-group-account + "4746": + category: + - iam + type: + - group + - change + action: added-member-to-distribution-group + "4747": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4748": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4749": + category: + - iam + type: + - group + - creation + action: added-distribution-group-account + "4750": + category: + - iam + type: + - group + - change + action: changed-distribution-group-account + "4751": + category: + - iam + type: + - group + - change + action: added-member-to-distribution-group + "4752": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4753": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4754": + category: + - iam + type: + - group + - creation + action: added-group-account + "4755": + category: + - iam + type: + - group + - change + action: modified-group-account + "4756": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4757": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4758": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4759": + category: + - iam + type: + - group + - creation + action: added-distribution-group-account + "4760": + category: + - iam + type: + - group + - change + action: changed-distribution-group-account + "4761": + category: + - iam + type: + - group + - change + action: added-member-to-distribution-group + "4762": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4763": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4764": + category: + - iam 
+ type: + - group + - change + action: type-changed-group-account + "4767": + category: + - iam + type: + - user + - change + action: unlocked-user-account + "4768": + category: + - authentication + type: + - start + action: kerberos-authentication-ticket-requested + "4769": + category: + - authentication + type: + - start + action: kerberos-service-ticket-requested + "4770": + category: + - authentication + type: + - start + action: kerberos-service-ticket-renewed + "4771": + category: + - authentication + type: + - start + action: kerberos-preauth-failed + "4776": + category: + - authentication + type: + - start + action: credential-validated + "4778": + category: + - authentication + - session + type: + - start + action: session-reconnected + "4779": + category: + - authentication + - session + type: + - end + action: session-disconnected + "4781": + category: + - iam + type: + - user + - change + action: renamed-user-account + "4797": + category: + - iam + type: + - user + - info + action: query-existence-of-blank-password + "4798": + category: + - iam + type: + - user + - info + action: group-membership-enumerated + "4799": + category: + - iam + type: + - group + - info + action: user-member-enumerated + "4817": + category: + - iam + - configuration + type: + - admin + - change + action: object-audit-changed + "4902": + category: + - iam + - configuration + type: + - admin + - creation + action: user-audit-policy-created + "4904": + category: + - iam + - configuration + type: + - admin + - change + action: security-event-source-added + "4905": + category: + - iam + - configuration + type: + - admin + - deletion + action: security-event-source-removed + "4906": + category: + - iam + - configuration + type: + - admin + - change + action: crash-on-audit-changed + "4907": + category: + - iam + - configuration + type: + - admin + - change + action: audit-setting-changed + "4908": + category: + - iam + - configuration + type: + - admin + - change + action: 
special-group-table-changed + "4912": + category: + - iam + - configuration + type: + - admin + - change + action: per-user-audit-policy-changed + "4950": + category: + - configuration + type: + - change + action: windows-firewall-setting-changed + "4954": + category: + - configuration + type: + - change + action: windows-firewall-group-policy-changed + "4964": + category: + - iam + type: + - admin + - group + action: logged-in-special + "5024": + category: + - process + type: + - start + action: windows-firewall-service-started + "5025": + category: + - process + type: + - end + action: windows-firewall-service-stopped + "5033": + category: + - driver + type: + - start + action: windows-firewall-driver-started + "5034": + category: + - driver + type: + - end + action: windows-firewall-driver-stopped + "5037": + category: + - driver + type: + - end + action: windows-firewall-driver-error + "5136": + category: + - iam + - configuration + type: + - admin + - change + action: directory-service-object-modified + "5140": + category: + - network + - file + type: + - info + - access + action: network-share-object-accessed + "5145": + category: + - network + - file + type: + - info + - access + action: network-share-object-access-checked + "5379": + category: + - iam + type: + - user + - info + action: credential-manager-credentials-were-read + "5380": + category: + - iam + type: + - user + - info + action: vault-credential-find + "5381": + category: + - iam + type: + - user + - info + action: vault-credentials-were-read + "5382": + category: + - iam + type: + - user + - info + action: vault-credentials-were-read + source: |- + if (ctx.event?.code == null || params.get(ctx.event.code) == null) { + return; + } + params.get(ctx.event.code).forEach((k, v) -> { + if (v instanceof List) { + ctx.event[k] = new ArrayList(v); + } else { + ctx.event[k] = v; + } + }); + - script: + lang: painless + ignore_failure: false + tag: Set Logon Type + description: Set Logon Type + # Logon 
Types + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events + params: + "2": Interactive + "3": Network + "4": Batch + "5": Service + "7": Unlock + "8": NetworkCleartext + "9": NewCredentials + "10": RemoteInteractive + "11": CachedInteractive + source: |- + if (ctx.winlog?.event_data?.LogonType == null) { + return; + } + def t = params.get(ctx.winlog.event_data.LogonType); + if (t == null) { + return; + } + if (ctx.winlog?.logon == null ) { + Map map = new HashMap(); + ctx.winlog.put("logon", map); + } + ctx.winlog.logon.put("type", t) + - script: + lang: painless + ignore_failure: false + tag: Set User Account Control + description: Set User Account Control + # User Account Control Attributes Table + # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/4df07fab-1bbc-452f-8e92-7853a3c7e380 + params: + "0x00000001": USER_ACCOUNT_DISABLED + "0x00000002": USER_HOME_DIRECTORY_REQUIRED + "0x00000004": USER_PASSWORD_NOT_REQUIRED + "0x00000008": USER_TEMP_DUPLICATE_ACCOUNT + "0x00000010": USER_NORMAL_ACCOUNT + "0x00000020": USER_MNS_LOGON_ACCOUNT + "0x00000040": USER_INTERDOMAIN_TRUST_ACCOUNT + "0x00000080": USER_WORKSTATION_TRUST_ACCOUNT + "0x00000100": USER_SERVER_TRUST_ACCOUNT + "0x00000200": USER_DONT_EXPIRE_PASSWORD + "0x00000400": USER_ACCOUNT_AUTO_LOCKED + "0x00000800": USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED + "0x00001000": USER_SMARTCARD_REQUIRED + "0x00002000": USER_TRUSTED_FOR_DELEGATION + "0x00004000": USER_NOT_DELEGATED + "0x00008000": USER_USE_DES_KEY_ONLY + "0x00010000": USER_DONT_REQUIRE_PREAUTH + "0x00020000": USER_PASSWORD_EXPIRED + "0x00040000": USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION + "0x00080000": USER_NO_AUTH_DATA_REQUIRED + "0x00100000": USER_PARTIAL_SECRETS_ACCOUNT + "0x00200000": USER_USE_AES_KEYS + source: |- + if (ctx.winlog?.event_data == null) { + return; + } + if (ctx.winlog.event_data.NewUacValue == null || ctx.winlog.event_data.NewUacValue == "-") { + return; + } + 
Long newUacValue = Long.decode(ctx.winlog.event_data.NewUacValue); + ArrayList uacResult = new ArrayList(); + for (entry in params.entrySet()) { + Long flag = Long.decode(entry.getKey()); + if ((newUacValue.longValue() & flag.longValue()) == flag.longValue()) { + uacResult.add(entry.getValue()); + } + } + if (uacResult.length == 0) { + return; + } + ctx.winlog.event_data.put("NewUACList", uacResult); + if (ctx.winlog.event_data.UserAccountControl == null || ctx.winlog.event_data.UserAccountControl == "-") { + return; + } + ArrayList uac_array = new ArrayList(); + for (elem in ctx.winlog.event_data.UserAccountControl.splitOnToken((String)((char)0x0a))) { + def trimmed = elem.replace("%%","").trim(); + if (trimmed.length() > 0) { + uac_array.add(trimmed); + } + } + ctx.winlog.event_data.UserAccountControl = uac_array; + - script: + lang: painless + ignore_failure: false + tag: Set Kerberos Ticket Options + description: Set Kerberos Ticket Options + # Kerberos TGT and TGS Ticket Options + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769 + params: + "0x40000000": Forwardable + "0x20000000": Forwarded + "0x10000000": Proxiable + "0x08000000": Proxy + "0x04000000": Allow-postdate + "0x02000000": Postdated + "0x01000000": Invalid + "0x00800000": Renewable + "0x00400000": Initial + "0x00200000": Pre-authent + "0x00100000": Opt-hardware-auth + "0x00080000": Transited-policy-checked + "0x00040000": Ok-as-delegate + "0x00020000": Request-anonymous + "0x00010000": Name-canonicalize + "0x00000020": Disable-transited-check + "0x00000010": Renewable-ok + "0x00000008": Enc-tkt-in-skey + "0x00000002": Renew + "0x00000001": Validate + source: |- + if (ctx.winlog?.event_data?.TicketOptions == null) { + return; + } + Long tOpts = Long.decode(ctx.winlog.event_data.TicketOptions); + ArrayList tDescs = new ArrayList(); + for (entry in params.entrySet()) { + 
Long flag = Long.decode(entry.getKey()); + if ((tOpts.longValue() & flag.longValue()) == flag.longValue()) { + tDescs.add(entry.getValue()); + } + } + if (tDescs.length == 0) { + return; + } + ctx.winlog.event_data.put("TicketOptionsDescription", tDescs); + - script: + lang: painless + ignore_failure: false + tag: Set Kerberos Encryption Types + description: Set Kerberos Encryption Types + # Kerberos Encryption Types + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + params: + "0x1": DES-CBC-CRC + "0x3": DES-CBC-MD5 + "0x11": AES128-CTS-HMAC-SHA1-96 + "0x12": AES256-CTS-HMAC-SHA1-96 + "0x17": RC4-HMAC + "0x18": RC4-HMAC-EXP + "0xffffffff": FAIL + source: |- + if (ctx.winlog?.event_data?.TicketEncryptionType == null) { + return; + } + ctx.winlog.event_data.put("TicketEncryptionTypeDescription", + params[ctx.winlog.event_data.TicketEncryptionType.toLowerCase()]) + - script: + lang: painless + ignore_failure: false + tag: Set Kerberos Ticket Status Codes + # Kerberos Result Status Codes + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + description: Set Kerberos Ticket Status Codes + params: + "0x0": KDC_ERR_NONE + "0x1": KDC_ERR_NAME_EXP + "0x2": KDC_ERR_SERVICE_EXP + "0x3": KDC_ERR_BAD_PVNO + "0x4": KDC_ERR_C_OLD_MAST_KVNO + "0x5": KDC_ERR_S_OLD_MAST_KVNO + "0x6": KDC_ERR_C_PRINCIPAL_UNKNOWN + "0x7": KDC_ERR_S_PRINCIPAL_UNKNOWN + "0x8": KDC_ERR_PRINCIPAL_NOT_UNIQUE + "0x9": KDC_ERR_NULL_KEY + "0xA": KDC_ERR_CANNOT_POSTDATE + "0xB": KDC_ERR_NEVER_VALID + "0xC": KDC_ERR_POLICY + "0xD": KDC_ERR_BADOPTION + "0xE": KDC_ERR_ETYPE_NOTSUPP + "0xF": KDC_ERR_SUMTYPE_NOSUPP + "0x10": KDC_ERR_PADATA_TYPE_NOSUPP + "0x11": KDC_ERR_TRTYPE_NO_SUPP + "0x12": KDC_ERR_CLIENT_REVOKED + "0x13": KDC_ERR_SERVICE_REVOKED + 
"0x14": KDC_ERR_TGT_REVOKED + "0x15": KDC_ERR_CLIENT_NOTYET + "0x16": KDC_ERR_SERVICE_NOTYET + "0x17": KDC_ERR_KEY_EXPIRED + "0x18": KDC_ERR_PREAUTH_FAILED + "0x19": KDC_ERR_PREAUTH_REQUIRED + "0x1A": KDC_ERR_SERVER_NOMATCH + "0x1B": KDC_ERR_MUST_USE_USER2USER + "0x1F": KRB_AP_ERR_BAD_INTEGRITY + "0x20": KRB_AP_ERR_TKT_EXPIRED + "0x21": KRB_AP_ERR_TKT_NYV + "0x22": KRB_AP_ERR_REPEAT + "0x23": KRB_AP_ERR_NOT_US + "0x24": KRB_AP_ERR_BADMATCH + "0x25": KRB_AP_ERR_SKEW + "0x26": KRB_AP_ERR_BADADDR + "0x27": KRB_AP_ERR_BADVERSION + "0x28": KRB_AP_ERR_MSG_TYPE + "0x29": KRB_AP_ERR_MODIFIED + "0x2A": KRB_AP_ERR_BADORDER + "0x2C": KRB_AP_ERR_BADKEYVER + "0x2D": KRB_AP_ERR_NOKEY + "0x2E": KRB_AP_ERR_MUT_FAIL + "0x2F": KRB_AP_ERR_BADDIRECTION + "0x30": KRB_AP_ERR_METHOD + "0x31": KRB_AP_ERR_BADSEQ + "0x32": KRB_AP_ERR_INAPP_CKSUM + "0x33": KRB_AP_PATH_NOT_ACCEPTED + "0x34": KRB_ERR_RESPONSE_TOO_BIG + "0x3C": KRB_ERR_GENERIC + "0x3D": KRB_ERR_FIELD_TOOLONG + "0x3E": KDC_ERR_CLIENT_NOT_TRUSTED + "0x3F": KDC_ERR_KDC_NOT_TRUSTED + "0x40": KDC_ERR_INVALID_SIG + "0x41": KDC_ERR_KEY_TOO_WEAK + "0x42": KRB_AP_ERR_USER_TO_USER_REQUIRED + "0x43": KRB_AP_ERR_NO_TGT + "0x44": KDC_ERR_WRONG_REALM + source: |- + if (ctx.winlog?.event_data?.Status == null || + ctx.event?.code == null || + !["4768", "4769", "4770", "4771"].contains(ctx.event.code)) { + return; + } + ctx.winlog.event_data.put("StatusDescription", params[ctx.winlog.event_data.Status]); + - script: + lang: painless + ignore_failure: false + tag: Set Service Type and Name + description: Set Service Type and Name + # Services Types + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 + params: + "0x1": Kernel Driver + "0x2": File System Driver + "0x8": Recognizer Driver + "0x10": Win32 Own Process + "0x20": Win32 Share Process + "0x110": Interactive Own Process + "0x120": Interactive Share Process + source: |- + if (ctx.winlog?.event_data?.ServiceName != null) { + if (ctx.service == null) { 
+ HashMap hm = new HashMap(); + ctx.put("service", hm); + } + ctx.service.put("name", ctx.winlog.event_data.ServiceName); + } + if (ctx.winlog.event_data?.ServiceType != null) { + if (ctx.service == null) { + HashMap hm = new HashMap(); + ctx.put("service", hm); + } + ctx.service.put("type", params[ctx.winlog.event_data.ServiceType]); + } + - script: + lang: painless + ignore_failure: false + tag: Set Audit Information + description: Set Audit Information + params: + "0CCE9210-69AE-11D9-BED3-505054503030": ["Security State Change", "System"] + "0CCE9211-69AE-11D9-BED3-505054503030": ["Security System Extension", "System"] + "0CCE9212-69AE-11D9-BED3-505054503030": ["System Integrity", "System"] + "0CCE9213-69AE-11D9-BED3-505054503030": ["IPsec Driver", "System"] + "0CCE9214-69AE-11D9-BED3-505054503030": ["Other System Events", "System"] + "0CCE9215-69AE-11D9-BED3-505054503030": ["Logon", "Logon/Logoff"] + "0CCE9216-69AE-11D9-BED3-505054503030": ["Logoff","Logon/Logoff"] + "0CCE9217-69AE-11D9-BED3-505054503030": ["Account Lockout","Logon/Logoff"] + "0CCE9218-69AE-11D9-BED3-505054503030": ["IPsec Main Mode","Logon/Logoff"] + "0CCE9219-69AE-11D9-BED3-505054503030": ["IPsec Quick Mode","Logon/Logoff"] + "0CCE921A-69AE-11D9-BED3-505054503030": ["IPsec Extended Mode","Logon/Logoff"] + "0CCE921B-69AE-11D9-BED3-505054503030": ["Special Logon","Logon/Logoff"] + "0CCE921C-69AE-11D9-BED3-505054503030": ["Other Logon/Logoff Events","Logon/Logoff"] + "0CCE9243-69AE-11D9-BED3-505054503030": ["Network Policy Server","Logon/Logoff"] + "0CCE9247-69AE-11D9-BED3-505054503030": ["User / Device Claims","Logon/Logoff"] + "0CCE921D-69AE-11D9-BED3-505054503030": ["File System","Object Access"] + "0CCE921E-69AE-11D9-BED3-505054503030": ["Registry","Object Access"] + "0CCE921F-69AE-11D9-BED3-505054503030": ["Kernel Object","Object Access"] + "0CCE9220-69AE-11D9-BED3-505054503030": ["SAM","Object Access"] + "0CCE9221-69AE-11D9-BED3-505054503030": ["Certification Services","Object Access"] + 
"0CCE9222-69AE-11D9-BED3-505054503030": ["Application Generated","Object Access"] + "0CCE9223-69AE-11D9-BED3-505054503030": ["Handle Manipulation","Object Access"] + "0CCE9224-69AE-11D9-BED3-505054503030": ["File Share","Object Access"] + "0CCE9225-69AE-11D9-BED3-505054503030": ["Filtering Platform Packet Drop","Object Access"] + "0CCE9226-69AE-11D9-BED3-505054503030": ["Filtering Platform Connection ","Object Access"] + "0CCE9227-69AE-11D9-BED3-505054503030": ["Other Object Access Events","Object Access"] + "0CCE9244-69AE-11D9-BED3-505054503030": ["Detailed File Share","Object Access"] + "0CCE9245-69AE-11D9-BED3-505054503030": ["Removable Storage","Object Access"] + "0CCE9246-69AE-11D9-BED3-505054503030": ["Central Policy Staging","Object Access"] + "0CCE9228-69AE-11D9-BED3-505054503030": ["Sensitive Privilege Use","Privilege Use"] + "0CCE9229-69AE-11D9-BED3-505054503030": ["Non Sensitive Privilege Use","Privilege Use"] + "0CCE922A-69AE-11D9-BED3-505054503030": ["Other Privilege Use Events","Privilege Use"] + "0CCE922B-69AE-11D9-BED3-505054503030": ["Process Creation","Detailed Tracking"] + "0CCE922C-69AE-11D9-BED3-505054503030": ["Process Termination","Detailed Tracking"] + "0CCE922D-69AE-11D9-BED3-505054503030": ["DPAPI Activity","Detailed Tracking"] + "0CCE922E-69AE-11D9-BED3-505054503030": ["RPC Events","Detailed Tracking"] + "0CCE9248-69AE-11D9-BED3-505054503030": ["Plug and Play Events","Detailed Tracking"] + "0CCE922F-69AE-11D9-BED3-505054503030": ["Audit Policy Change","Policy Change"] + "0CCE9230-69AE-11D9-BED3-505054503030": ["Authentication Policy Change","Policy Change"] + "0CCE9231-69AE-11D9-BED3-505054503030": ["Authorization Policy Change","Policy Change"] + "0CCE9232-69AE-11D9-BED3-505054503030": ["MPSSVC Rule-Level Policy Change","Policy Change"] + "0CCE9233-69AE-11D9-BED3-505054503030": ["Filtering Platform Policy Change","Policy Change"] + "0CCE9234-69AE-11D9-BED3-505054503030": ["Other Policy Change Events","Policy Change"] + 
"0CCE9235-69AE-11D9-BED3-505054503030": ["User Account Management","Account Management"] + "0CCE9236-69AE-11D9-BED3-505054503030": ["Computer Account Management","Account Management"] + "0CCE9237-69AE-11D9-BED3-505054503030": ["Security Group Management","Account Management"] + "0CCE9238-69AE-11D9-BED3-505054503030": ["Distribution Group Management","Account Management"] + "0CCE9239-69AE-11D9-BED3-505054503030": ["Application Group Management","Account Management"] + "0CCE923A-69AE-11D9-BED3-505054503030": ["Other Account Management Events","Account Management"] + "0CCE923B-69AE-11D9-BED3-505054503030": ["Directory Service Access","Account Management"] + "0CCE923C-69AE-11D9-BED3-505054503030": ["Directory Service Changes","Account Management"] + "0CCE923D-69AE-11D9-BED3-505054503030": ["Directory Service Replication","Account Management"] + "0CCE923E-69AE-11D9-BED3-505054503030": ["Detailed Directory Service Replication","Account Management"] + "0CCE923F-69AE-11D9-BED3-505054503030": ["Credential Validation","Account Logon"] + "0CCE9240-69AE-11D9-BED3-505054503030": ["Kerberos Service Ticket Operations","Account Logon"] + "0CCE9241-69AE-11D9-BED3-505054503030": ["Other Account Logon Events","Account Logon"] + "0CCE9242-69AE-11D9-BED3-505054503030": ["Kerberos Authentication Service","Account Logon"] + source: |- + if (ctx.winlog?.event_data?.SubcategoryGuid == null) { + return; + } + def subCatGuid = ctx.winlog.event_data.SubcategoryGuid.replace("{","").replace("}","").toUpperCase(); + if (!params.containsKey(subCatGuid)) { + return; + } + ctx.winlog.event_data.put("Category", params[subCatGuid][1]); + ctx.winlog.event_data.put("SubCategory", params[subCatGuid][0]); + - script: + lang: painless + ignore_failure: false + tag: Decode message table + description: Decode message table + # Message table extracted from msobjs.dll on Windows 2019. 
+ # https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012 + # https://docs.microsoft.com/en-us/windows/win32/secauthz/access-rights-and-access-masks + # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b + params: + descriptions: + "279": "Undefined Access (no effect) Bit 7" + "1536": "Unused message ID" + "1537": "DELETE" + "1538": "READ_CONTROL" + "1539": "WRITE_DAC" + "1540": "WRITE_OWNER" + "1541": "SYNCHRONIZE" + "1542": "ACCESS_SYS_SEC" + "1543": "MAX_ALLOWED" + "1552": "Unknown specific access (bit 0)" + "1553": "Unknown specific access (bit 1)" + "1554": "Unknown specific access (bit 2)" + "1555": "Unknown specific access (bit 3)" + "1556": "Unknown specific access (bit 4)" + "1557": "Unknown specific access (bit 5)" + "1558": "Unknown specific access (bit 6)" + "1559": "Unknown specific access (bit 7)" + "1560": "Unknown specific access (bit 8)" + "1561": "Unknown specific access (bit 9)" + "1562": "Unknown specific access (bit 10)" + "1563": "Unknown specific access (bit 11)" + "1564": "Unknown specific access (bit 12)" + "1565": "Unknown specific access (bit 13)" + "1566": "Unknown specific access (bit 14)" + "1567": "Unknown specific access (bit 15)" + "1601": "Not used" + "1603": "Assign Primary Token Privilege" + "1604": "Lock Memory Privilege" + "1605": "Increase Memory Quota Privilege" + "1606": "Unsolicited Input Privilege" + "1607": "Trusted Computer Base Privilege" + "1608": "Security Privilege" + "1609": "Take Ownership Privilege" + "1610": "Load/Unload Driver Privilege" + "1611": "Profile System Privilege" + "1612": "Set System Time Privilege" + "1613": "Profile Single Process Privilege" + "1614": "Increment Base Priority Privilege" + "1615": "Create Pagefile Privilege" + "1616": "Create Permanent Object Privilege" + "1617": "Backup Privilege" + "1618": "Restore From Backup Privilege" + "1619": "Shutdown System Privilege" + "1620": "Debug Privilege" + "1621": "View or Change 
Audit Log Privilege" + "1622": "Change Hardware Environment Privilege" + "1623": "Change Notify (and Traverse) Privilege" + "1624": "Remotely Shut System Down Privilege" + "1792": "" + "1794": "" + "1795": "Enabled" + "1796": "Disabled" + "1797": "All" + "1798": "None" + "1799": "Audit Policy query/set API Operation" + "1800": "" + "1801": "Granted by" + "1802": "Denied by" + "1803": "Denied by Integrity Policy check" + "1804": "Granted by Ownership" + "1805": "Not granted" + "1806": "Granted by NULL DACL" + "1807": "Denied by Empty DACL" + "1808": "Granted by NULL Security Descriptor" + "1809": "Unknown or unchecked" + "1810": "Not granted due to missing" + "1811": "Granted by ACE on parent folder" + "1812": "Denied by ACE on parent folder" + "1813": "Granted by Central Access Rule" + "1814": "NOT Granted by Central Access Rule" + "1815": "Granted by parent folder's Central Access Rule" + "1816": "NOT Granted by parent folder's Central Access Rule" + "1817": "Unknown Type" + "1818": "String" + "1819": "Unsigned 64-bit Integer" + "1820": "64-bit Integer" + "1821": "FQBN" + "1822": "Blob" + "1823": "Sid" + "1824": "Boolean" + "1825": "TRUE" + "1826": "FALSE" + "1827": "Invalid" + "1828": "an ACE too long to display" + "1829": "a Security Descriptor too long to display" + "1830": "Not granted to AppContainers" + "1831": "..." + "1832": "Identification" + "1833": "Impersonation" + "1840": "Delegation" + "1841": "Denied by Process Trust Label ACE" + "1842": "Yes" + "1843": "No" + "1844": "System" + "1845": "Not Available" + "1846": "Default" + "1847": "DisallowMmConfig" + "1848": "Off" + "1849": "Auto" + "1872": "REG_NONE" + "1873": "REG_SZ" + "1874": "REG_EXPAND_SZ" + "1875": "REG_BINARY" + "1876": "REG_DWORD" + "1877": "REG_DWORD_BIG_ENDIAN" + "1878": "REG_LINK" + "1879": "REG_MULTI_SZ (New lines are replaced with *. 
A * is replaced with **)"
+ "1880": "REG_RESOURCE_LIST"
+ "1881": "REG_FULL_RESOURCE_DESCRIPTOR"
+ "1882": "REG_RESOURCE_REQUIREMENTS_LIST"
+ "1883": "REG_QWORD"
+ "1904": "New registry value created"
+ "1905": "Existing registry value modified"
+ "1906": "Registry value deleted"
+ "1920": "Sunday"
+ "1921": "Monday"
+ "1922": "Tuesday"
+ "1923": "Wednesday"
+ "1924": "Thursday"
+ "1925": "Friday"
+ "1926": "Saturday"
+ "1936": "TokenElevationTypeDefault (1)"
+ "1937": "TokenElevationTypeFull (2)"
+ "1938": "TokenElevationTypeLimited (3)"
+ "2048": "Account Enabled"
+ "2049": "Home Directory Required' - Disabled"
+ "2050": "Password Not Required' - Disabled"
+ "2051": "Temp Duplicate Account' - Disabled"
+ "2052": "Normal Account' - Disabled"
+ "2053": "MNS Logon Account' - Disabled"
+ "2054": "Interdomain Trust Account' - Disabled"
+ "2055": "Workstation Trust Account' - Disabled"
+ "2056": "Server Trust Account' - Disabled"
+ "2057": "Don't Expire Password' - Disabled"
+ "2058": "Account Unlocked"
+ "2059": "Encrypted Text Password Allowed' - Disabled"
+ "2060": "Smartcard Required' - Disabled"
+ "2061": "Trusted For Delegation' - Disabled"
+ "2062": "Not Delegated' - Disabled"
+ "2063": "Use DES Key Only' - Disabled"
+ "2064": "Don't Require Preauth' - Disabled"
+ "2065": "Password Expired' - Disabled"
+ "2066": "Trusted To Authenticate For Delegation' - Disabled"
+ "2067": "Exclude Authorization Information' - Disabled"
+ "2068": "Undefined UserAccountControl Bit 20' - Disabled"
+ "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled"
+ "2070": "Undefined UserAccountControl Bit 22' - Disabled"
+ "2071": "Undefined UserAccountControl Bit 23' - Disabled"
+ "2072": "Undefined UserAccountControl Bit 24' - Disabled"
+ "2073": "Undefined UserAccountControl Bit 25' - Disabled"
+ "2074": "Undefined UserAccountControl Bit 26' - Disabled"
+ "2075": "Undefined UserAccountControl Bit 27' - Disabled"
+ "2076": "Undefined UserAccountControl Bit 28' - Disabled"
+ "2077": "Undefined UserAccountControl Bit 29' - Disabled"
+ "2078": "Undefined UserAccountControl Bit 30' - Disabled"
+ "2079": "Undefined UserAccountControl Bit 31' - Disabled"
+ "2080": "Account Disabled"
+ "2081": "Home Directory Required' - Enabled"
+ "2082": "Password Not Required' - Enabled"
+ "2083": "Temp Duplicate Account' - Enabled"
+ "2084": "Normal Account' - Enabled"
+ "2085": "MNS Logon Account' - Enabled"
+ "2086": "Interdomain Trust Account' - Enabled"
+ "2087": "Workstation Trust Account' - Enabled"
+ "2088": "Server Trust Account' - Enabled"
+ "2089": "Don't Expire Password' - Enabled"
+ "2090": "Account Locked"
+ "2091": "Encrypted Text Password Allowed' - Enabled"
+ "2092": "Smartcard Required' - Enabled"
+ "2093": "Trusted For Delegation' - Enabled"
+ "2094": "Not Delegated' - Enabled"
+ "2095": "Use DES Key Only' - Enabled"
+ "2096": "Don't Require Preauth' - Enabled"
+ "2097": "Password Expired' - Enabled"
+ "2098": "Trusted To Authenticate For Delegation' - Enabled"
+ "2099": "Exclude Authorization Information' - Enabled"
+ "2100": "Undefined UserAccountControl Bit 20' - Enabled"
+ "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled"
+ "2102": "Undefined UserAccountControl Bit 22' - Enabled"
+ "2103": "Undefined UserAccountControl Bit 23' - Enabled"
+ "2104": "Undefined UserAccountControl Bit 24' - Enabled"
+ "2105": "Undefined UserAccountControl Bit 25' - Enabled"
+ "2106": "Undefined UserAccountControl Bit 26' - Enabled"
+ "2107": "Undefined UserAccountControl Bit 27' - Enabled"
+ "2108": "Undefined UserAccountControl Bit 28' - Enabled"
+ "2109": "Undefined UserAccountControl Bit 29' - Enabled"
+ "2110": "Undefined UserAccountControl Bit 30' - Enabled"
+ "2111": "Undefined UserAccountControl Bit 31' - Enabled"
+ "2304": "An Error occured during Logon."
+ "2305": "The specified user account has expired."
+ "2306": "The NetLogon component is not active."
+ "2307": "Account locked out."
+ "2308": "The user has not been granted the requested logon type at this machine."
+ "2309": "The specified account's password has expired."
+ "2310": "Account currently disabled."
+ "2311": "Account logon time restriction violation."
+ "2312": "User not allowed to logon at this computer."
+ "2313": "Unknown user name or bad password."
+ "2314": "Domain sid inconsistent."
+ "2315": "Smartcard logon is required and was not used."
+ "2432": "Not Available."
+ "2436": "Random number generator failure."
+ "2437": "Random number generation failed FIPS-140 pre-hash check."
+ "2438": "Failed to zero secret data."
+ "2439": "Key failed pair wise consistency check."
+ "2448": "Failed to unprotect persistent cryptographic key."
+ "2449": "Key export checks failed."
+ "2450": "Validation of public key failed."
+ "2451": "Signature verification failed."
+ "2456": "Open key file."
+ "2457": "Delete key file."
+ "2458": "Read persisted key from file."
+ "2459": "Write persisted key to file."
+ "2464": "Export of persistent cryptographic key."
+ "2465": "Import of persistent cryptographic key."
+ "2480": "Open Key."
+ "2481": "Create Key."
+ "2482": "Delete Key."
+ "2483": "Encrypt."
+ "2484": "Decrypt."
+ "2485": "Sign hash."
+ "2486": "Secret agreement."
+ "2487": "Domain settings"
+ "2488": "Local settings"
+ "2489": "Add provider."
+ "2490": "Remove provider."
+ "2491": "Add context."
+ "2492": "Remove context."
+ "2493": "Add function."
+ "2494": "Remove function."
+ "2495": "Add function provider."
+ "2496": "Remove function provider."
+ "2497": "Add function property."
+ "2498": "Remove function property."
+ "2499": "Machine key."
+ "2500": "User key."
+ "2501": "Key Derivation."
+ "4352": "Device Access Bit 0"
+ "4353": "Device Access Bit 1"
+ "4354": "Device Access Bit 2"
+ "4355": "Device Access Bit 3"
+ "4356": "Device Access Bit 4"
+ "4357": "Device Access Bit 5"
+ "4358": "Device Access Bit 6"
+ "4359": "Device Access Bit 7"
+ "4360": "Device Access Bit 8"
+ "4361": "Undefined Access (no effect) Bit 9"
+ "4362": "Undefined Access (no effect) Bit 10"
+ "4363": "Undefined Access (no effect) Bit 11"
+ "4364": "Undefined Access (no effect) Bit 12"
+ "4365": "Undefined Access (no effect) Bit 13"
+ "4366": "Undefined Access (no effect) Bit 14"
+ "4367": "Undefined Access (no effect) Bit 15"
+ "4368": "Query directory"
+ "4369": "Traverse"
+ "4370": "Create object in directory"
+ "4371": "Create sub-directory"
+ "4372": "Undefined Access (no effect) Bit 4"
+ "4373": "Undefined Access (no effect) Bit 5"
+ "4374": "Undefined Access (no effect) Bit 6"
+ "4375": "Undefined Access (no effect) Bit 7"
+ "4376": "Undefined Access (no effect) Bit 8"
+ "4377": "Undefined Access (no effect) Bit 9"
+ "4378": "Undefined Access (no effect) Bit 10"
+ "4379": "Undefined Access (no effect) Bit 11"
+ "4380": "Undefined Access (no effect) Bit 12"
+ "4381": "Undefined Access (no effect) Bit 13"
+ "4382": "Undefined Access (no effect) Bit 14"
+ "4383": "Undefined Access (no effect) Bit 15"
+ "4384": "Query event state"
+ "4385": "Modify event state"
+ "4386": "Undefined Access (no effect) Bit 2"
+ "4387": "Undefined Access (no effect) Bit 3"
+ "4388": "Undefined Access (no effect) Bit 4"
+ "4389": "Undefined Access (no effect) Bit 5"
+ "4390": "Undefined Access (no effect) Bit 6"
+ "4391": "Undefined Access (no effect) Bit 7"
+ "4392": "Undefined Access (no effect) Bit 8"
+ "4393": "Undefined Access (no effect) Bit 9"
+ "4394": "Undefined Access (no effect) Bit 10"
+ "4395": "Undefined Access (no effect) Bit 11"
+ "4396": "Undefined Access (no effect) Bit 12"
+ "4397": "Undefined Access (no effect) Bit 13"
+ "4398": "Undefined Access (no effect) Bit 14"
+ 
"4399": "Undefined Access (no effect) Bit 15"
+ "4416": "ReadData (or ListDirectory)"
+ "4417": "WriteData (or AddFile)"
+ "4418": "AppendData (or AddSubdirectory or CreatePipeInstance)"
+ "4419": "ReadEA"
+ "4420": "WriteEA"
+ "4421": "Execute/Traverse"
+ "4422": "DeleteChild"
+ "4423": "ReadAttributes"
+ "4424": "WriteAttributes"
+ "4425": "Undefined Access (no effect) Bit 9"
+ "4426": "Undefined Access (no effect) Bit 10"
+ "4427": "Undefined Access (no effect) Bit 11"
+ "4428": "Undefined Access (no effect) Bit 12"
+ "4429": "Undefined Access (no effect) Bit 13"
+ "4430": "Undefined Access (no effect) Bit 14"
+ "4431": "Undefined Access (no effect) Bit 15"
+ "4432": "Query key value"
+ "4433": "Set key value"
+ "4434": "Create sub-key"
+ "4435": "Enumerate sub-keys"
+ "4436": "Notify about changes to keys"
+ "4437": "Create Link"
+ "4438": "Undefined Access (no effect) Bit 6"
+ "4439": "Undefined Access (no effect) Bit 7"
+ "4440": "Enable 64(or 32) bit application to open 64 bit key"
+ "4441": "Enable 64(or 32) bit application to open 32 bit key"
+ "4442": "Undefined Access (no effect) Bit 10"
+ "4443": "Undefined Access (no effect) Bit 11"
+ "4444": "Undefined Access (no effect) Bit 12"
+ "4445": "Undefined Access (no effect) Bit 13"
+ "4446": "Undefined Access (no effect) Bit 14"
+ "4447": "Undefined Access (no effect) Bit 15"
+ "4448": "Query mutant state"
+ "4449": "Undefined Access (no effect) Bit 1"
+ "4450": "Undefined Access (no effect) Bit 2"
+ "4451": "Undefined Access (no effect) Bit 3"
+ "4452": "Undefined Access (no effect) Bit 4"
+ "4453": "Undefined Access (no effect) Bit 5"
+ "4454": "Undefined Access (no effect) Bit 6"
+ "4455": "Undefined Access (no effect) Bit 7"
+ "4456": "Undefined Access (no effect) Bit 8"
+ "4457": "Undefined Access (no effect) Bit 9"
+ "4458": "Undefined Access (no effect) Bit 10"
+ "4459": "Undefined Access (no effect) Bit 11"
+ "4460": "Undefined Access (no effect) Bit 12"
+ "4461": "Undefined Access (no effect) Bit 
13"
+ "4462": "Undefined Access (no effect) Bit 14"
+ "4463": "Undefined Access (no effect) Bit 15"
+ "4464": "Communicate using port"
+ "4465": "Undefined Access (no effect) Bit 1"
+ "4466": "Undefined Access (no effect) Bit 2"
+ "4467": "Undefined Access (no effect) Bit 3"
+ "4468": "Undefined Access (no effect) Bit 4"
+ "4469": "Undefined Access (no effect) Bit 5"
+ "4470": "Undefined Access (no effect) Bit 6"
+ "4471": "Undefined Access (no effect) Bit 7"
+ "4472": "Undefined Access (no effect) Bit 8"
+ "4473": "Undefined Access (no effect) Bit 9"
+ "4474": "Undefined Access (no effect) Bit 10"
+ "4475": "Undefined Access (no effect) Bit 11"
+ "4476": "Undefined Access (no effect) Bit 12"
+ "4477": "Undefined Access (no effect) Bit 13"
+ "4478": "Undefined Access (no effect) Bit 14"
+ "4479": "Undefined Access (no effect) Bit 15"
+ "4480": "Force process termination"
+ "4481": "Create new thread in process"
+ "4482": "Set process session ID"
+ "4483": "Perform virtual memory operation"
+ "4484": "Read from process memory"
+ "4485": "Write to process memory"
+ "4486": "Duplicate handle into or out of process"
+ "4487": "Create a subprocess of process"
+ "4488": "Set process quotas"
+ "4489": "Set process information"
+ "4490": "Query process information"
+ "4491": "Set process termination port"
+ "4492": "Undefined Access (no effect) Bit 12"
+ "4493": "Undefined Access (no effect) Bit 13"
+ "4494": "Undefined Access (no effect) Bit 14"
+ "4495": "Undefined Access (no effect) Bit 15"
+ "4496": "Control profile"
+ "4497": "Undefined Access (no effect) Bit 1"
+ "4498": "Undefined Access (no effect) Bit 2"
+ "4499": "Undefined Access (no effect) Bit 3"
+ "4500": "Undefined Access (no effect) Bit 4"
+ "4501": "Undefined Access (no effect) Bit 5"
+ "4502": "Undefined Access (no effect) Bit 6"
+ "4503": "Undefined Access (no effect) Bit 7"
+ "4504": "Undefined Access (no effect) Bit 8"
+ "4505": "Undefined Access (no effect) Bit 9"
+ "4506": "Undefined Access (no 
effect) Bit 10"
+ "4507": "Undefined Access (no effect) Bit 11"
+ "4508": "Undefined Access (no effect) Bit 12"
+ "4509": "Undefined Access (no effect) Bit 13"
+ "4510": "Undefined Access (no effect) Bit 14"
+ "4511": "Undefined Access (no effect) Bit 15"
+ "4512": "Query section state"
+ "4513": "Map section for write"
+ "4514": "Map section for read"
+ "4515": "Map section for execute"
+ "4516": "Extend size"
+ "4517": "Undefined Access (no effect) Bit 5"
+ "4518": "Undefined Access (no effect) Bit 6"
+ "4519": "Undefined Access (no effect) Bit 7"
+ "4520": "Undefined Access (no effect) Bit 8"
+ "4521": "Undefined Access (no effect) Bit 9"
+ "4522": "Undefined Access (no effect) Bit 10"
+ "4523": "Undefined Access (no effect) Bit 11"
+ "4524": "Undefined Access (no effect) Bit 12"
+ "4525": "Undefined Access (no effect) Bit 13"
+ "4526": "Undefined Access (no effect) Bit 14"
+ "4527": "Undefined Access (no effect) Bit 15"
+ "4528": "Query semaphore state"
+ "4529": "Modify semaphore state"
+ "4530": "Undefined Access (no effect) Bit 2"
+ "4531": "Undefined Access (no effect) Bit 3"
+ "4532": "Undefined Access (no effect) Bit 4"
+ "4533": "Undefined Access (no effect) Bit 5"
+ "4534": "Undefined Access (no effect) Bit 6"
+ "4535": "Undefined Access (no effect) Bit 7"
+ "4536": "Undefined Access (no effect) Bit 8"
+ "4537": "Undefined Access (no effect) Bit 9"
+ "4538": "Undefined Access (no effect) Bit 10"
+ "4539": "Undefined Access (no effect) Bit 11"
+ "4540": "Undefined Access (no effect) Bit 12"
+ "4541": "Undefined Access (no effect) Bit 13"
+ "4542": "Undefined Access (no effect) Bit 14"
+ "4543": "Undefined Access (no effect) Bit 15"
+ "4544": "Use symbolic link"
+ "4545": "Undefined Access (no effect) Bit 1"
+ "4546": "Undefined Access (no effect) Bit 2"
+ "4547": "Undefined Access (no effect) Bit 3"
+ "4548": "Undefined Access (no effect) Bit 4"
+ "4549": "Undefined Access (no effect) Bit 5"
+ "4550": "Undefined Access (no effect) Bit 6"
+ "4551": 
"Undefined Access (no effect) Bit 7"
+ "4552": "Undefined Access (no effect) Bit 8"
+ "4553": "Undefined Access (no effect) Bit 9"
+ "4554": "Undefined Access (no effect) Bit 10"
+ "4555": "Undefined Access (no effect) Bit 11"
+ "4556": "Undefined Access (no effect) Bit 12"
+ "4557": "Undefined Access (no effect) Bit 13"
+ "4558": "Undefined Access (no effect) Bit 14"
+ "4559": "Undefined Access (no effect) Bit 15"
+ "4560": "Force thread termination"
+ "4561": "Suspend or resume thread"
+ "4562": "Send an alert to thread"
+ "4563": "Get thread context"
+ "4564": "Set thread context"
+ "4565": "Set thread information"
+ "4566": "Query thread information"
+ "4567": "Assign a token to the thread"
+ "4568": "Cause thread to directly impersonate another thread"
+ "4569": "Directly impersonate this thread"
+ "4570": "Undefined Access (no effect) Bit 10"
+ "4571": "Undefined Access (no effect) Bit 11"
+ "4572": "Undefined Access (no effect) Bit 12"
+ "4573": "Undefined Access (no effect) Bit 13"
+ "4574": "Undefined Access (no effect) Bit 14"
+ "4575": "Undefined Access (no effect) Bit 15"
+ "4576": "Query timer state"
+ "4577": "Modify timer state"
+ "4578": "Undefined Access (no effect) Bit 2"
+ "4579": "Undefined Access (no effect) Bit 3"
+ "4580": "Undefined Access (no effect) Bit 4"
+ "4581": "Undefined Access (no effect) Bit 5"
+ "4582": "Undefined Access (no effect) Bit 6"
+ "4584": "Undefined Access (no effect) Bit 8"
+ "4585": "Undefined Access (no effect) Bit 9"
+ "4586": "Undefined Access (no effect) Bit 10"
+ "4587": "Undefined Access (no effect) Bit 11"
+ "4588": "Undefined Access (no effect) Bit 12"
+ "4589": "Undefined Access (no effect) Bit 13"
+ "4590": "Undefined Access (no effect) Bit 14"
+ "4591": "Undefined Access (no effect) Bit 15"
+ "4592": "AssignAsPrimary"
+ "4593": "Duplicate"
+ "4594": "Impersonate"
+ "4595": "Query"
+ "4596": "QuerySource"
+ "4597": "AdjustPrivileges"
+ "4598": "AdjustGroups"
+ "4599": "AdjustDefaultDacl"
+ "4600": 
"AdjustSessionID"
+ "4601": "Undefined Access (no effect) Bit 9"
+ "4602": "Undefined Access (no effect) Bit 10"
+ "4603": "Undefined Access (no effect) Bit 11"
+ "4604": "Undefined Access (no effect) Bit 12"
+ "4605": "Undefined Access (no effect) Bit 13"
+ "4606": "Undefined Access (no effect) Bit 14"
+ "4607": "Undefined Access (no effect) Bit 15"
+ "4608": "Create instance of object type"
+ "4609": "Undefined Access (no effect) Bit 1"
+ "4610": "Undefined Access (no effect) Bit 2"
+ "4611": "Undefined Access (no effect) Bit 3"
+ "4612": "Undefined Access (no effect) Bit 4"
+ "4613": "Undefined Access (no effect) Bit 5"
+ "4614": "Undefined Access (no effect) Bit 6"
+ "4615": "Undefined Access (no effect) Bit 7"
+ "4616": "Undefined Access (no effect) Bit 8"
+ "4617": "Undefined Access (no effect) Bit 9"
+ "4618": "Undefined Access (no effect) Bit 10"
+ "4619": "Undefined Access (no effect) Bit 11"
+ "4620": "Undefined Access (no effect) Bit 12"
+ "4621": "Undefined Access (no effect) Bit 13"
+ "4622": "Undefined Access (no effect) Bit 14"
+ "4623": "Undefined Access (no effect) Bit 15"
+ "4864": "Query State"
+ "4865": "Modify State"
+ "5120": "Channel read message"
+ "5121": "Channel write message"
+ "5122": "Channel query information"
+ "5123": "Channel set information"
+ "5124": "Undefined Access (no effect) Bit 4"
+ "5125": "Undefined Access (no effect) Bit 5"
+ "5126": "Undefined Access (no effect) Bit 6"
+ "5127": "Undefined Access (no effect) Bit 7"
+ "5128": "Undefined Access (no effect) Bit 8"
+ "5129": "Undefined Access (no effect) Bit 9"
+ "5130": "Undefined Access (no effect) Bit 10"
+ "5131": "Undefined Access (no effect) Bit 11"
+ "5132": "Undefined Access (no effect) Bit 12"
+ "5133": "Undefined Access (no effect) Bit 13"
+ "5134": "Undefined Access (no effect) Bit 14"
+ "5135": "Undefined Access (no effect) Bit 15"
+ "5136": "Assign process"
+ "5137": "Set Attributes"
+ "5138": "Query Attributes"
+ "5139": "Terminate Job"
+ "5140": "Set Security 
Attributes"
+ "5141": "Undefined Access (no effect) Bit 5"
+ "5142": "Undefined Access (no effect) Bit 6"
+ "5143": "Undefined Access (no effect) Bit 7"
+ "5144": "Undefined Access (no effect) Bit 8"
+ "5145": "Undefined Access (no effect) Bit 9"
+ "5146": "Undefined Access (no effect) Bit 10"
+ "5147": "Undefined Access (no effect) Bit 11"
+ "5148": "Undefined Access (no effect) Bit 12"
+ "5149": "Undefined Access (no effect) Bit 13"
+ "5150": "Undefined Access (no effect) Bit 14"
+ "5151": "Undefined Access (no effect) Bit 15"
+ "5376": "ConnectToServer"
+ "5377": "ShutdownServer"
+ "5378": "InitializeServer"
+ "5379": "CreateDomain"
+ "5380": "EnumerateDomains"
+ "5381": "LookupDomain"
+ "5382": "Undefined Access (no effect) Bit 6"
+ "5383": "Undefined Access (no effect) Bit 7"
+ "5384": "Undefined Access (no effect) Bit 8"
+ "5385": "Undefined Access (no effect) Bit 9"
+ "5386": "Undefined Access (no effect) Bit 10"
+ "5387": "Undefined Access (no effect) Bit 11"
+ "5388": "Undefined Access (no effect) Bit 12"
+ "5389": "Undefined Access (no effect) Bit 13"
+ "5390": "Undefined Access (no effect) Bit 14"
+ "5391": "Undefined Access (no effect) Bit 15"
+ "5392": "ReadPasswordParameters"
+ "5393": "WritePasswordParameters"
+ "5394": "ReadOtherParameters"
+ "5395": "WriteOtherParameters"
+ "5396": "CreateUser"
+ "5397": "CreateGlobalGroup"
+ "5398": "CreateLocalGroup"
+ "5399": "GetLocalGroupMembership"
+ "5400": "ListAccounts"
+ "5401": "LookupIDs"
+ "5402": "AdministerServer"
+ "5403": "Undefined Access (no effect) Bit 11"
+ "5404": "Undefined Access (no effect) Bit 12"
+ "5405": "Undefined Access (no effect) Bit 13"
+ "5406": "Undefined Access (no effect) Bit 14"
+ "5407": "Undefined Access (no effect) Bit 15"
+ "5408": "ReadInformation"
+ "5409": "WriteAccount"
+ "5410": "AddMember"
+ "5411": "RemoveMember"
+ "5412": "ListMembers"
+ "5413": "Undefined Access (no effect) Bit 5"
+ "5414": "Undefined Access (no effect) Bit 6"
+ "5415": "Undefined Access (no 
effect) Bit 7"
+ "5416": "Undefined Access (no effect) Bit 8"
+ "5417": "Undefined Access (no effect) Bit 9"
+ "5418": "Undefined Access (no effect) Bit 10"
+ "5419": "Undefined Access (no effect) Bit 11"
+ "5420": "Undefined Access (no effect) Bit 12"
+ "5421": "Undefined Access (no effect) Bit 13"
+ "5422": "Undefined Access (no effect) Bit 14"
+ "5423": "Undefined Access (no effect) Bit 15"
+ "5424": "AddMember"
+ "5425": "RemoveMember"
+ "5426": "ListMembers"
+ "5427": "ReadInformation"
+ "5428": "WriteAccount"
+ "5429": "Undefined Access (no effect) Bit 5"
+ "5430": "Undefined Access (no effect) Bit 6"
+ "5431": "Undefined Access (no effect) Bit 7"
+ "5432": "Undefined Access (no effect) Bit 8"
+ "5433": "Undefined Access (no effect) Bit 9"
+ "5434": "Undefined Access (no effect) Bit 10"
+ "5435": "Undefined Access (no effect) Bit 11"
+ "5436": "Undefined Access (no effect) Bit 12"
+ "5437": "Undefined Access (no effect) Bit 13"
+ "5438": "Undefined Access (no effect) Bit 14"
+ "5439": "Undefined Access (no effect) Bit 15"
+ "5440": "ReadGeneralInformation"
+ "5441": "ReadPreferences"
+ "5442": "WritePreferences"
+ "5443": "ReadLogon"
+ "5444": "ReadAccount"
+ "5445": "WriteAccount"
+ "5446": "ChangePassword (with knowledge of old password)"
+ "5447": "SetPassword (without knowledge of old password)"
+ "5448": "ListGroups"
+ "5449": "ReadGroupMembership"
+ "5450": "ChangeGroupMembership"
+ "5451": "Undefined Access (no effect) Bit 11"
+ "5452": "Undefined Access (no effect) Bit 12"
+ "5453": "Undefined Access (no effect) Bit 13"
+ "5454": "Undefined Access (no effect) Bit 14"
+ "5455": "Undefined Access (no effect) Bit 15"
+ "5632": "View non-sensitive policy information"
+ "5633": "View system audit requirements"
+ "5634": "Get sensitive policy information"
+ "5635": "Modify domain trust relationships"
+ "5636": "Create special accounts (for assignment of user rights)"
+ "5637": "Create a secret object"
+ "5638": "Create a privilege"
+ "5639": "Set default 
quota limits"
+ "5640": "Change system audit requirements"
+ "5641": "Administer audit log attributes"
+ "5642": "Enable/Disable LSA"
+ "5643": "Lookup Names/SIDs"
+ "5648": "Change secret value"
+ "5649": "Query secret value"
+ "5650": "Undefined Access (no effect) Bit 2"
+ "5651": "Undefined Access (no effect) Bit 3"
+ "5652": "Undefined Access (no effect) Bit 4"
+ "5653": "Undefined Access (no effect) Bit 5"
+ "5654": "Undefined Access (no effect) Bit 6"
+ "5655": "Undefined Access (no effect) Bit 7"
+ "5656": "Undefined Access (no effect) Bit 8"
+ "5657": "Undefined Access (no effect) Bit 9"
+ "5658": "Undefined Access (no effect) Bit 10"
+ "5659": "Undefined Access (no effect) Bit 11"
+ "5660": "Undefined Access (no effect) Bit 12"
+ "5661": "Undefined Access (no effect) Bit 13"
+ "5662": "Undefined Access (no effect) Bit 14"
+ "5663": "Undefined Access (no effect) Bit 15"
+ "5664": "Query trusted domain name/SID"
+ "5665": "Retrieve the controllers in the trusted domain"
+ "5666": "Change the controllers in the trusted domain"
+ "5667": "Query the Posix ID offset assigned to the trusted domain"
+ "5668": "Change the Posix ID offset assigned to the trusted domain"
+ "5669": "Undefined Access (no effect) Bit 5"
+ "5670": "Undefined Access (no effect) Bit 6"
+ "5671": "Undefined Access (no effect) Bit 7"
+ "5672": "Undefined Access (no effect) Bit 8"
+ "5673": "Undefined Access (no effect) Bit 9"
+ "5674": "Undefined Access (no effect) Bit 10"
+ "5675": "Undefined Access (no effect) Bit 11"
+ "5676": "Undefined Access (no effect) Bit 12"
+ "5677": "Undefined Access (no effect) Bit 13"
+ "5678": "Undefined Access (no effect) Bit 14"
+ "5679": "Undefined Access (no effect) Bit 15"
+ "5680": "Query account information"
+ "5681": "Change privileges assigned to account"
+ "5682": "Change quotas assigned to account"
+ "5683": "Change logon capabilities assigned to account"
+ "5684": "Change the Posix ID offset assigned to the accounted domain"
+ "5685": "Undefined 
Access (no effect) Bit 5"
+ "5686": "Undefined Access (no effect) Bit 6"
+ "5687": "Undefined Access (no effect) Bit 7"
+ "5688": "Undefined Access (no effect) Bit 8"
+ "5689": "Undefined Access (no effect) Bit 9"
+ "5690": "Undefined Access (no effect) Bit 10"
+ "5691": "Undefined Access (no effect) Bit 11"
+ "5692": "Undefined Access (no effect) Bit 12"
+ "5693": "Undefined Access (no effect) Bit 13"
+ "5694": "Undefined Access (no effect) Bit 14"
+ "5695": "Undefined Access (no effect) Bit 15"
+ "5696": "KeyedEvent Wait"
+ "5697": "KeyedEvent Wake"
+ "5698": "Undefined Access (no effect) Bit 2"
+ "5699": "Undefined Access (no effect) Bit 3"
+ "5700": "Undefined Access (no effect) Bit 4"
+ "5701": "Undefined Access (no effect) Bit 5"
+ "5702": "Undefined Access (no effect) Bit 6"
+ "5703": "Undefined Access (no effect) Bit 7"
+ "5704": "Undefined Access (no effect) Bit 8"
+ "5705": "Undefined Access (no effect) Bit 9"
+ "5706": "Undefined Access (no effect) Bit 10"
+ "5707": "Undefined Access (no effect) Bit 11"
+ "5708": "Undefined Access (no effect) Bit 12"
+ "5709": "Undefined Access (no effect) Bit 13"
+ "5710": "Undefined Access (no effect) Bit 14"
+ "5711": "Undefined Access (no effect) Bit 15"
+ "6656": "Enumerate desktops"
+ "6657": "Read attributes"
+ "6658": "Access Clipboard"
+ "6659": "Create desktop"
+ "6660": "Write attributes"
+ "6661": "Access global atoms"
+ "6662": "Exit windows"
+ "6663": "Unused Access Flag"
+ "6664": "Include this windowstation in enumerations"
+ "6665": "Read screen"
+ "6672": "Read Objects"
+ "6673": "Create window"
+ "6674": "Create menu"
+ "6675": "Hook control"
+ "6676": "Journal (record)"
+ "6677": "Journal (playback)"
+ "6678": "Include this desktop in enumerations"
+ "6679": "Write objects"
+ "6680": "Switch to this desktop"
+ "6912": "Administer print server"
+ "6913": "Enumerate printers"
+ "6930": "Full Control"
+ "6931": "Print"
+ "6948": "Administer Document"
+ "7168": "Connect to service controller"
+ "7169": 
"Create a new service"
+ "7170": "Enumerate services"
+ "7171": "Lock service database for exclusive access"
+ "7172": "Query service database lock state"
+ "7173": "Set last-known-good state of service database"
+ "7184": "Query service configuration information"
+ "7185": "Set service configuration information"
+ "7186": "Query status of service"
+ "7187": "Enumerate dependencies of service"
+ "7188": "Start the service"
+ "7189": "Stop the service"
+ "7190": "Pause or continue the service"
+ "7191": "Query information from service"
+ "7192": "Issue service-specific control commands"
+ "7424": "DDE Share Read"
+ "7425": "DDE Share Write"
+ "7426": "DDE Share Initiate Static"
+ "7427": "DDE Share Initiate Link"
+ "7428": "DDE Share Request"
+ "7429": "DDE Share Advise"
+ "7430": "DDE Share Poke"
+ "7431": "DDE Share Execute"
+ "7432": "DDE Share Add Items"
+ "7433": "DDE Share List Items"
+ "7680": "Create Child"
+ "7681": "Delete Child"
+ "7682": "List Contents"
+ "7683": "Write Self"
+ "7684": "Read Property"
+ "7685": "Write Property"
+ "7686": "Delete Tree"
+ "7687": "List Object"
+ "7688": "Control Access"
+ "7689": "Undefined Access (no effect) Bit 9"
+ "7690": "Undefined Access (no effect) Bit 10"
+ "7691": "Undefined Access (no effect) Bit 11"
+ "7692": "Undefined Access (no effect) Bit 12"
+ "7693": "Undefined Access (no effect) Bit 13"
+ "7694": "Undefined Access (no effect) Bit 14"
+ "7695": "Undefined Access (no effect) Bit 15"
+ "7936": "Audit Set System Policy"
+ "7937": "Audit Query System Policy"
+ "7938": "Audit Set Per User Policy"
+ "7939": "Audit Query Per User Policy"
+ "7940": "Audit Enumerate Users"
+ "7941": "Audit Set Options"
+ "7942": "Audit Query Options"
+ "8064": "Port sharing (read)"
+ "8065": "Port sharing (write)"
+ "8096": "Default credentials"
+ "8097": "Credentials manager"
+ "8098": "Fresh credentials"
+ "8192": "Kerberos"
+ "8193": "Preshared key"
+ "8194": "Unknown authentication"
+ "8195": "DES"
+ "8196": "3DES"
+ "8197": 
"MD5"
+ "8198": "SHA1"
+ "8199": "Local computer"
+ "8200": "Remote computer"
+ "8201": "No state"
+ "8202": "Sent first (SA) payload"
+ "8203": "Sent second (KE) payload"
+ "8204": "Sent third (ID) payload"
+ "8205": "Initiator"
+ "8206": "Responder"
+ "8207": "No state"
+ "8208": "Sent first (SA) payload"
+ "8209": "Sent final payload"
+ "8210": "Complete"
+ "8211": "Unknown"
+ "8212": "Transport"
+ "8213": "Tunnel"
+ "8214": "IKE/AuthIP DoS prevention mode started"
+ "8215": "IKE/AuthIP DoS prevention mode stopped"
+ "8216": "Enabled"
+ "8217": "Not enabled"
+ "8218": "No state"
+ "8219": "Sent first (EM attributes) payload"
+ "8220": "Sent second (SSPI) payload"
+ "8221": "Sent third (hash) payload"
+ "8222": "IKEv1"
+ "8223": "AuthIP"
+ "8224": "Anonymous"
+ "8225": "NTLM V2"
+ "8226": "CGA"
+ "8227": "Certificate"
+ "8228": "SSL"
+ "8229": "None"
+ "8230": "DH group 1"
+ "8231": "DH group 2"
+ "8232": "DH group 14"
+ "8233": "DH group ECP 256"
+ "8234": "DH group ECP 384"
+ "8235": "AES-128"
+ "8236": "AES-192"
+ "8237": "AES-256"
+ "8238": "Certificate ECDSA P256"
+ "8239": "Certificate ECDSA P384"
+ "8240": "SSL ECDSA P256"
+ "8241": "SSL ECDSA P384"
+ "8242": "SHA 256"
+ "8243": "SHA 384"
+ "8244": "IKEv2"
+ "8245": "EAP payload sent"
+ "8246": "Authentication payload sent"
+ "8247": "EAP"
+ "8248": "DH group 24"
+ "8272": "System"
+ "8273": "Logon/Logoff"
+ "8274": "Object Access"
+ "8275": "Privilege Use"
+ "8276": "Detailed Tracking"
+ "8277": "Policy Change"
+ "8278": "Account Management"
+ "8279": "DS Access"
+ "8280": "Account Logon"
+ "8448": "Success removed"
+ "8449": "Success Added"
+ "8450": "Failure removed"
+ "8451": "Failure Added"
+ "8452": "Success include removed"
+ "8453": "Success include added"
+ "8454": "Success exclude removed"
+ "8455": "Success exclude added"
+ "8456": "Failure include removed"
+ "8457": "Failure include added"
+ "8458": "Failure exclude removed"
+ "8459": "Failure exclude added"
+ "12288": "Security State Change"
+ 
"12289": "Security System Extension"
+ "12290": "System Integrity"
+ "12291": "IPsec Driver"
+ "12292": "Other System Events"
+ "12544": "Logon"
+ "12545": "Logoff"
+ "12546": "Account Lockout"
+ "12547": "IPsec Main Mode"
+ "12548": "Special Logon"
+ "12549": "IPsec Quick Mode"
+ "12550": "IPsec Extended Mode"
+ "12551": "Other Logon/Logoff Events"
+ "12552": "Network Policy Server"
+ "12553": "User / Device Claims"
+ "12554": "Group Membership"
+ "12800": "File System"
+ "12801": "Registry"
+ "12802": "Kernel Object"
+ "12803": "SAM"
+ "12804": "Other Object Access Events"
+ "12805": "Certification Services"
+ "12806": "Application Generated"
+ "12807": "Handle Manipulation"
+ "12808": "File Share"
+ "12809": "Filtering Platform Packet Drop"
+ "12810": "Filtering Platform Connection"
+ "12811": "Detailed File Share"
+ "12812": "Removable Storage"
+ "12813": "Central Policy Staging"
+ "13056": "Sensitive Privilege Use"
+ "13057": "Non Sensitive Privilege Use"
+ "13058": "Other Privilege Use Events"
+ "13312": "Process Creation"
+ "13313": "Process Termination"
+ "13314": "DPAPI Activity"
+ "13315": "RPC Events"
+ "13316": "Plug and Play Events"
+ "13317": "Token Right Adjusted Events"
+ "13568": "Audit Policy Change"
+ "13569": "Authentication Policy Change"
+ "13570": "Authorization Policy Change"
+ "13571": "MPSSVC Rule-Level Policy Change"
+ "13572": "Filtering Platform Policy Change"
+ "13573": "Other Policy Change Events"
+ "13824": "User Account Management"
+ "13825": "Computer Account Management"
+ "13826": "Security Group Management"
+ "13827": "Distribution Group Management"
+ "13828": "Application Group Management"
+ "13829": "Other Account Management Events"
+ "14080": "Directory Service Access"
+ "14081": "Directory Service Changes"
+ "14082": "Directory Service Replication"
+ "14083": "Detailed Directory Service Replication"
+ "14336": "Credential Validation"
+ "14337": "Kerberos Service Ticket Operations"
+ "14338": "Other Account Logon Events"
+ 
"14339": "Kerberos Authentication Service"
+ "14592": "Inbound"
+ "14593": "Outbound"
+ "14594": "Forward"
+ "14595": "Bidirectional"
+ "14596": "IP Packet"
+ "14597": "Transport"
+ "14598": "Forward"
+ "14599": "Stream"
+ "14600": "Datagram Data"
+ "14601": "ICMP Error"
+ "14602": "MAC 802.3"
+ "14603": "MAC Native"
+ "14604": "vSwitch"
+ "14608": "Resource Assignment"
+ "14609": "Listen"
+ "14610": "Receive/Accept"
+ "14611": "Connect"
+ "14612": "Flow Established"
+ "14614": "Resource Release"
+ "14615": "Endpoint Closure"
+ "14616": "Connect Redirect"
+ "14617": "Bind Redirect"
+ "14624": "Stream Packet"
+ "14640": "ICMP Echo-Request"
+ "14641": "vSwitch Ingress"
+ "14642": "vSwitch Egress"
+ "14672": ""
+ "14673": "[NULL]"
+ "14674": "Value Added"
+ "14675": "Value Deleted"
+ "14676": "Active Directory Domain Services"
+ "14677": "Active Directory Lightweight Directory Services"
+ "14678": "Yes"
+ "14679": "No"
+ "14680": "Value Added With Expiration Time"
+ "14681": "Value Deleted With Expiration Time"
+ "14688": "Value Auto Deleted With Expiration Time"
+ "16384": "Add"
+ "16385": "Delete"
+ "16386": "Boot-time"
+ "16387": "Persistent"
+ "16388": "Not persistent"
+ "16389": "Block"
+ "16390": "Permit"
+ "16391": "Callout"
+ "16392": "MD5"
+ "16393": "SHA-1"
+ "16394": "SHA-256"
+ "16395": "AES-GCM 128"
+ "16396": "AES-GCM 192"
+ "16397": "AES-GCM 256"
+ "16398": "DES"
+ "16399": "3DES"
+ "16400": "AES-128"
+ "16401": "AES-192"
+ "16402": "AES-256"
+ "16403": "Transport"
+ "16404": "Tunnel"
+ "16405": "Responder"
+ "16406": "Initiator"
+ "16407": "AES-GMAC 128"
+ "16408": "AES-GMAC 192"
+ "16409": "AES-GMAC 256"
+ "16416": "AuthNoEncap Transport"
+ "16896": "Enable WMI Account"
+ "16897": "Execute Method"
+ "16898": "Full Write"
+ "16899": "Partial Write"
+ "16900": "Provider Write"
+ "16901": "Remote Access"
+ "16902": "Subscribe"
+ "16903": "Publish"
+ reversed_descriptions:
+ "..." 
: ["1831"] + "3DES" : ["8196","16399"] + "64-bit Integer" : ["1820"] + "" : ["14672"] + "" : ["1800"] + "" : ["1794"] + "" : ["1793"] + "ACCESS_SYS_SEC" : ["1542"] + "AES-128" : ["16400","8235"] + "AES-192" : ["8236","16401"] + "AES-256" : ["16402","8237"] + "AES-GCM 128" : ["16395"] + "AES-GCM 192" : ["16396"] + "AES-GCM 256" : ["16397"] + "AES-GMAC 128" : ["16407"] + "AES-GMAC 192" : ["16408"] + "AES-GMAC 256" : ["16409"] + "Access Clipboard" : ["6658"] + "Access global atoms" : ["6661"] + "Account Disabled" : ["2080"] + "Account Enabled" : ["2048"] + "Account Locked" : ["2090"] + "Account Lockout" : ["12546"] + "Account Logon" : ["8280"] + "Account Management" : ["8278"] + "Account Unlocked" : ["2058"] + "Account currently disabled." : ["2310"] + "Account locked out." : ["2307"] + "Account logon time restriction violation." : ["2311"] + "Active Directory Domain Services" : ["14676"] + "Active Directory Lightweight Directory Services" : ["14677"] + "Add" : ["16384"] + "Add context." : ["2491"] + "Add function property." : ["2497"] + "Add function provider." : ["2495"] + "Add function." : ["2493"] + "Add provider." : ["2489"] + "AddMember" : ["5410","5424"] + "AdjustDefaultDacl" : ["4599"] + "AdjustGroups" : ["4598"] + "AdjustPrivileges" : ["4597"] + "AdjustSessionID" : ["4600"] + "Administer Document" : ["6948"] + "Administer audit log attributes" : ["5641"] + "Administer print server" : ["6912"] + "AdministerServer" : ["5402"] + "All" : ["1797"] + "An Error occured during Logon." 
: ["2304"] + "Anonymous" : ["8224"] + "AppendData (or AddSubdirectory or CreatePipeInstance)" : ["4418"] + "Application Generated" : ["12806"] + "Application Group Management" : ["13828"] + "Assign Primary Token Privilege" : ["1603"] + "Assign a token to the thread" : ["4567"] + "Assign process" : ["5136"] + "AssignAsPrimary" : ["4592"] + "Audit Enumerate Users" : ["7940"] + "Audit Policy Change" : ["13568"] + "Audit Policy query/set API Operation" : ["1799"] + "Audit Query Options" : ["7942"] + "Audit Query Per User Policy" : ["7939"] + "Audit Query System Policy" : ["7937"] + "Audit Set Options" : ["7941"] + "Audit Set Per User Policy" : ["7938"] + "Audit Set System Policy" : ["7936"] + "AuthIP" : ["8223"] + "AuthNoEncap Transport" : ["16416"] + "Authentication Policy Change" : ["13569"] + "Authentication payload sent" : ["8246"] + "Authorization Policy Change" : ["13570"] + "Auto" : ["1849"] + "Backup Privilege" : ["1617"] + "Bidirectional" : ["14595"] + "Bind Redirect" : ["14617"] + "Blob" : ["1822"] + "Block" : ["16389"] + "Boolean" : ["1824"] + "Boot-time" : ["16386"] + "CGA" : ["8226"] + "Callout" : ["16391"] + "Cause thread to directly impersonate another thread" : ["4568"] + "Central Policy Staging" : ["12813"] + "Certificate" : ["8227"] + "Certificate ECDSA P256" : ["8238"] + "Certificate ECDSA P384" : ["8239"] + "Certification Services" : ["12805"] + "Change Hardware Environment Privilege" : ["1622"] + "Change Notify (and Traverse) Privilege" : ["1623"] + "Change logon capabilities assigned to account" : ["5683"] + "Change privileges assigned to account" : ["5681"] + "Change quotas assigned to account" : ["5682"] + "Change secret value" : ["5648"] + "Change system audit requirements" : ["5640"] + "Change the Posix ID offset assigned to the accounted domain" : ["5684"] + "Change the Posix ID offset assigned to the trusted domain" : ["5668"] + "Change the controllers in the trusted domain" : ["5666"] + "ChangeGroupMembership" : ["5450"] + "ChangePassword 
(with knowledge of old password)" : ["5446"] + "Channel query information" : ["5122"] + "Channel read message" : ["5120"] + "Channel set information" : ["5123"] + "Channel write message" : ["5121"] + "Communicate using port" : ["4464"] + "Complete" : ["8210"] + "Computer Account Management" : ["13825"] + "Connect" : ["14611"] + "Connect Redirect" : ["14616"] + "Connect to service controller" : ["7168"] + "ConnectToServer" : ["5376"] + "Control Access" : ["7688"] + "Control profile" : ["4496"] + "Create Child" : ["7680"] + "Create Key." : ["2481"] + "Create Link" : ["4437"] + "Create Pagefile Privilege" : ["1615"] + "Create Permanent Object Privilege" : ["1616"] + "Create a new service" : ["7169"] + "Create a privilege" : ["5638"] + "Create a secret object" : ["5637"] + "Create a subprocess of process" : ["4487"] + "Create desktop" : ["6659"] + "Create instance of object type" : ["4608"] + "Create menu" : ["6674"] + "Create new thread in process" : ["4481"] + "Create object in directory" : ["4370"] + "Create special accounts (for assignment of user rights)" : ["5636"] + "Create sub-directory" : ["4371"] + "Create sub-key" : ["4434"] + "Create window" : ["6673"] + "CreateDomain" : ["5379"] + "CreateGlobalGroup" : ["5397"] + "CreateLocalGroup" : ["5398"] + "CreateUser" : ["5396"] + "Credential Validation" : ["14336"] + "Credentials manager" : ["8097"] + "DDE Share Add Items" : ["7432"] + "DDE Share Advise" : ["7429"] + "DDE Share Execute" : ["7431"] + "DDE Share Initiate Link" : ["7427"] + "DDE Share Initiate Static" : ["7426"] + "DDE Share List Items" : ["7433"] + "DDE Share Poke" : ["7430"] + "DDE Share Read" : ["7424"] + "DDE Share Request" : ["7428"] + "DDE Share Write" : ["7425"] + "DELETE" : ["1537"] + "DES" : ["16398","8195"] + "DH group 1" : ["8230"] + "DH group 14" : ["8232"] + "DH group 2" : ["8231"] + "DH group 24" : ["8248"] + "DH group ECP 256" : ["8233"] + "DH group ECP 384" : ["8234"] + "DPAPI Activity" : ["13314"] + "DS Access" : ["8279"] + "Datagram 
Data" : ["14600"] + "Debug Privilege" : ["1620"] + "Decrypt." : ["2484"] + "Default" : ["1846"] + "Default credentials" : ["8096"] + "Delegation" : ["1840"] + "Delete" : ["16385"] + "Delete Child" : ["7681"] + "Delete Key." : ["2482"] + "Delete Tree" : ["7686"] + "Delete key file." : ["2457"] + "DeleteChild" : ["4422"] + "Denied by" : ["1802"] + "Denied by ACE on parent folder" : ["1812"] + "Denied by Empty DACL" : ["1807"] + "Denied by Integrity Policy check" : ["1803"] + "Denied by Process Trust Label ACE" : ["1841"] + "Detailed Directory Service Replication" : ["14083"] + "Detailed File Share" : ["12811"] + "Detailed Tracking" : ["8276"] + "Device Access Bit 0" : ["4352"] + "Device Access Bit 1" : ["4353"] + "Device Access Bit 2" : ["4354"] + "Device Access Bit 3" : ["4355"] + "Device Access Bit 4" : ["4356"] + "Device Access Bit 5" : ["4357"] + "Device Access Bit 6" : ["4358"] + "Device Access Bit 7" : ["4359"] + "Device Access Bit 8" : ["4360"] + "Directly impersonate this thread" : ["4569"] + "Directory Service Access" : ["14080"] + "Directory Service Changes" : ["14081"] + "Directory Service Replication" : ["14082"] + "Disabled" : ["1796"] + "DisallowMmConfig" : ["1847"] + "Distribution Group Management" : ["13827"] + "Domain settings" : ["2487"] + "Domain sid inconsistent." : ["2314"] + "Don't Expire Password' - Disabled" : ["2057"] + "Don't Expire Password' - Enabled" : ["2089"] + "Don't Require Preauth' - Disabled" : ["2064"] + "Don't Require Preauth' - Enabled" : ["2096"] + "Duplicate" : ["4593"] + "Duplicate handle into or out of process" : ["4486"] + "EAP" : ["8247"] + "EAP payload sent" : ["8245"] + "Enable 64(or 32) bit application to open 32 bit key" : ["4441"] + "Enable 64(or 32) bit application to open 64 bit key" : ["4440"] + "Enable WMI Account" : ["16896"] + "Enable/Disable LSA" : ["5642"] + "Enabled" : ["1795","8216"] + "Encrypt." 
: ["2483"] + "Encrypted Text Password Allowed' - Disabled" : ["2059"] + "Encrypted Text Password Allowed' - Enabled" : ["2091"] + "Endpoint Closure" : ["14615"] + "Enumerate dependencies of service" : ["7187"] + "Enumerate desktops" : ["6656"] + "Enumerate printers" : ["6913"] + "Enumerate services" : ["7170"] + "Enumerate sub-keys" : ["4435"] + "EnumerateDomains" : ["5380"] + "Exclude Authorization Information' - Disabled" : ["2067"] + "Exclude Authorization Information' - Enabled" : ["2099"] + "Execute Method" : ["16897"] + "Execute/Traverse" : ["4421"] + "Existing registry value modified" : ["1905"] + "Exit windows" : ["6662"] + "Export of persistent cryptographic key." : ["2464"] + "Extend size" : ["4516"] + "FALSE" : ["1826"] + "FQBN" : ["1821"] + "Failed to unprotect persistent cryptographic key." : ["2448"] + "Failed to zero secret data." : ["2438"] + "Failure Added" : ["8451"] + "Failure exclude added" : ["8459"] + "Failure exclude removed" : ["8458"] + "Failure include added" : ["8457"] + "Failure include removed" : ["8456"] + "Failure removed" : ["8450"] + "File Share" : ["12808"] + "File System" : ["12800"] + "Filtering Platform Connection" : ["12810"] + "Filtering Platform Packet Drop" : ["12809"] + "Filtering Platform Policy Change" : ["13572"] + "Flow Established" : ["14612"] + "Force process termination" : ["4480"] + "Force thread termination" : ["4560"] + "Forward" : ["14598","14594"] + "Fresh credentials" : ["8098"] + "Friday" : ["1925"] + "Full Control" : ["6930"] + "Full Write" : ["16898"] + "Get sensitive policy information" : ["5634"] + "Get thread context" : ["4563"] + "GetLocalGroupMembership" : ["5399"] + "Granted by" : ["1801"] + "Granted by ACE on parent folder" : ["1811"] + "Granted by Central Access Rule" : ["1813"] + "Granted by NULL DACL" : ["1806"] + "Granted by NULL Security Descriptor" : ["1808"] + "Granted by Ownership" : ["1804"] + "Granted by parent folder's Central Access Rule" : ["1815"] + "Group Membership" : ["12554"] + 
"Handle Manipulation" : ["12807"] + "Home Directory Required' - Disabled" : ["2049"] + "Home Directory Required' - Enabled" : ["2081"] + "Hook control" : ["6675"] + "ICMP Echo-Request" : ["14640"] + "ICMP Error" : ["14601"] + "IKE/AuthIP DoS prevention mode started" : ["8214"] + "IKE/AuthIP DoS prevention mode stopped" : ["8215"] + "IKEv1" : ["8222"] + "IKEv2" : ["8244"] + "IP Packet" : ["14596"] + "IPsec Driver" : ["12291"] + "IPsec Extended Mode" : ["12550"] + "IPsec Main Mode" : ["12547"] + "IPsec Quick Mode" : ["12549"] + "Identification" : ["1832"] + "Impersonate" : ["4594"] + "Impersonation" : ["1833"] + "Import of persistent cryptographic key." : ["2465"] + "Inbound" : ["14592"] + "Include this desktop in enumerations" : ["6678"] + "Include this windowstation in enumerations" : ["6664"] + "Increase Memory Quota Privilege" : ["1605"] + "Increment Base Priority Privilege" : ["1614"] + "InitializeServer" : ["5378"] + "Initiator" : ["8205","16406"] + "Interdomain Trust Account' - Disabled" : ["2054"] + "Interdomain Trust Account' - Enabled" : ["2086"] + "Invalid" : ["1827"] + "Issue service-specific control commands" : ["7192"] + "Journal (playback)" : ["6677"] + "Journal (record)" : ["6676"] + "Kerberos" : ["8192"] + "Kerberos Authentication Service" : ["14339"] + "Kerberos Service Ticket Operations" : ["14337"] + "Kernel Object" : ["12802"] + "Key Derivation." : ["2501"] + "Key export checks failed." : ["2449"] + "Key failed pair wise consistency check." 
: ["2439"] + "KeyedEvent Wait" : ["5696"] + "KeyedEvent Wake" : ["5697"] + "List Contents" : ["7682"] + "List Object" : ["7687"] + "ListAccounts" : ["5400"] + "ListGroups" : ["5448"] + "ListMembers" : ["5412","5426"] + "Listen" : ["14609"] + "Load/Unload Driver Privilege" : ["1610"] + "Local computer" : ["8199"] + "Local settings" : ["2488"] + "Lock Memory Privilege" : ["1604"] + "Lock service database for exclusive access" : ["7171"] + "Logoff" : ["12545"] + "Logon" : ["12544"] + "Logon/Logoff" : ["8273"] + "Lookup Names/SIDs" : ["5643"] + "LookupDomain" : ["5381"] + "LookupIDs" : ["5401"] + "MAC 802.3" : ["14602"] + "MAC Native" : ["14603"] + "MAX_ALLOWED" : ["1543"] + "MD5" : ["16392","8197"] + "MNS Logon Account' - Disabled" : ["2053"] + "MNS Logon Account' - Enabled" : ["2085"] + "MPSSVC Rule-Level Policy Change" : ["13571"] + "Machine key." : ["2499"] + "Map section for execute" : ["4515"] + "Map section for read" : ["4514"] + "Map section for write" : ["4513"] + "Modify State" : ["4865"] + "Modify domain trust relationships" : ["5635"] + "Modify event state" : ["4385"] + "Modify semaphore state" : ["4529"] + "Modify timer state" : ["4577"] + "Monday" : ["1921"] + "NOT Granted by Central Access Rule" : ["1814"] + "NOT Granted by parent folder's Central Access Rule" : ["1816"] + "NTLM V2" : ["8225"] + "Network Policy Server" : ["12552"] + "New registry value created" : ["1904"] + "No" : ["14679","1843"] + "No state" : ["8207","8218","8201"] + "Non Sensitive Privilege Use" : ["13057"] + "None" : ["1798","8229"] + "Normal Account' - Disabled" : ["2052"] + "Normal Account' - Enabled" : ["2084"] + "Not Available" : ["1845"] + "Not Available." 
: ["2432"] + "Not Delegated' - Disabled" : ["2062"] + "Not Delegated' - Enabled" : ["2094"] + "Not enabled" : ["8217"] + "Not granted" : ["1805"] + "Not granted due to missing" : ["1810"] + "Not granted to AppContainers" : ["1830"] + "Not persistent" : ["16388"] + "Not used" : ["1601"] + "Notify about changes to keys" : ["4436"] + "Object Access" : ["8274"] + "Off" : ["1848"] + "Open Key." : ["2480"] + "Open key file." : ["2456"] + "Other Account Logon Events" : ["14338"] + "Other Account Management Events" : ["13829"] + "Other Logon/Logoff Events" : ["12551"] + "Other Object Access Events" : ["12804"] + "Other Policy Change Events" : ["13573"] + "Other Privilege Use Events" : ["13058"] + "Other System Events" : ["12292"] + "Outbound" : ["14593"] + "Partial Write" : ["16899"] + "Password Expired' - Disabled" : ["2065"] + "Password Expired' - Enabled" : ["2097"] + "Password Not Required' - Disabled" : ["2050"] + "Password Not Required' - Enabled" : ["2082"] + "Pause or continue the service" : ["7190"] + "Perform virtual memory operation" : ["4483"] + "Permit" : ["16390"] + "Persistent" : ["16387"] + "Plug and Play Events" : ["13316"] + "Policy Change" : ["8277"] + "Port sharing (read)" : ["8064"] + "Port sharing (write)" : ["8065"] + "Preshared key" : ["8193"] + "Print" : ["6931"] + "Privilege Use" : ["8275"] + "Process Creation" : ["13312"] + "Process Termination" : ["13313"] + "Profile Single Process Privilege" : ["1613"] + "Profile System Privilege" : ["1611"] + "Protect Kerberos Service Tickets with AES Keys' - Disabled" : ["2069"] + "Protect Kerberos Service Tickets with AES Keys' - Enabled" : ["2101"] + "Provider Write" : ["16900"] + "Publish" : ["16903"] + "Query" : ["4595"] + "Query Attributes" : ["5138"] + "Query State" : ["4864"] + "Query account information" : ["5680"] + "Query directory" : ["4368"] + "Query event state" : ["4384"] + "Query information from service" : ["7191"] + "Query key value" : ["4432"] + "Query mutant state" : ["4448"] + "Query 
process information" : ["4490"] + "Query secret value" : ["5649"] + "Query section state" : ["4512"] + "Query semaphore state" : ["4528"] + "Query service configuration information" : ["7184"] + "Query service database lock state" : ["7172"] + "Query status of service" : ["7186"] + "Query the Posix ID offset assigned to the trusted domain" : ["5667"] + "Query thread information" : ["4566"] + "Query timer state" : ["4576"] + "Query trusted domain name/SID" : ["5664"] + "QuerySource" : ["4596"] + "READ_CONTROL" : ["1538"] + "REG_BINARY" : ["1875"] + "REG_DWORD" : ["1876"] + "REG_DWORD_BIG_ENDIAN" : ["1877"] + "REG_EXPAND_SZ" : ["1874"] + "REG_FULL_RESOURCE_DESCRIPTOR" : ["1881"] + "REG_LINK" : ["1878"] + "REG_MULTI_SZ (New lines are replaced with *. A * is replaced with **)" : ["1879"] + "REG_NONE" : ["1872"] + "REG_QWORD" : ["1883"] + "REG_RESOURCE_LIST" : ["1880"] + "REG_RESOURCE_REQUIREMENTS_LIST" : ["1882"] + "REG_SZ" : ["1873"] + "RPC Events" : ["13315"] + "Random number generation failed FIPS-140 pre-hash check." : ["2437"] + "Random number generator failure." : ["2436"] + "Read Objects" : ["6672"] + "Read Property" : ["7684"] + "Read attributes" : ["6657"] + "Read from process memory" : ["4484"] + "Read persisted key from file." : ["2458"] + "Read screen" : ["6665"] + "ReadAccount" : ["5444"] + "ReadAttributes" : ["4423"] + "ReadData (or ListDirectory)" : ["4416"] + "ReadEA" : ["4419"] + "ReadGeneralInformation" : ["5440"] + "ReadGroupMembership" : ["5449"] + "ReadInformation" : ["5427","5408"] + "ReadLogon" : ["5443"] + "ReadOtherParameters" : ["5394"] + "ReadPasswordParameters" : ["5392"] + "ReadPreferences" : ["5441"] + "Receive/Accept" : ["14610"] + "Registry" : ["12801"] + "Registry value deleted" : ["1906"] + "Remote Access" : ["16901"] + "Remote computer" : ["8200"] + "Remotely Shut System Down Privilege" : ["1624"] + "Removable Storage" : ["12812"] + "Remove context." : ["2492"] + "Remove function property." : ["2498"] + "Remove function provider." 
: ["2496"] + "Remove function." : ["2494"] + "Remove provider." : ["2490"] + "RemoveMember" : ["5425","5411"] + "Resource Assignment" : ["14608"] + "Resource Release" : ["14614"] + "Responder" : ["16405","8206"] + "Restore From Backup Privilege" : ["1618"] + "Retrieve the controllers in the trusted domain" : ["5665"] + "SAM" : ["12803"] + "SHA 256" : ["8242"] + "SHA 384" : ["8243"] + "SHA-1" : ["16393"] + "SHA-256" : ["16394"] + "SHA1" : ["8198"] + "SSL" : ["8228"] + "SSL ECDSA P256" : ["8240"] + "SSL ECDSA P384" : ["8241"] + "SYNCHRONIZE" : ["1541"] + "Saturday" : ["1926"] + "Secret agreement." : ["2486"] + "Security Group Management" : ["13826"] + "Security Privilege" : ["1608"] + "Security State Change" : ["12288"] + "Security System Extension" : ["12289"] + "Send an alert to thread" : ["4562"] + "Sensitive Privilege Use" : ["13056"] + "Sent final payload" : ["8209"] + "Sent first (EM attributes) payload" : ["8219"] + "Sent first (SA) payload" : ["8208","8202"] + "Sent second (KE) payload" : ["8203"] + "Sent second (SSPI) payload" : ["8220"] + "Sent third (ID) payload" : ["8204"] + "Sent third (hash) payload" : ["8221"] + "Server Trust Account' - Disabled" : ["2056"] + "Server Trust Account' - Enabled" : ["2088"] + "Set Attributes" : ["5137"] + "Set Security Attributes" : ["5140"] + "Set System Time Privilege" : ["1612"] + "Set default quota limits" : ["5639"] + "Set key value" : ["4433"] + "Set last-known-good state of service database" : ["7173"] + "Set process information" : ["4489"] + "Set process quotas" : ["4488"] + "Set process session ID" : ["4482"] + "Set process termination port" : ["4491"] + "Set service configuration information" : ["7185"] + "Set thread context" : ["4564"] + "Set thread information" : ["4565"] + "SetPassword (without knowledge of old password)" : ["5447"] + "Shutdown System Privilege" : ["1619"] + "ShutdownServer" : ["5377"] + "Sid" : ["1823"] + "Sign hash." : ["2485"] + "Signature verification failed." 
: ["2451"] + "Smartcard Required' - Disabled" : ["2060"] + "Smartcard Required' - Enabled" : ["2092"] + "Smartcard logon is required and was not used." : ["2315"] + "Special Logon" : ["12548"] + "Start the service" : ["7188"] + "Stop the service" : ["7189"] + "Stream" : ["14599"] + "Stream Packet" : ["14624"] + "String" : ["1818"] + "Subscribe" : ["16902"] + "Success Added" : ["8449"] + "Success exclude added" : ["8455"] + "Success exclude removed" : ["8454"] + "Success include added" : ["8453"] + "Success include removed" : ["8452"] + "Success removed" : ["8448"] + "Sunday" : ["1920"] + "Suspend or resume thread" : ["4561"] + "Switch to this desktop" : ["6680"] + "System" : ["1844","8272"] + "System Integrity" : ["12290"] + "TRUE" : ["1825"] + "Take Ownership Privilege" : ["1609"] + "Temp Duplicate Account' - Disabled" : ["2051"] + "Temp Duplicate Account' - Enabled" : ["2083"] + "Terminate Job" : ["5139"] + "The NetLogon component is not active." : ["2306"] + "The specified account's password has expired." : ["2309"] + "The specified user account has expired." : ["2305"] + "The user has not been granted the requested logon type at this machine." 
: ["2308"] + "Thursday" : ["1924"] + "Token Right Adjusted Events" : ["13317"] + "TokenElevationTypeDefault (1)" : ["1936"] + "TokenElevationTypeFull (2)" : ["1937"] + "TokenElevationTypeLimited (3)" : ["1938"] + "Transport" : ["14597","16403","8212"] + "Traverse" : ["4369"] + "Trusted Computer Base Privilege" : ["1607"] + "Trusted For Delegation' - Disabled" : ["2061"] + "Trusted For Delegation' - Enabled" : ["2093"] + "Trusted To Authenticate For Delegation' - Disabled" : ["2066"] + "Trusted To Authenticate For Delegation' - Enabled" : ["2098"] + "Tuesday" : ["1922"] + "Tunnel" : ["16404","8213"] + "Undefined Access (no effect) Bit 1" : ["4609","4545","4497","4465","4449"] + "Undefined Access (no effect) Bit 10" : ["4554","4618","4378","5418","4474","7690","5690","4442","4522","4458","4602","5658","5434","5146","5706","4426","5386","4362","4538","4570","4586","5674","4506","4394","5130"] + "Undefined Access (no effect) Bit 11" : ["4587","5435","5691","5675","4603","4379","5451","5387","5707","4619","7691","4395","4459","4427","4571","4363","4539","5403","4443","5147","4523","5131","4475","4555","4507","5419","5659"] + "Undefined Access (no effect) Bit 12" : ["5660","4364","4620","5708","4540","4428","4524","5148","5420","4508","5404","5452","4380","4460","4604","5436","4492","4396","4556","7692","5676","4588","4476","4572","4444","5132","5692","5388"] + "Undefined Access (no effect) Bit 13" : ["5149","5437","4477","5389","4525","4557","5421","4605","4541","4461","5677","5693","4509","4621","4589","4381","5405","4429","4445","4573","5661","4397","5709","4365","5453","7693","4493","5133"] + "Undefined Access (no effect) Bit 14" : ["4510","4366","4606","4462","4558","5694","4446","5710","5390","5438","4478","4398","4382","4590","5150","5454","5134","5678","7694","5662","4526","4622","5422","4574","4542","4494","4430","5406"] + "Undefined Access (no effect) Bit 15" : 
["4399","5679","4447","5391","5407","5135","4559","4591","5663","5439","4511","4431","4495","5151","4607","7695","4623","4575","4543","4479","5455","4367","4383","5695","5423","5711","4527","4463"] + "Undefined Access (no effect) Bit 2" : ["4450","4498","4466","5698","4386","5650","4610","4578","4530","4546"] + "Undefined Access (no effect) Bit 3" : ["4451","5699","4579","5651","4467","4387","4547","4611","4531","4499"] + "Undefined Access (no effect) Bit 4" : ["4372","5652","5124","4468","4580","4548","4500","4452","4532","5700","4612","4388"] + "Undefined Access (no effect) Bit 5" : ["5669","5701","5653","4517","4453","4469","4501","5125","4549","4533","4581","5429","5685","4373","5413","4389","4613","5141"] + "Undefined Access (no effect) Bit 6" : ["5654","4534","4502","4390","5414","5382","4550","4582","4518","4614","4438","4454","4374","5126","4470","5430","5702","5670","5686","5142"] + "Undefined Access (no effect) Bit 7" : ["4519","4455","5143","4375","5703","4471","5383","5415","4391","5687","5431","5655","4551","5127","4503","4439","5671","279","4535","4615"] + "Undefined Access (no effect) Bit 8" : ["5144","4376","5656","4552","4472","4504","4456","5128","4392","4616","4536","4584","4520","5432","5384","5672","5416","5704","5688"] + "Undefined Access (no effect) Bit 9" : ["5433","5145","4361","4457","4601","4537","4585","4393","4521","5657","5673","4553","7689","5385","4425","4505","4377","5689","5417","5705","4617","5129","4473"] + "Undefined UserAccountControl Bit 20' - Disabled" : ["2068"] + "Undefined UserAccountControl Bit 20' - Enabled" : ["2100"] + "Undefined UserAccountControl Bit 22' - Disabled" : ["2070"] + "Undefined UserAccountControl Bit 22' - Enabled" : ["2102"] + "Undefined UserAccountControl Bit 23' - Disabled" : ["2071"] + "Undefined UserAccountControl Bit 23' - Enabled" : ["2103"] + "Undefined UserAccountControl Bit 24' - Disabled" : ["2072"] + "Undefined UserAccountControl Bit 24' - Enabled" : ["2104"] + "Undefined UserAccountControl 
Bit 25' - Disabled" : ["2073"] + "Undefined UserAccountControl Bit 25' - Enabled" : ["2105"] + "Undefined UserAccountControl Bit 26' - Disabled" : ["2074"] + "Undefined UserAccountControl Bit 26' - Enabled" : ["2106"] + "Undefined UserAccountControl Bit 27' - Disabled" : ["2075"] + "Undefined UserAccountControl Bit 27' - Enabled" : ["2107"] + "Undefined UserAccountControl Bit 28' - Disabled" : ["2076"] + "Undefined UserAccountControl Bit 28' - Enabled" : ["2108"] + "Undefined UserAccountControl Bit 29' - Disabled" : ["2077"] + "Undefined UserAccountControl Bit 29' - Enabled" : ["2109"] + "Undefined UserAccountControl Bit 30' - Disabled" : ["2078"] + "Undefined UserAccountControl Bit 30' - Enabled" : ["2110"] + "Undefined UserAccountControl Bit 31' - Disabled" : ["2079"] + "Undefined UserAccountControl Bit 31' - Enabled" : ["2111"] + "Unknown" : ["8211"] + "Unknown Type" : ["1817"] + "Unknown authentication" : ["8194"] + "Unknown or unchecked" : ["1809"] + "Unknown specific access (bit 0)" : ["1552"] + "Unknown specific access (bit 1)" : ["1553"] + "Unknown specific access (bit 10)" : ["1562"] + "Unknown specific access (bit 11)" : ["1563"] + "Unknown specific access (bit 12)" : ["1564"] + "Unknown specific access (bit 13)" : ["1565"] + "Unknown specific access (bit 14)" : ["1566"] + "Unknown specific access (bit 15)" : ["1567"] + "Unknown specific access (bit 2)" : ["1554"] + "Unknown specific access (bit 3)" : ["1555"] + "Unknown specific access (bit 4)" : ["1556"] + "Unknown specific access (bit 5)" : ["1557"] + "Unknown specific access (bit 6)" : ["1558"] + "Unknown specific access (bit 7)" : ["1559"] + "Unknown specific access (bit 8)" : ["1560"] + "Unknown specific access (bit 9)" : ["1561"] + "Unknown user name or bad password." 
: ["2313"] + "Unsigned 64-bit Integer" : ["1819"] + "Unsolicited Input Privilege" : ["1606"] + "Unused Access Flag" : ["6663"] + "Unused message ID" : ["1536"] + "Use DES Key Only' - Disabled" : ["2063"] + "Use DES Key Only' - Enabled" : ["2095"] + "Use symbolic link" : ["4544"] + "User / Device Claims" : ["12553"] + "User Account Management" : ["13824"] + "User key." : ["2500"] + "User not allowed to logon at this computer." : ["2312"] + "Validation of public key failed." : ["2450"] + "Value Added" : ["14674"] + "Value Added With Expiration Time" : ["14680"] + "Value Auto Deleted With Expiration Time" : ["14688"] + "Value Deleted" : ["14675"] + "Value Deleted With Expiration Time" : ["14681"] + "View non-sensitive policy information" : ["5632"] + "View or Change Audit Log Privilege" : ["1621"] + "View system audit requirements" : ["5633"] + "WRITE_DAC" : ["1539"] + "WRITE_OWNER" : ["1540"] + "Wednesday" : ["1923"] + "Workstation Trust Account' - Disabled" : ["2055"] + "Workstation Trust Account' - Enabled" : ["2087"] + "Write Property" : ["7685"] + "Write Self" : ["7683"] + "Write attributes" : ["6660"] + "Write objects" : ["6679"] + "Write persisted key to file." 
: ["2459"]
+ "Write to process memory" : ["4485"]
+ "WriteAccount" : ["5409","5445","5428"]
+ "WriteAttributes" : ["4424"]
+ "WriteData (or AddFile)" : ["4417"]
+ "WriteEA" : ["4420"]
+ "WriteOtherParameters" : ["5395"]
+ "WritePasswordParameters" : ["5393"]
+ "WritePreferences" : ["5442"]
+ "Yes" : ["1842","14678"]
+ "[NULL]" : ["14673"]
+ "a Security Descriptor too long to display" : ["1829"]
+ "an ACE too long to display" : ["1828"]
+ "vSwitch" : ["14604"]
+ "vSwitch Egress" : ["14642"]
+ "vSwitch Ingress" : ["14641"]
+ AccessMaskDescriptions:
+ "0x00000001": Create Child
+ "0x00000002": Delete Child
+ "0x00000004": List Contents
+ "0x00000008": SELF
+ "0x00000010": Read Property
+ "0x00000020": Write Property
+ "0x00000040": Delete Treee
+ "0x00000080": List Object
+ "0x00000100": Control Access
+ "0x00010000": DELETE
+ "0x00020000": READ_CONTROL
+ "0x00040000": WRITE_DAC
+ "0x00080000": WRITE_OWNER
+ "0x00100000": SYNCHRONIZE
+ "0x00F00000": STANDARD_RIGHTS_REQUIRED
+ "0x001F0000": STANDARD_RIGHTS_ALL
+ "0x0000FFFF": SPECIFIC_RIGHTS_ALL
+ "0x01000000": ADS_RIGHT_ACCESS_SYSTEM_SECURITY
+ "0x10000000": ADS_RIGHT_GENERIC_ALL
+ "0x20000000": ADS_RIGHT_GENERIC_EXECUTE
+ "0x40000000": ADS_RIGHT_GENERIC_WRITE
+ "0x80000000": ADS_RIGHT_GENERIC_READ
+ source: |-
+ def split(String s) {
+ def f = new ArrayList();
+ int last = 0;
+ for (; last < s.length() && Character.isWhitespace(s.charAt(last)); last++) {}
+ for (def i = last; i < s.length(); i++) {
+ if (!Character.isWhitespace(s.charAt(i))) {
+ continue;
+ }
+ f.add(s.substring(last, i));
+ for (; i < s.length() && Character.isWhitespace(s.charAt(i)); i++) {}
+ last = i;
+ }
+ f.add(s.substring(last));
+ return f;
+ }
+ if (ctx.winlog?.event_data?.FailureReason != null) {
+ def code = ctx.winlog.event_data.FailureReason.replace("%%","");
+ def desc = params.descriptions[code];
+ if (desc == null) {
+ desc = code;
+ }
+ if (desc != null) {
+ if (ctx.winlog?.logon == null ) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("logon", hm);
+ }
+ if (ctx.winlog?.logon?.failure == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.logon.put("failure", hm);
+ }
+ ctx.winlog.logon.failure.put("reason", desc);
+ }
+ }
+ if (ctx.winlog?.event_data?.AuditPolicyChanges != null) {
+ ArrayList results = new ArrayList();
+ for (elem in ctx.winlog.event_data.AuditPolicyChanges.splitOnToken(",")) {
+ def code = elem.replace("%%","").trim();
+ if (params.descriptions.containsKey(code)) {
+ results.add(params.descriptions[code]);
+ } else {
+ results.add(code);
+ }
+ }
+ if (results.length > 0) {
+ ctx.winlog.event_data.put("AuditPolicyChangesDescription", results);
+ }
+ }
+ if (ctx.winlog?.event_data?.AccessList != null) {
+ ArrayList codes = new ArrayList();
+ ArrayList results = new ArrayList();
+ for (elem in split(ctx.winlog.event_data.AccessList)) {
+ def code = elem.replace("%%","").trim();
+ if (code != "") {
+ codes.add(code);
+ }
+ if (params.descriptions.containsKey(code)) {
+ results.add(params.descriptions[code]);
+ } else {
+ results.add(code);
+ }
+ }
+ if (codes.length > 0) {
+ ctx.winlog.event_data.AccessList = codes;
+ }
+ if (results.length > 0) {
+ ctx.winlog.event_data.put("AccessListDescription", results);
+ }
+ }
+ if (ctx.winlog?.event_data?.Direction != null) {
+ def code = ctx.winlog.event_data.Direction.replace("%%","").trim();
+ if (params.descriptions.containsKey(code)) {
+ ctx.winlog.event_data.put("DirectionDescription", params.descriptions[code]);
+ }
+ }
+ if (ctx.winlog?.event_data?.LayerName != null) {
+ def code = ctx.winlog.event_data.LayerName.replace("%%","").trim();
+ if (params.descriptions.containsKey(code)) {
+ ctx.winlog.event_data.put("LayerNameDescription", params.descriptions[code]);
+ }
+ }
+ if (ctx.winlog?.event_data?.AccessMask != null) {
+ ArrayList list = new ArrayList();
+ long accessMask;
+ for (elem in split(ctx.winlog.event_data.AccessMask)) {
+ if (elem.length() == 0) {
+ continue;
+ }
+ def code = elem.replace("%%","").trim();
+ if (params.descriptions.containsKey(code)) {
+ list.add(params.descriptions[code]);
+ } else {
+ list.add(code);
+ if (params.reversed_descriptions.containsKey(code))
+ code = params.reversed_descriptions[code][0];
+ }
+ try {
+ def longCode = Long.decode(code).longValue();
+ accessMask |= longCode;
+ } catch (Exception e) {}
+ }
+ if (list.length > 0) {
+ ctx.winlog.event_data.put("AccessMask", list);
+ }
+
+ ArrayList desc = new ArrayList();
+ def[] w = new def[] { null };
+ for (long b = 0; b < 32; b++) {
+ long flag = 1L << b;
+ if ((accessMask & flag) == flag) {
+ w[0] = flag;
+ def fDesc = params.AccessMaskDescriptions[String.format("0x%08X", w)];
+ if (fDesc != null) {
+ desc.add(fDesc);
+ }
+ }
+ }
+ if (desc.length > 0) {
+ ctx.winlog.event_data.put("AccessMaskDescription", desc);
+ }
+ ArrayList results = new ArrayList();
+ }
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: 4625 and 4776 Set Status and SubStatus
+ description: 4625 and 4776 Set Status and SubStatus
+ # Descriptions of failure status codes.
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
+ params:
+ "0xc000005e": "There are currently no logon servers available to service the logon request."
+ "0xc0000064": "User logon with misspelled or bad user account"
+ "0xc000006a": "User logon with misspelled or bad password"
+ "0xc000006d": "This is either due to a bad username or authentication information"
+ "0xc000006e": "Unknown user name or bad password."
+ "0xc000006f": "User logon outside authorized hours"
+ "0xc0000070": "User logon from unauthorized workstation"
+ "0xc0000071": "User logon with expired password"
+ "0xc0000072": "User logon to account disabled by administrator"
+ "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation."
+ "0xc0000133": "Clocks between DC and other computer too far out of sync"
+ "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine"
+ "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed."
+ "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started."
+ "0xc0000193": "User logon with expired account"
+ "0xc0000224": "User is required to change password at next logon"
+ "0xc0000225": "Evidently a bug in Windows and not a risk"
+ "0xc0000234": "User logon with account locked"
+ "0xc00002ee": "Failure Reason: An Error occurred during Logon"
+ "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine."
+ "0xc0000371": "The local account store does not contain secret material for the specified account"
+ "0x0": "Status OK."
+ source: |-
+ if (ctx.winlog?.event_data?.Status == null ||
+ ctx.event?.code == null ||
+ !["4625", "4776"].contains(ctx.event.code)) {
+ return;
+ }
+ if (params.containsKey(ctx.winlog.event_data.Status)) {
+ if (ctx.winlog?.logon == null ) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("logon", hm);
+ }
+ if (ctx.winlog?.logon?.failure == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.logon.put("failure", hm);
+ }
+ ctx.winlog.logon.failure.put("status", params[ctx.winlog.event_data.Status]);
+ }
+ if (ctx.winlog?.event_data?.SubStatus == null || !params.containsKey(ctx.winlog.event_data.SubStatus)) {
+ return;
+ }
+ if (ctx.winlog?.logon == null ) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("logon", hm);
+ }
+ if (ctx.winlog?.logon?.failure == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.logon.put("failure", hm);
+ }
+ ctx.winlog.logon.failure.put("sub_status", params[ctx.winlog.event_data.SubStatus]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set 
Trust Type
+ description: Set Trust Type
+ # Trust Types
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
+ params:
+ "1": "TRUST_TYPE_DOWNLEVEL"
+ "2": "TRUST_TYPE_UPLEVEL"
+ "3": "TRUST_TYPE_MIT"
+ "4": "TRUST_TYPE_DCE"
+ source: |-
+ if (ctx.winlog?.event_data?.TdoType == null) {
+ return;
+ }
+ if (!params.containsKey(ctx.winlog.event_data.TdoType)) {
+ return;
+ }
+ ctx.winlog.put("trustType", params[ctx.winlog.event_data.TdoType]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Trust Direction
+ description: Set Trust Direction
+ # Trust Direction
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
+ params:
+ "0": "TRUST_DIRECTION_DISABLED"
+ "1": "TRUST_DIRECTION_INBOUND"
+ "2": "TRUST_DIRECTION_OUTBOUND"
+ "3": "TRUST_DIRECTION_BIDIRECTIONAL"
+ source: |-
+ if (ctx.winlog?.event_data?.TdoDirection == null) {
+ return;
+ }
+ if (!params.containsKey(ctx.winlog.event_data.TdoDirection)) {
+ return;
+ }
+ ctx.winlog.put("trustDirection", params[ctx.winlog.event_data.TdoDirection]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Trust Attributes
+ description: Set Trust Attributes
+ # Trust Attributes
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
+ params:
+ "0": "UNDEFINED"
+ "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE"
+ "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY"
+ "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN"
+ "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE"
+ "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION"
+ "32": "TRUST_ATTRIBUTE_WITHIN_FOREST"
+ "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL"
+ "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION"
+ "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION"
+ "1024": "TRUST_ATTRIBUTE_PIM_TRUST"
+ source: |-
+ if (ctx.winlog?.event_data?.TdoAttributes == null) {
+ return;
+ }
+ if (!params.containsKey(ctx.winlog.event_data.TdoAttributes)) {
+ return;
+ }
+ 
ctx.winlog.put("trustAttribute", params[ctx.winlog.event_data.TdoAttributes]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Add Session Events
+ description: Add Session Events
+ source: |-
+ if (ctx.event?.code == null ||
+ !["4778", "4779"].contains(ctx.event.code)) {
+ return;
+ }
+ //AccountName to user.name and related.user
+ if (ctx.winlog?.event_data?.AccountName != null) {
+ if (ctx.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ ctx.user.put("name", ctx.winlog.event_data.AccountName);
+ if (!ctx.related.user.contains(ctx.winlog.event_data.AccountName)) {
+ ctx.related.user.add(ctx.winlog.event_data.AccountName);
+ }
+ }
+
+ //AccountDomain to user.domain
+ if (ctx.winlog?.event_data?.AccountDomain != null) {
+ if (ctx.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ ctx.user.put("domain", ctx.winlog.event_data.AccountDomain);
+ }
+
+ //ClientAddress to source.ip and related.ip
+ if (ctx.winlog?.event_data?.ClientAddress != null &&
+ ctx.winlog.event_data.ClientAddress != "-" &&
+ ctx.winlog.event_data.ClientAddress != "Unknown") {
+ // Correct invalid IP address "LOCAL"
+ if (ctx?.winlog?.event_data?.ClientAddress == "LOCAL") {
+ ctx.winlog.event_data.ClientAddress="127.0.0.1";
+ }
+ if (ctx.source == null) {
+ HashMap hm = new HashMap();
+ ctx.put("source", hm);
+ }
+ if (ctx.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx.related?.ip == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("ip", al);
+ }
+ ctx.source.put("ip", ctx.winlog.event_data.ClientAddress);
+ if (!ctx.related.ip.contains(ctx.winlog.event_data.ClientAddress)) {
+ ctx.related.ip.add(ctx.winlog.event_data.ClientAddress);
+ }
+ }
+
+ //ClientName to source.domain
+ if 
(ctx.winlog?.event_data?.ClientName != null) {
+ if (ctx.source == null) {
+ HashMap hm = new HashMap();
+ ctx.put("source", hm);
+ }
+ ctx.source.put("domain", ctx.winlog.event_data.ClientName);
+ }
+
+ //LogonID to winlog.logon.id
+ if (ctx.winlog?.event_data?.LogonID != null) {
+ if (ctx.winlog?.logon == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("logon", hm);
+ }
+ ctx.winlog.logon.put("id", ctx.winlog.event_data.LogonID);
+ }
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Target User
+ description: Copy Target User
+ source: |-
+ if (ctx.event?.code == null ||
+ !["4624", "4625", "4634", "4647", "4648", "4768", "4769", "4770",
+ "4771", "4776", "4964"].contains(ctx.event.code)) {
+ return;
+ }
+
+ def targetUserId = ctx.winlog?.event_data?.TargetUserSid;
+ if (targetUserId == null) {
+ targetUserId = ctx.winlog?.event_data?.TargetSid;
+ }
+
+ //TargetUserSid to user.id or user.target.id
+ if (targetUserId != null) {
+ if (ctx.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx.user?.id == null) {
+ ctx.user.put("id", targetUserId);
+ } else {
+ if (ctx.user?.target == null) {
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ ctx.user.target.put("id", targetUserId);
+ }
+ }
+
+ //TargetUserName to related.user and user.name or user.target.name
+ if (ctx.winlog?.event_data?.TargetUserName != null) {
+ def tun = ctx.winlog.event_data.TargetUserName.splitOnToken("@");
+ if (ctx.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx.user?.name == null) {
+ ctx.user.put("name", tun[0]);
+ } else {
+ if (ctx.user?.target == null) {
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ ctx.user.target.put("name", tun[0]);
+ }
+ if (ctx.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if 
(!ctx.related.user.contains(tun[0])) { + ctx.related.user.add(tun[0]); + } + } + //TargetUserDomain to user.domain or user.target.domain + if (ctx.winlog?.event_data?.TargetDomainName != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx.user?.domain == null) { + ctx.user.put("domain", ctx.winlog.event_data.TargetDomainName); + } else { + if (ctx.user?.target == null){ + HashMap hm = new HashMap(); + ctx.user.put("target", hm); + } + ctx.user.target.put("domain", ctx.winlog.event_data.TargetDomainName); + } + } +# split member name into parts based on comma ignoring escaped commas +# https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/distinguished-names + - split: + if: ctx.winlog?.event_data?.MemberName != null + field: winlog.event_data.MemberName + target_field: _temp.MemberNameParts + separator: "(?= 4) { + def domain = memberNameParts[3].replace("DC=", "").replace("dc=", ""); + ctx.user.target.put("domain", domain); + } + } + if (ctx.winlog?.event_data?.TargetUserSid != null) { + if (ctx.group == null) { + HashMap hm = new HashMap(); + ctx.put("group", hm); + } + ctx.group.put("id", ctx.winlog.event_data.TargetUserSid); + } + if (ctx.winlog?.event_data?.TargetSid != null) { + if (ctx.group == null) { + HashMap hm = new HashMap(); + ctx.put("group", hm); + } + ctx.group.put("id", ctx.winlog.event_data.TargetSid); + } + if (ctx.winlog?.event_data?.TargetUserName != null) { + if (ctx.group == null) { + HashMap hm = new HashMap(); + ctx.put("group", hm); + } + ctx.group.put("name", ctx.winlog.event_data.TargetUserName); + } + if (ctx.winlog?.event_data?.TargetDomainName != null) { + if (ctx.group == null) { + HashMap hm = new HashMap(); + ctx.put("group", hm); + } + def domain = ctx.winlog.event_data.TargetDomainName.replace("DC=", "").replace("dc=", ""); + ctx.group.put("domain", domain); + } + if (ctx.user?.target != null) { + if (ctx.user?.target?.group == null) { + HashMap hm = new 
HashMap();
+ ctx.user.target.put("group", hm);
+ }
+ if (ctx.group?.id != null) {
+ ctx.user.target.group.put("id", ctx.group.id);
+ }
+ if (ctx.group?.name != null) {
+ ctx.user.target.group.put("name", ctx.group.name);
+ }
+ if (ctx.group?.domain != null) {
+ ctx.user.target.group.put("domain", ctx.group.domain);
+ }
+ }
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Target User to Computer Object
+ description: Copy Target User to Computer Object
+ source: |-
+ if (ctx.event?.code == null ||
+ !["4741", "4742", "4743"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx.winlog?.event_data?.TargetSid != null) {
+ if (ctx.winlog?.computerObject == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("computerObject", hm);
+ }
+ ctx.winlog.computerObject.put("id", ctx.winlog.event_data.TargetSid);
+ }
+ if (ctx.winlog?.event_data?.TargetUserName != null) {
+ if (ctx.winlog?.computerObject == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("computerObject", hm);
+ }
+ ctx.winlog.computerObject.put("name", ctx.winlog.event_data.TargetUserName);
+ }
+ if (ctx.winlog?.event_data?.TargetDomainName != null) {
+ if (ctx.winlog?.computerObject == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("computerObject", hm);
+ }
+ ctx.winlog.computerObject.put("domain", ctx.winlog.event_data.TargetDomainName);
+ }
+
+ - set:
+ field: winlog.logon.id
+ copy_from: winlog.event_data.TargetLogonId
+ ignore_failure: false
+ if: ctx.event?.code != null && ["4634", "4647", "4964"].contains(ctx.event.code)
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Subject User from Event Data
+ description: Copy Subject User from Event Data
+ source: |-
+ if (ctx.event?.code == null ||
+ !["4648", "4657", "4662", "4670", "4672", "4673", "4674", "4688", "4689", "4697",
+ "4698", "4699", "4700", "4701", "4702", "4706", "4707", "4713", "4716", "4717",
+ "4718", "4719", "4720", "4722", "4723", "4724", "4725", "4726", "4727", "4728",
+ "4729", "4730", 
"4731", "4732", "4733", "4734", "4735", "4737", "4738", "4739",
+ "4740", "4741", "4742", "4743", "4744", "4745", "4746", "4747", "4748", "4749",
+ "4750", "4751", "4752", "4753", "4754", "4755", "4756", "4757", "4758", "4759",
+ "4760", "4761", "4762", "4763", "4764", "4767", "4781", "4797", "4798", "4799",
+ "4817", "4904", "4905", "4907", "4912", "5136", "5140", "5145", "5379", "5380",
+ "5381", "5382"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx.winlog?.event_data?.SubjectUserSid != null) {
+ if (ctx.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ ctx.user.put("id", ctx.winlog.event_data.SubjectUserSid);
+ }
+ if (ctx.winlog?.event_data?.SubjectUserName != null) {
+ if (ctx.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ ctx.user.put("name", ctx.winlog.event_data.SubjectUserName);
+ if (!ctx.related.user.contains(ctx.winlog.event_data.SubjectUserName)) {
+ ctx.related.user.add(ctx.winlog.event_data.SubjectUserName);
+ }
+ }
+ if (ctx.winlog?.event_data?.SubjectDomainName != null) {
+ if (ctx.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ ctx.user.put("domain", ctx.winlog.event_data.SubjectDomainName);
+ }
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Target User to Target
+ description: Copy Target User to Target
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4670", "4720", "4722", "4723", "4724", "4725",
+ "4726", "4738", "4740", "4767", "4798", "4817",
+ "4907", "4797"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.target == null) {
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ def userId = ctx?.winlog?.event_data?.TargetSid;
+ if (userId != 
null && userId != "" && userId != "-") ctx.user.target.id = userId;
+ def userName = ctx?.winlog?.event_data?.TargetUserName;
+ if (userName != null && userName != "" && userName != "-") {
+ ctx.user.target.name = userName;
+ def parts = userName.splitOnToken("@");
+ if (parts.length > 1) {
+ ctx.user.target.name = parts[0];
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (!ctx.related.user.contains(ctx.user.target.name)) {
+ ctx.related.user.add(ctx.user.target.name);
+ }
+ }
+ def userDomain = ctx?.winlog?.event_data?.TargetDomainName;
+ if (userDomain != null && userDomain != "" && userDomain != "-") ctx.user.target.domain = userDomain;
+ if (ctx.user?.target != null && ctx.user.target.size() == 0) ctx.user.remove("target");
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Target User to Effective
+ description: Copy Target User to Effective
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4648", "4688"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.effective == null) {
+ HashMap hm = new HashMap();
+ ctx.user.put("effective", hm);
+ }
+ def userId = ctx?.winlog?.event_data?.TargetUserSid;
+ if (userId != null && userId != "" && userId != "-") ctx.user.effective.id = userId;
+ def userName = ctx?.winlog?.event_data?.TargetUserName;
+ if (userName != null && userName != "" && userName != "-") {
+ ctx.user.effective.name = userName;
+ def parts = userName.splitOnToken("@");
+ if (parts.length > 1) {
+ ctx.user.effective.name = parts[0];
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (!ctx.related.user.contains(ctx.user.effective.name)) {
+ ctx.related.user.add(ctx.user.effective.name);
+ }
+ }
+ def userDomain = ctx?.winlog?.event_data?.TargetDomainName;
+ if (userDomain != null && userDomain != "" && userDomain != 
"-") ctx.user.effective.domain = userDomain;
+ if (ctx.user?.effective != null && ctx.user.effective.size() == 0) ctx.user.remove("effective");
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Subject User from user_data
+ description: Copy Subject User from user_data
+ source: |-
+ if (ctx.event?.code == null ||
+ !["1102"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx.winlog?.user_data?.SubjectUserSid != null) {
+ if (ctx.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ ctx.user.put("id", ctx.winlog.user_data.SubjectUserSid);
+ }
+ if (ctx.winlog?.user_data?.SubjectUserName != null) {
+ if (ctx.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ ctx.user.put("name", ctx.winlog.user_data.SubjectUserName);
+ if (!ctx.related.user.contains(ctx.winlog.user_data.SubjectUserName)) {
+ ctx.related.user.add(ctx.winlog.user_data.SubjectUserName);
+ }
+ }
+ if (ctx.winlog?.user_data?.SubjectDomainName != null) {
+ if (ctx.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ ctx.user.put("domain", ctx.winlog.user_data.SubjectDomainName);
+ }
+
+ - set:
+ field: winlog.logon.id
+ copy_from: winlog.event_data.SubjectLogonId
+ ignore_failure: true
+
+ - set:
+ field: winlog.logon.id
+ copy_from: winlog.user_data.SubjectLogonId
+ ignore_failure: true
+ if: |-
+ ctx.event?.code != null &&
+ ["1102"].contains(ctx.event.code)
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Rename Common Auth Fields
+ description: Rename Common Auth Fields
+ source: |-
+ if (ctx.event?.code == null ||
+ !["1100", "1102", "1104", "1105", "1108", "4624", "4648", "4625",
+ "4670", "4673", "4674", "4689", "4697", "4719", "4720", "4722",
+ "4723", "4724", "4725", "4726", "4727", "4728", "4729", "4730",
+ 
"4731", "4732", "4733", "4734", "4735", "4737", "4738", "4740",
+ "4741", "4742", "4743", "4744", "4745", "4746", "4747", "4748",
+ "4749", "4750", "4751", "4752", "4753", "4754", "4755", "4756",
+ "4757", "4758", "4759", "4760", "4761", "4762", "4763", "4764",
+ "4767", "4768", "4769", "4770", "4771", "4798", "4799", "4817",
+ "4904", "4905", "4907", "4912", "5140", "5145"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx.winlog?.event_data?.ProcessId != null) {
+ if (ctx.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ if (ctx.winlog.event_data.ProcessId instanceof String) {
+ Long pid = Long.decode(ctx.winlog.event_data.ProcessId);
+ ctx.process.put("pid", pid.longValue());
+ } else {
+ ctx.process.put("pid", ctx.winlog.event_data.ProcessId);
+ }
+ ctx.winlog.event_data.remove("ProcessId");
+ }
+ if (ctx.winlog?.event_data?.ProcessName != null) {
+ if (ctx.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ ctx.process.put("executable", ctx.winlog.event_data.ProcessName);
+ ctx.winlog.event_data.remove("ProcessName");
+ }
+ if (ctx.winlog?.event_data?.IpAddress != null &&
+ ctx.winlog.event_data.IpAddress != "-") {
+ if (ctx.source == null) {
+ HashMap hm = new HashMap();
+ ctx.put("source", hm);
+ }
+ ctx.source.put("ip", ctx.winlog.event_data.IpAddress);
+ ctx.winlog.event_data.remove("IpAddress");
+ }
+ if (ctx.winlog?.event_data?.IpPort != null && ctx.winlog.event_data.IpPort != "-") {
+ if (ctx.source == null) {
+ HashMap hm = new HashMap();
+ ctx.put("source", hm);
+ }
+ ctx.source.put("port", Long.decode(ctx.winlog.event_data.IpPort));
+ ctx.winlog.event_data.remove("IpPort");
+ }
+ if (ctx.winlog?.event_data?.WorkstationName != null) {
+ if (ctx.source == null) {
+ HashMap hm = new HashMap();
+ ctx.put("source", hm);
+ }
+ ctx.source.put("domain", ctx.winlog.event_data.WorkstationName);
+ ctx.winlog.event_data.remove("WorkstationName");
+ }
+ if (ctx.winlog?.event_data?.ClientAddress != null 
&&
+ ctx.winlog.event_data.ClientAddress != "-") {
+ if (ctx.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ ctx.related.put("ip", ctx.winlog.event_data.ClientAddress);
+ ctx.winlog.event_data.remove("ClientAddress");
+ }
+ if (ctx.process?.name == null && ctx.process?.executable != null) {
+ def parts = ctx.process.executable.splitOnToken("\\");
+ ctx.process.put("name", parts[-1]);
+ }
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Process Event 4688
+ description: Process Event 4688
+ source: |-
+ if (ctx.event?.code == null ||
+ !["4688"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx.winlog?.event_data?.NewProcessId != null) {
+ if (ctx.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ if (ctx.winlog.event_data.NewProcessId instanceof String) {
+ Long pid = Long.decode(ctx.winlog.event_data.NewProcessId);
+ ctx.process.put("pid", pid.longValue());
+ } else {
+ ctx.process.put("pid", ctx.winlog.event_data.NewProcessId);
+ }
+ ctx.winlog.event_data.remove("NewProcessId");
+ }
+ if (ctx.winlog?.event_data?.NewProcessName != null) {
+ if (ctx.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ ctx.process.put("executable", ctx.winlog.event_data.NewProcessName);
+ ctx.winlog.event_data.remove("NewProcessName");
+ }
+ if (ctx.winlog?.event_data?.ParentProcessName != null) {
+ if (ctx.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ if (ctx.process?.parent == null) {
+ HashMap hm = new HashMap();
+ ctx.process.put("parent", hm);
+ }
+ ctx.process.parent.put("executable", ctx.winlog.event_data.ParentProcessName);
+ ctx.winlog.event_data.remove("ParentProcessName");
+ }
+ if (ctx.process?.name == null && ctx.process?.executable != null) {
+ def parts = ctx.process.executable.splitOnToken("\\");
+ ctx.process.put("name", parts[-1]);
+ }
+ if (ctx.process?.parent?.name == null && ctx.process?.parent?.executable != null) {
+ def 
parts = ctx.process.parent.executable.splitOnToken("\\"); + ctx.process.parent.put("name", parts[-1]); + } + if (ctx.winlog?.event_data?.ProcessId != null) { + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx.process?.parent == null) { + HashMap hm = new HashMap(); + ctx.process.put("parent", hm); + } + if (ctx.winlog.event_data.ProcessId instanceof String) { + Long pid = Long.decode(ctx.winlog.event_data.ProcessId); + ctx.process.parent.put("pid", pid.longValue()); + } else { + ctx.process.parent.put("pid", ctx.winlog.event_data.ProcessId); + } + } + if (ctx.winlog?.event_data?.CommandLine != null) { + int start = 0; + int end = 0; + boolean in_quote = false; + ArrayList al = new ArrayList(); + for (int i = 0; i < ctx.winlog.event_data.CommandLine.length(); i++) { + end = i; + if (Character.compare(ctx.winlog.event_data.CommandLine.charAt(i), "\"".charAt(0)) == 0) { + if (in_quote) { + in_quote = false; + } else { + in_quote = true; + } + } + if (Character.isWhitespace(ctx.winlog.event_data.CommandLine.charAt(i)) && !in_quote) { + al.add(ctx.winlog.event_data.CommandLine.substring(start, end)); + start = i + 1; + } + if (i == ctx.winlog.event_data.CommandLine.length() - 1) { + al.add(ctx.winlog.event_data.CommandLine.substring(start, end + 1)); + } + } + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + ctx.process.put("args", al); + ctx.process.put("command_line", ctx.winlog.event_data.CommandLine); + } + if ((ctx.winlog?.event_data?.TargetUserName != null) && + (!ctx.winlog.event_data.TargetUserName.equals("-"))) { + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(ctx.winlog.event_data.TargetUserName)) { + ctx.related.user.add(ctx.winlog.event_data.TargetUserName); + } + } + + - append: + field: 
related.user
+ value: '{{winlog.event_data.SubjectUserName}}'
+ allow_duplicates: false
+ if: |-
+ ctx.event?.code != null &&
+ ["4624", "4648", "4797", "5379", "5380", "5381", "5382"].contains(ctx.event.code) &&
+ ctx.winlog?.event_data?.SubjectUserName != null &&
+ ctx.winlog.event_data.SubjectUserName != "-"
+
+ - append:
+ field: related.user
+ value: '{{winlog.event_data.TargetUserName}}'
+ allow_duplicates: false
+ if: |-
+ ctx.event?.code != null &&
+ ["4688", "4720", "4722", "4723", "4724", "4725", "4726", "4738",
+ "4740", "4767", "4797", "4798"].contains(ctx.event.code) &&
+ ctx.winlog?.event_data?.TargetUserName != null &&
+ ctx.winlog.event_data.TargetUserName != "-"
+
+ - split:
+ field: winlog.event_data.PrivilegeList
+ separator: "\\s+"
+ if: |-
+ ctx.event?.code != null &&
+ ["4672", "4673", "4674", "4741", "4742", "4743"].contains(ctx.event.code) &&
+ ctx.winlog?.event_data?.PrivilegeList != null
+
+ - set:
+ field: user.target.name
+ copy_from: winlog.event_data.OldTargetUserName
+ ignore_empty_value: true
+
+ - set:
+ field: user.changes.name
+ copy_from: winlog.event_data.NewTargetUserName
+ ignore_empty_value: true
+
+ - append:
+ field: related.user
+ value: '{{winlog.event_data.NewTargetUserName}}'
+ allow_duplicates: false
+ if: |-
+ ctx.winlog?.event_data?.NewTargetUserName != null &&
+ ctx.winlog.event_data.NewTargetUserName != "-"
+
+ - append:
+ field: related.user
+ value: '{{winlog.event_data.OldTargetUserName}}'
+ allow_duplicates: false
+ if: |-
+ ctx.winlog?.event_data?.OldTargetUserName != null &&
+ ctx.winlog.event_data.OldTargetUserName != "-"
+
+ - gsub:
+ field: source.ip
+ pattern: '^\[?::ffff:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)(?:\](?::[0-9]+)?)?$'
+ replacement: '$1'
+ ignore_missing: true
+
+ - append:
+ field: related.ip
+ value: '{{source.ip}}'
+ allow_duplicates: false
+ if: |-
+ ctx.source?.ip != null &&
+ ctx.source.ip != "-"
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Object Policy Change and 
SidListDesc
+ description: Object Policy Change and SidListDesc
+ # SDDL Ace Types
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715
+ # https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings
+ # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070
+ # SDDL Permissions
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715
+ # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070
+ # Known SIDs
+ # https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems
+ # https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings
+ # Domain-specific SIDs
+ # https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems
+ # Object Permission Flags
+ # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b
+ params:
+ AccountSIDDescription:
+ AO: Account operators
+ RU: Alias to allow previous Windows 2000
+ AN: Anonymous logon
+ AU: Authenticated users
+ BA: Built-in administrators
+ BG: Built-in guests
+ BO: Backup operators
+ BU: Built-in users
+ CA: Certificate server administrators
+ CG: Creator group
+ CO: Creator owner
+ DA: Domain administrators
+ DC: Domain computers
+ DD: Domain controllers
+ DG: Domain guests
+ DU: Domain users
+ EA: Enterprise administrators
+ ED: Enterprise domain controllers
+ WD: Everyone
+ PA: Group Policy administrators
+ IU: Interactively logged-on user
+ LA: Local administrator
+ LG: Local guest
+ LS: Local service account
+ SY: Local system
+ NU: Network logon user
+ "NO": Network configuration operators
+ NS: Network service account
+ PO: Printer operators
+ PS: Personal self
+ PU: Power users
+ RS: RAS servers group
+ RD: Terminal server users
+ RE: Replicator
+ RC: Restricted code
+ SA: 
Schema administrators
+ SO: Server operators
+ SU: Service logon user
+ S-1-0: Null Authority
+ S-1-0-0: Nobody
+ S-1-1: World Authority
+ S-1-1-0: Everyone
+ S-1-16-0: Untrusted Mandatory Level
+ S-1-16-12288: High Mandatory Level
+ S-1-16-16384: System Mandatory Level
+ S-1-16-20480: Protected Process Mandatory Level
+ S-1-16-28672: Secure Process Mandatory Level
+ S-1-16-4096: Low Mandatory Level
+ S-1-16-8192: Medium Mandatory Level
+ S-1-16-8448: Medium Plus Mandatory Level
+ S-1-2: Local Authority
+ S-1-2-0: Local
+ S-1-2-1: Console Logon
+ S-1-3: Creator Authority
+ S-1-3-0: Creator Owner
+ S-1-3-1: Creator Group
+ S-1-3-2: Creator Owner Server
+ S-1-3-3: Creator Group Server
+ S-1-3-4: Owner Rights
+ S-1-4: Non-unique Authority
+ S-1-5: NT Authority
+ S-1-5-1: Dialup
+ S-1-5-10: Principal Self
+ S-1-5-11: Authenticated Users
+ S-1-5-12: Restricted Code
+ S-1-5-13: Terminal Server Users
+ S-1-5-14: Remote Interactive Logon
+ S-1-5-15: This Organization
+ S-1-5-17: This Organization
+ S-1-5-18: Local System
+ S-1-5-19: NT Authority
+ S-1-5-2: Network
+ S-1-5-20: NT Authority
+ S-1-5-3: Batch
+ S-1-5-32-544: Administrators
+ S-1-5-32-545: Users
+ S-1-5-32-546: Guests
+ S-1-5-32-547: Power Users
+ S-1-5-32-548: Account Operators
+ S-1-5-32-549: Server Operators
+ S-1-5-32-550: Print Operators
+ S-1-5-32-551: Backup Operators
+ S-1-5-32-552: Replicators
+ S-1-5-32-554: Builtin\Pre-Windows 2000 Compatible Access
+ S-1-5-32-555: Builtin\Remote Desktop Users
+ S-1-5-32-556: Builtin\Network Configuration Operators
+ S-1-5-32-557: Builtin\Incoming Forest Trust Builders
+ S-1-5-32-558: Builtin\Performance Monitor Users
+ S-1-5-32-559: Builtin\Performance Log Users
+ S-1-5-32-560: Builtin\Windows Authorization Access Group
+ S-1-5-32-561: Builtin\Terminal Server License Servers
+ S-1-5-32-562: Builtin\Distributed COM Users
+ S-1-5-32-569: Builtin\Cryptographic Operators
+ S-1-5-32-573: Builtin\Event Log Readers
+ S-1-5-32-574: Builtin\Certificate Service DCOM Access
+ 
S-1-5-32-575: Builtin\RDS Remote Access Servers
+ S-1-5-32-576: Builtin\RDS Endpoint Servers
+ S-1-5-32-577: Builtin\RDS Management Servers
+ S-1-5-32-578: Builtin\Hyper-V Administrators
+ S-1-5-32-579: Builtin\Access Control Assistance Operators
+ S-1-5-32-580: Builtin\Remote Management Users
+ S-1-5-32-582: Storage Replica Administrators
+ S-1-5-4: Interactive
+ S-1-5-5-X-Y: Logon Session
+ S-1-5-6: Service
+ S-1-5-64-10: NTLM Authentication
+ S-1-5-64-14: SChannel Authentication
+ S-1-5-64-21: Digest Authentication
+ S-1-5-7: Anonymous
+ S-1-5-8: Proxy
+ S-1-5-80: NT Service
+ S-1-5-80-0: All Services
+ S-1-5-83-0: NT Virtual Machine\Virtual Machines
+ S-1-5-9: Enterprise Domain Controllers
+ S-1-5-90-0: Windows Manager\Windows Manager Group
+ AceTypes:
+ A: Access Allowed
+ D: Access Denied
+ OA: Object Access Allowed
+ OD: Object Access Denied
+ AU: System Audit
+ AL: System Alarm
+ OU: System Object Audit
+ OL: System Object Alarm
+ ML: System Mandatory Label
+ SP: Central Policy ID
+ DomainSpecificSID:
+ "498": Enterprise Read-only Domain Controllers
+ "500": Administrator
+ "501": Guest
+ "502": KRBTGT
+ "512": Domain Admins
+ "513": Domain Users
+ "514": Domain Guests
+ "515": Domain Computers
+ "516": Domain Controllers
+ "517": Cert Publishers
+ "518": Schema Admins
+ "519": Enterprise Admins
+ "520": Group Policy Creator Owners
+ "521": Read-only Domain Controllers
+ "522": Cloneable Domain Controllers
+ "526": Key Admins
+ "527": Enterprise Key Admins
+ "553": RAS and IAS Servers
+ "571": Allowed RODC Password Replication Group
+ "572": Denied RODC Password Replication Group
+ PermissionDescription:
+ GA: Generic All
+ GR: Generic Read
+ GW: Generic Write
+ GX: Generic Execute
+ RC: Read Permissions
+ SD: Delete
+ WD: Modify Permissions
+ WO: Modify Owner
+ RP: Read All Properties
+ WP: Write All Properties
+ CC: Create All Child Objects
+ DC: Delete All Child Objects
+ LC: List Contents
+ SW: All Validated
+ LO: List Object
+ DT: Delete Subtree
+ CR: 
All Extended Rights
+ FA: File All Access
+ FR: File Generic Read
+ FX: FILE GENERIC EXECUTE
+ FW: FILE GENERIC WRITE
+ KA: KEY ALL ACCESS
+ KR: KEY READ
+ KW: KEY WRITE
+ KX: KEY EXECUTE
+ PermsFlags:
+ "0x80000000": 'Generic Read'
+ "0x4000000": 'Generic Write'
+ "0x20000000": 'Generic Execute'
+ "0x10000000": 'Generic All'
+ "0x02000000": 'Maximum Allowed'
+ "0x01000000": 'Access System Security'
+ "0x00100000": 'Syncronize'
+ "0x00080000": 'Write Owner'
+ "0x00040000": 'Write DACL'
+ "0x00020000": 'Read Control'
+ "0x00010000": 'Delete'
+ source: |-
+ ArrayList translatePermissionMask(def mask, def params) {
+ ArrayList al = new ArrayList();
+ Long permCode = Long.decode(mask);
+ for (entry in params.PermsFlags.entrySet()) {
+ Long permFlag = Long.decode(entry.getKey());
+ if ((permCode.longValue() & permFlag.longValue()) == permFlag.longValue()) {
+ al.add(entry.getValue());
+ }
+ }
+ if (al.length == 0) {
+ al.add(mask);
+ }
+ return al;
+ }
+
+ HashMap translateACL(def dacl, def params) {
+ def aceArray = dacl.splitOnToken(";");
+ HashMap hm = new HashMap();
+
+ if (aceArray.length >= 6 ) {
+ hm.put("grantee", translateSID(aceArray[5], params));
+ }
+
+ if (aceArray.length >= 1) {
+ hm.put("type", params.AceTypes[aceArray[0]]);
+ }
+
+ if (aceArray.length >= 3) {
+ if (aceArray[2].startsWith("0x")) {
+ hm.put("perms", translatePermissionMask(aceArray[2], params));
+ } else {
+ ArrayList al = new ArrayList();
+ Pattern permPattern = /.{1,2}/;
+ Matcher permMatcher = permPattern.matcher(aceArray[2]);
+ while (permMatcher.find()) {
+ al.add(params.PermissionDescription[permMatcher.group(0)]);
+ }
+ hm.put("perms", al);
+ }
+ }
+ return hm;
+ }
+ String translateSID(def sid, def params) {
+ if (!params.AccountSIDDescription.containsKey(sid)) {
+ if (sid.startsWith("S-1-5-21")) {
+ Pattern uidPattern = /[0-9]{1,5}$/;
+ Matcher uidMatcher = uidPattern.matcher(sid);
+ if (uidMatcher.find()) {
+ return params.DomainSpecificSID[uidMatcher.group(0)];
+ }
+ return sid; 
+ } + return sid; + } + return params.AccountSIDDescription[sid]; + } + + void enrichSDDL(def sddlStr, def Sd, def params, def ctx) { + Pattern sdOwnerPattern = /^O\:[A-Z]{2}/; + Matcher sdOwnerMatcher = sdOwnerPattern.matcher(sddlStr); + if (sdOwnerMatcher.find()) { + ctx.winlog.event_data.put(Sd + "Owner", translateSID(sdOwnerMatcher.group(0), params)); + } + + Pattern sdGroupPattern = /^G\:[A-Z]{2}/; + Matcher sdGroupMatcher = sdGroupPattern.matcher(sddlStr); + if (sdGroupMatcher.find()) { + ctx.winlog.event_data.put(Sd + "Group", translateSID(sdGroupMatcher.group(0), params)); + } + + Pattern sdDaclPattern = /(D:([A-Z]*(\(.*\))*))/; + Matcher sdDaclMatcher = sdDaclPattern.matcher(sddlStr); + if (sdDaclMatcher.find()) { + Pattern dacListPattern = /\([^*\)]*\)/; + Matcher dacListMatcher = dacListPattern.matcher(sdDaclMatcher.group(1)); + for (def i = 0; dacListMatcher.find(); i++) { + def newDacl = translateACL(dacListMatcher.group(0).replace("(","").replace(")",""), params); + ctx.winlog.event_data.put(Sd + "Dacl" + i.toString(), newDacl['grantee'] + " :" + newDacl['type'] + " (" + newDacl['perms'] + ")"); + if (["Administrator", "Guest", "KRBTGT"].contains(newDacl['grantee'])) { + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(newDacl['grantee'])) { + ctx.related.user.add(newDacl['grantee']); + } + } + } + } + + Pattern sdSaclPattern = /(S:([A-Z]*(\(.*\))*))?$/; + Matcher sdSaclMatcher = sdSaclPattern.matcher(sddlStr); + if (sdSaclMatcher.find()) { + Pattern sacListPattern = /\([^*\)]*\)/; + Matcher sacListMatcher = sacListPattern.matcher(sdSaclMatcher.group(0)); + for (def i = 0; sacListMatcher.find(); i++) { + def newSacl = translateACL(sacListMatcher.group(0).replace("(","").replace(")",""), params); + ctx.winlog.event_data.put(Sd + "Sacl" + i.toString(), newSacl['grantee'] + " :" + 
newSacl['type'] + " (" + newSacl['perms'] + ")"); + if (["Administrator", "Guest", "KRBTGT"].contains(newSacl['grantee'])) { + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(newSacl['grantee'])) { + ctx.related.user.add(newSacl['grantee']); + } + } + } + } + } + + void splitSidList(def sids, def params, def ctx) { + ArrayList al = new ArrayList(); + def sidList = sids.splitOnToken(" "); + ctx.winlog.event_data.put("SidList", sidList); + for (def i = 0; i < sidList.length; i++ ) { + al.add(translateSID(sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""), params)); + } + ctx.winlog.event_data.put("SidListDesc", al); + } + + if (ctx.event?.code == null || + !["4670", "4817", "4907", "4908"].contains(ctx.event.code)) { + return; + } + if (ctx.winlog?.event_data?.OldSd != null) { + enrichSDDL(ctx.winlog.event_data.OldSd, "OldSd", params, ctx); + } + if (ctx.winlog?.event_data?.NewSd != null) { + enrichSDDL(ctx.winlog.event_data.NewSd, "NewSd", params, ctx); + } + if (ctx.winlog?.event_data?.SidList != null) { + splitSidList(ctx.winlog.event_data.SidList, params, ctx); + } + + - set: + field: file.name + copy_from: winlog.event_data.RelativeTargetName + if: |- + ctx.event?.code != null && + ["5140", "5145"].contains(ctx.event.code) && + ctx.winlog?.event_data?.RelativeTargetName != null && + ctx.winlog.event_data.RelativeTargetName != "" + - set: + field: file.directory + copy_from: winlog.event_data.ShareLocalPath + if: |- + ctx.event?.code != null && + ["5140", "5145"].contains(ctx.event.code) && + ctx.winlog?.event_data?.ShareLocalPath != null && + ctx.winlog.event_data.ShareLocalPath != "" + - set: + field: file.path + value: "{{file.directory}}\\{{file.name}}" + if: ctx.file?.name != null && ctx.file?.directory != null + - set: + field: file.directory + copy_from: 
winlog.event_data.ShareLocalPath + if: |- + ctx.event?.code != null && + ["5140", "5145"].contains(ctx.event.code) && + ctx.winlog?.event_data?.ShareLocalPath != null && + ctx.winlog.event_data.ShareLocalPath != "" + - set: + field: file.target_path + value: "{{winlog.event_data.ShareName}}\\{{file.name}}" + if: |- + ctx.event?.code != null && + ["5140", "5145"].contains(ctx.event.code) && + ctx.winlog?.event_data?.ShareName != null && + ctx.winlog.event_data.ShareName != "" && + ctx.file?.name != null + - script: + description: Adds file information. + lang: painless + if: ctx.file?.name != null + source: |- + def extIdx = ctx.file.name.lastIndexOf("."); + if (extIdx > -1) { + ctx.file.extension = ctx.file.name.substring(extIdx+1); + } + - convert: + field: winlog.record_id + type: string + ignore_missing: true + + - convert: + field: winlog.event_id + type: string + ignore_missing: true + + - set: + field: ecs.version + value: '8.0.0' + + - set: + field: log.level + copy_from: winlog.level + ignore_empty_value: true + ignore_failure: true + if: ctx.winlog?.level != "" + + - date: + field: winlog.time_created + tag: "time_created_date" + formats: + - ISO8601 + if: ctx.winlog?.time_created != null + on_failure: + - remove: + field: winlog.time_created + ignore_failure: true + - append: + field: error.message + value: "fail-{{{ _ingest.on_failure_processor_tag }}}" + - fail: + message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" + + #Cleanup _temp fields as it is not needed anymore + - remove: + field: _temp + ignore_missing: true + ignore_failure: true + +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: "{{{ _ingest.on_failure_message }}}" 
diff --git a/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml b/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml
new file mode 100644
index 000000000000..efec7a6246df
--- /dev/null
+++ b/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml
@@ -0,0 +1,1427 @@ +--- +description: Pipeline for Windows Sysmon Event Logs +processors: +## ECS and Event fields. + + - set: + field: ecs.version + value: '8.17.0' + - script: + description: Remove all empty values from event_data. + lang: painless + source: ctx.winlog?.event_data?.entrySet().removeIf(entry -> [null, "", "-", "{00000000-0000-0000-0000-000000000000}"].contains(entry.getValue())) + - rename: + field: winlog.level + target_field: log.level + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.level != "" + - date: + field: winlog.time_created + target_field: event.created + tag: "time_created_date" + formats: + - ISO8601 + if: ctx.winlog?.time_created != null + on_failure: + - remove: + field: winlog.time_created + ignore_failure: true + - append: + field: error.message + value: "fail-{{{ _ingest.on_failure_processor_tag }}}" + - fail: + message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" + - date: + field: winlog.event_data.UtcTime + formats: + - yyyy-MM-dd HH:mm:ss.SSS + timezone: UTC + ignore_failure: true + if: ctx.winlog?.event_data?.UtcTime != null + + - set: + field: event.module + value: sysmon + - set: + field: event.kind + value: event + - set: + field: event.code + value: '{{winlog.event_id}}' + + - script: + description: Set event action, category and type for all event types. 
+ lang: painless + params: + "1": + category: + - process + type: + - start + action: 'Process creation' + "2": + category: + - file + type: + - change + action: 'A process changed a file creation time' + "3": + category: + - network + type: + - start + - connection + - protocol + action: 'Network connection' + "4": + category: + - process + type: + - change + action: 'Sysmon service state changed' + "5": + category: + - process + type: + - end + action: 'Process terminated' + "6": + category: + - driver + type: + - start + action: 'Driver loaded' + "7": + category: + - process + type: + - change + action: 'Image loaded' + "8": + category: + - process + type: + - change + action: 'CreateRemoteThread' + "9": + category: + - process + type: + - access + action: 'RawAccessRead' + "10": + category: + - process + type: + - access + action: 'ProcessAccess' + "11": + category: + - file + type: + - creation + action: 'FileCreate' + "12": + category: + - configuration + - registry + type: + - change + action: 'RegistryEvent (Object create and delete)' + "13": + category: + - configuration + - registry + type: + - change + action: 'RegistryEvent (Value Set)' + "14": + category: + - configuration + - registry + type: + - change + action: 'RegistryEvent (Key and Value Rename)' + "15": + category: + - file + type: + - access + action: 'FileCreateStreamHash' + "16": + category: + - configuration + type: + - change + action: 'ServiceConfigurationChange' + "17": + category: + - file + type: + - creation + action: 'PipeEvent (Pipe Created)' + "18": + category: + - file + type: + - access + action: 'PipeEvent (Pipe Connected)' + "19": + category: + - process + type: + - info + action: 'WmiEvent (WmiEventFilter activity detected)' + "20": + category: + - process + type: + - change + action: 'WmiEvent (WmiEventConsumer activity detected)' + "21": + category: + - process + type: + - access + action: 'WmiEvent (WmiEventConsumerToFilter activity detected)' + "22": + category: + - network 
+ type: + - connection + - protocol + - info + action: 'DNSEvent (DNS query)' + "23": + category: + - file + type: + - deletion + action: 'FileDelete (File Delete archived)' + "24": + type: + - change + action: 'ClipboardChange (New content in the clipboard)' + "25": + category: + - process + type: + - change + action: 'ProcessTampering (Process image change)' + "26": + category: + - file + type: + - deletion + action: 'FileDeleteDetected (File Delete logged)' + "27": + category: + - file + type: + - creation + outcome: + - failure + action: 'FileBlockExecutable' + "28": + category: + - file + type: + - deletion + action: 'FileBlockShredding' + "29": + category: + - file + type: + - creation + action: 'FileExecutableDetected' + "255": + category: + - process + outcome: + - failure + action: 'Error' + tag: Add ECS categorization fields + source: |- + if (ctx.event?.code == null || params.get(ctx.event.code) == null) { + return; + } + def hm = new HashMap(params[ctx.event.code]); + hm.forEach((k, v) -> ctx.event[k] = v); + - convert: + field: winlog.record_id + type: string + ignore_failure: true + ignore_missing: true + + - rename: + field: winlog.event_data.ID + target_field: error.code + ignore_failure: true + ignore_missing: true + if: ctx.event.code == "255" && ctx.winlog?.event_data?.ID != null && ctx.winlog?.event_data?.ID != "" + + - rename: + field: winlog.event_data.RuleName + target_field: rule.name + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.RuleName != null && ctx.winlog?.event_data?.RuleName != "" && ctx.winlog?.event_data?.RuleName != "-" + + + - rename: + field: winlog.event_data.Type + target_field: message + ignore_missing: true + ignore_failure: true + if: ctx.event.code == "25" && ctx.winlog?.event_data?.Type != null && ctx.winlog?.event_data?.Type != "" + + - rename: + field: winlog.event_data.Hash + target_field: winlog.event_data.Hashes + ignore_missing: true + ignore_failure: true + if: 
ctx.winlog?.event_data?.Hash != null && ctx.winlog?.event_data?.Hash != "" + - kv: + field: winlog.event_data.Hashes + target_field: _temp.hashes + field_split: "," + value_split: "=" + ignore_failure: true + if: ctx.winlog?.event_data?.Hashes != null + - script: + lang: painless + if: ctx._temp?.hashes != null + source: |- + def hashIsEmpty(String hash) { + if (hash == "") { + return true; + } + + Pattern emptyHashRegex = /^0*$/; + def matcher = emptyHashRegex.matcher(hash); + + return matcher.matches(); + } + + def hashes = new HashMap(); + def related = [ + "hash": new ArrayList() + ]; + for (entry in ctx._temp.hashes.entrySet()) { + def key = entry.getKey().toString().toLowerCase(); + def value = entry.getValue().toString().toLowerCase(); + + if (hashIsEmpty(value)) { + continue; + } + + hashes[key] = value; + related.hash.add(value); + } + + ctx._temp.hashes = hashes; + if (related.hash.length > 0) { + ctx.related = related; + } + +## Process fields + + - rename: + field: _temp.hashes + target_field: process.hash + if: |- + ctx._temp?.hashes != null && + ["1", "23", "24", "25", "26"].contains(ctx.event.code) + - rename: + field: process.hash.imphash + target_field: process.pe.imphash + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.ProcessGuid + target_field: process.entity_id + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.ProcessGuid != null && ctx.winlog?.event_data?.ProcessGuid != "" + - convert: + field: winlog.event_data.ProcessId + target_field: process.pid + type: long + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.ProcessId != null && ctx.winlog?.event_data?.ProcessId != "" + - rename: + field: winlog.event_data.Image + target_field: process.executable + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.Image != null && ctx.winlog?.event_data?.Image != "" + - rename: + field: winlog.event_data.SourceProcessGuid + target_field: 
process.entity_id + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.SourceProcessGuid != null && ctx.winlog?.event_data?.SourceProcessGuid != "" + - rename: + field: winlog.event_data.SourceProcessGUID + target_field: process.entity_id + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.SourceProcessGUID != null && ctx.winlog?.event_data?.SourceProcessGUID != "" + - convert: + field: winlog.event_data.SourceProcessId + target_field: process.pid + type: long + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.SourceProcessId != null && ctx.winlog?.event_data?.SourceProcessId != "" + - convert: + field: winlog.event_data.SourceThreadId + target_field: process.thread.id + type: long + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.SourceThreadId != null && ctx.winlog?.event_data?.SourceThreadId != "" + - rename: + field: winlog.event_data.SourceImage + target_field: process.executable + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.SourceImage != null && ctx.winlog?.event_data?.SourceImage != "" + - rename: + field: winlog.event_data.Destination + target_field: process.executable + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.Destination != null && ctx.winlog?.event_data?.Destination != "" + - rename: + field: winlog.event_data.CommandLine + target_field: process.command_line + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.CommandLine != null && ctx.winlog?.event_data?.CommandLine != "" + - rename: + field: winlog.event_data.CurrentDirectory + target_field: process.working_directory + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.CurrentDirectory != null && ctx.winlog?.event_data?.CurrentDirectory != "" + - rename: + field: winlog.event_data.ParentProcessGuid + target_field: process.parent.entity_id + ignore_missing: true + ignore_failure: true + if: 
ctx.winlog?.event_data?.ParentProcessGuid != null && ctx.winlog?.event_data?.ParentProcessGuid != "" + - convert: + field: winlog.event_data.ParentProcessId + target_field: process.parent.pid + type: long + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.ParentProcessId != null && ctx.winlog?.event_data?.ParentProcessId != "" + - rename: + field: winlog.event_data.ParentImage + target_field: process.parent.executable + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.ParentImage != null && ctx.winlog?.event_data?.ParentImage != "" + - rename: + field: winlog.event_data.ParentCommandLine + target_field: process.parent.command_line + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.ParentCommandLine != null && ctx.winlog?.event_data?.ParentCommandLine != "" + - rename: + field: winlog.event_data.OriginalFileName + target_field: process.pe.original_file_name + ignore_missing: true + ignore_failure: true + if: ctx.event.code != "7" && ctx.winlog?.event_data?.OriginalFileName != null && ctx.winlog?.event_data?.OriginalFileName != "" + - set: + field: process.pe.company + copy_from: winlog.event_data.Company + ignore_empty_value: true + ignore_failure: true + if: ctx.event.code != "7" + - set: + field: process.pe.description + copy_from: winlog.event_data.Description + ignore_empty_value: true + ignore_failure: true + if: ctx.event.code != "7" + - set: + field: process.pe.file_version + copy_from: winlog.event_data.FileVersion + ignore_empty_value: true + ignore_failure: true + if: ctx.event.code != "7" + - set: + field: process.pe.product + copy_from: winlog.event_data.Product + ignore_empty_value: true + ignore_failure: true + if: ctx.event.code != "7" + + - script: + description: Implements Windows-like SplitCommandLine + lang: painless + if: |- + (ctx.process?.command_line != null && ctx.process.command_line != "") || + (ctx.process?.parent?.command_line != null && 
ctx.process.parent.command_line != "") + source: |- + // appendBSBytes appends n '\\' bytes to b and returns the resulting slice. + def appendBSBytes(StringBuilder b, int n) { + for (; n > 0; n--) { + b.append('\\'); + } + return b; + } + + // readNextArg splits command line string cmd into next + // argument and command line remainder. + def readNextArg(String cmd) { + def b = new StringBuilder(); + boolean inquote; + int nslash; + for (; cmd.length() > 0; cmd = cmd.substring(1)) { + def c = cmd.charAt(0); + if (c == (char)' ' || c == (char)0x09) { + if (!inquote) { + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": cmd.substring(1) + ]; + } + } else if (c == (char)'"') { + b = appendBSBytes(b, nslash/2); + if (nslash%2 == 0) { + // use "Prior to 2008" rule from + // http://daviddeley.com/autohotkey/parameters/parameters.htm + // section 5.2 to deal with double double quotes + if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') { + b.append(c); + cmd = cmd.substring(1); + } + inquote = !inquote; + } else { + b.append(c); + } + nslash = 0; + continue; + } else if (c == (char)'\\') { + nslash++; + continue; + } + b = appendBSBytes(b, nslash); + nslash = 0; + b.append(c); + } + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": '' + ]; + } + + // commandLineToArgv splits a command line into individual argument + // strings, following the Windows conventions documented + // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV + // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1 + def commandLineToArgv(String cmd) { + def args = new ArrayList(); + while (cmd.length() > 0) { + if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) { + cmd = cmd.substring(1); + continue; + } + def next = readNextArg(cmd); + cmd = next.rest; + args.add(next.arg); + } + return args; + } + + def cmd = ctx.process?.command_line; + if (cmd != null && cmd != "") { + 
ctx.process.args = commandLineToArgv(cmd); + ctx.process.args_count = ctx.process.args.length; + } + + def parentCmd = ctx.process?.parent?.command_line; + if (parentCmd != null && parentCmd != "") { + ctx.process.parent.args = commandLineToArgv(parentCmd); + ctx.process.parent.args_count = ctx.process.parent.args.length; + } + + - script: + description: Adds process name information. + lang: painless + if: |- + (ctx.process?.executable != null && ctx.process.executable.length() > 1) || + (ctx.process?.parent?.executable != null && ctx.process.parent.executable.length() > 1) + source: |- + def getProcessName(def path) { + def idx = path.lastIndexOf("\\"); + if (idx > -1) { + return path.substring(idx+1); + } + return ""; + } + + def cmd = ctx.process?.executable; + if (cmd != null && cmd != "" && ctx.process?.name == null) { + def name = getProcessName(cmd); + if (name != "") { + ctx.process.name = name; + } + } + + def parentCmd = ctx.process?.parent?.executable; + if (parentCmd != null && parentCmd != "" && ctx.process?.parent?.name == null) { + def name = getProcessName(parentCmd); + if (name != "") { + ctx.process.parent.name = name; + } + } + +## File fields + + - rename: + field: _temp.hashes + target_field: file.hash + if: |- + ctx._temp?.hashes != null && + ["6", "7", "15", "26", "29"].contains(ctx.event.code) + - rename: + field: file.hash.imphash + target_field: file.pe.imphash + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data.TargetFilename + target_field: file.path + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.TargetFilename != null && ctx.winlog?.event_data?.TargetFilename != "" + - rename: + field: winlog.event_data.Device + target_field: file.path + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.Device != null && ctx.winlog?.event_data?.Device != "" + - rename: + field: winlog.event_data.PipeName + target_field: file.name + ignore_missing: true + 
ignore_failure: true + if: ctx.winlog?.event_data?.PipeName != null && ctx.winlog?.event_data?.PipeName != "" + - rename: + field: winlog.event_data.ImageLoaded + target_field: file.path + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.ImageLoaded != null && ctx.winlog?.event_data?.ImageLoaded != "" + - set: + field: file.code_signature.subject_name + copy_from: winlog.event_data.Signature + ignore_failure: true + ignore_empty_value: true + - set: + field: file.code_signature.status + copy_from: winlog.event_data.SignatureStatus + ignore_failure: true + ignore_empty_value: true + - rename: + field: winlog.event_data.OriginalFileName + target_field: file.pe.original_file_name + ignore_missing: true + ignore_failure: true + if: ctx.event.code == "7" && ctx.winlog?.event_data?.OriginalFileName != null && ctx.winlog?.event_data?.OriginalFileName != "" + - set: + field: file.pe.company + copy_from: winlog.event_data.Company + ignore_failure: true + ignore_empty_value: true + if: ctx.event.code == "7" + - set: + field: file.pe.description + copy_from: winlog.event_data.Description + ignore_failure: true + ignore_empty_value: true + if: ctx.event.code == "7" + - set: + field: file.pe.file_version + copy_from: winlog.event_data.FileVersion + ignore_failure: true + ignore_empty_value: true + if: ctx.event.code == "7" + - set: + field: file.pe.product + copy_from: winlog.event_data.Product + ignore_failure: true + ignore_empty_value: true + if: ctx.event.code == "7" + - set: + field: file.code_signature.signed + value: true + if: ctx.winlog?.event_data?.Signed != null && ctx.winlog.event_data.Signed == true + - set: + field: file.code_signature.valid + value: true + if: ctx.winlog?.event_data?.SignatureStatus != null && ctx.winlog?.event_data?.SignatureStatus == "Valid" + + - script: + description: Adds file information. 
+ lang: painless + if: ctx.file?.path != null && ctx.file.path.length() > 1 + source: |- + def path = ctx.file.path; + def idx = path.lastIndexOf("\\"); + if (idx > -1) { + if (ctx.file == null) { + ctx.file = new HashMap(); + } + ctx.file.name = path.substring(idx+1); + ctx.file.directory = path.substring(0, idx); + + def extIdx = path.lastIndexOf("."); + if (extIdx > -1) { + ctx.file.extension = path.substring(extIdx+1); + } + } + +## Network, Destination, and Source fields + + - rename: + field: winlog.event_data.Protocol + target_field: network.transport + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.Protocol != null && ctx.winlog?.event_data?.Protocol != "" + - rename: + field: winlog.event_data.DestinationPortName + target_field: network.protocol + ignore_missing: true + ignore_failure: true + if: ctx.event.code != "22" && ctx.winlog?.event_data?.DestinationPortName != null && ctx.winlog?.event_data?.DestinationPortName != "" + - rename: + field: winlog.event_data.SourcePortName + target_field: network.protocol + ignore_missing: true + ignore_failure: true + if: ctx.event.code != "22" && ctx.winlog?.event_data?.SourcePortName != null && ctx.winlog?.event_data?.SourcePortName != "" + - set: + field: network.protocol + value: dns + if: ctx.event.code == "22" + - convert: + field: winlog.event_data.SourceIp + target_field: source.ip + type: ip + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.SourceIp != null && ctx.winlog?.event_data?.SourceIp != "" + - rename: + field: winlog.event_data.SourceHostname + target_field: source.domain + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.SourceHostname != null && ctx.winlog?.event_data?.SourceHostname != "" + - convert: + field: winlog.event_data.SourcePort + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.SourcePort != null && ctx.winlog?.event_data?.SourcePort != "" + - 
convert: + field: winlog.event_data.DestinationIp + target_field: destination.ip + type: ip + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.DestinationIp != null && ctx.winlog?.event_data?.DestinationIp != "" + - rename: + field: winlog.event_data.DestinationHostname + target_field: destination.domain + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.DestinationHostname != null && ctx.winlog?.event_data?.DestinationHostname != "" + - convert: + field: winlog.event_data.DestinationPort + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: ctx.winlog?.event_data?.DestinationPort != null && ctx.winlog?.event_data?.DestinationPort != "" + - rename: + field: winlog.event_data.QueryName + target_field: dns.question.name + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.QueryName != null && ctx.winlog?.event_data?.QueryName != "" + - set: + field: network.direction + value: egress + if: ctx.winlog?.event_data?.Initiated != null && ctx.winlog?.event_data?.Initiated == "true" + - set: + field: network.direction + value: ingress + if: ctx.winlog?.event_data?.Initiated != null && ctx.winlog?.event_data?.Initiated == "false" + - set: + field: network.type + value: ipv4 + if: ctx.winlog?.event_data?.SourceIsIpv6 != null && ctx.winlog?.event_data?.SourceIsIpv6 == "false" + - set: + field: network.type + value: ipv6 + if: ctx.winlog?.event_data?.SourceIsIpv6 != null && ctx.winlog?.event_data?.SourceIsIpv6 == "true" + - script: + description: | + Splits the QueryResults field that contains the DNS responses. 
+ Example: "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;" + lang: painless + if: ctx.winlog?.event_data?.QueryResults != null && ctx.winlog?.event_data?.QueryResults != "" + params: + "1": "A" + "2": "NS" + "3": "MD" + "4": "MF" + "5": "CNAME" + "6": "SOA" + "7": "MB" + "8": "MG" + "9": "MR" + "10": "NULL" + "11": "WKS" + "12": "PTR" + "13": "HINFO" + "14": "MINFO" + "15": "MX" + "16": "TXT" + "17": "RP" + "18": "AFSDB" + "19": "X25" + "20": "ISDN" + "21": "RT" + "22": "NSAP" + "23": "NSAPPTR" + "24": "SIG" + "25": "KEY" + "26": "PX" + "27": "GPOS" + "28": "AAAA" + "29": "LOC" + "30": "NXT" + "31": "EID" + "32": "NIMLOC" + "33": "SRV" + "34": "ATMA" + "35": "NAPTR" + "36": "KX" + "37": "CERT" + "38": "A6" + "39": "DNAME" + "40": "SINK" + "41": "OPT" + "43": "DS" + "46": "RRSIG" + "47": "NSEC" + "48": "DNSKEY" + "49": "DHCID" + "100": "UINFO" + "101": "UID" + "102": "GID" + "103": "UNSPEC" + "248": "ADDRS" + "249": "TKEY" + "250": "TSIG" + "251": "IXFR" + "252": "AXFR" + "253": "MAILB" + "254": "MAILA" + "255": "ANY" + "65281": "WINS" + "65282": "WINSR" + source: |- + def results = /;/.split(ctx.winlog.event_data.QueryResults); + def answers = new ArrayList(); + def ips = new ArrayList(); + def relatedHosts = new ArrayList(); + for (def i = 0; i < results.length; i++) { + def answer = results[i]; + if (answer == "") { + continue; + } + + if (answer.startsWith("type:")) { + def parts = /\s+/.split(answer); + if (parts.length < 2) { + throw new Exception("unexpected QueryResult format"); + } + if (parts.length == 3) { + answers.add([ + "type": params[parts[1]], + "data": parts[2] + ]); + relatedHosts.add(parts[2]); + } else { + answers.add([ + "type": params[parts[1]] + ]); + } + } else { + ips.add(answer); + } + } + + if (answers.length > 0) { + ctx.dns.answers = answers; + } + if (ips.length > 0) { + ctx.dns.resolved_ip = ips; + } + if (relatedHosts.length > 0) { + if (ctx.related == null) { + 
ctx.related = new HashMap(); + } + ctx.related.hosts = relatedHosts; + } + - foreach: + field: dns.answers + if: ctx.dns?.answers instanceof List + ignore_failure: true + processor: + gsub: + field: _ingest._value + pattern: '^\[?::ffff:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)(?:\](?::[0-9]+)?)?$' + replacement: '$1' + - foreach: + field: dns.resolved_ip + if: ctx.dns?.resolved_ip instanceof List + ignore_failure: true + processor: + gsub: + field: _ingest._value + pattern: '^\[?::ffff:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)(?:\](?::[0-9]+)?)?$' + replacement: '$1' + - foreach: + field: dns.resolved_ip + ignore_missing: true + processor: + convert: + field: _ingest._value + type: ip + on_failure: + - remove: + field: _ingest._value + - script: + description: Convert V4MAPPED addresses. + lang: painless + if: ctx.dns?.resolved_ip != null + source: |- + if (ctx.dns.answers == null) { + ctx.dns.answers = new ArrayList(); + } + for (def i = 0; i < ctx.dns.resolved_ip.length; i++) { + def ip = ctx.dns.resolved_ip[i]; + if (ip == null) { + ctx.dns.resolved_ip.remove(i); + continue; + } + + // Synthesize record type based on IP address type. + def type = "A"; + if (ip.indexOf(":") != -1) { + type = "AAAA"; + } + ctx.dns.answers.add([ + "type": type, + "data": ip + ]); + } + - registered_domain: + field: dns.question.name + target_field: dns.question + ignore_failure: true + ignore_missing: true + - append: + field: related.hosts + value: "{{dns.question.name}}" + allow_duplicates: false + if: ctx.dns?.question?.name != null && ctx.dns?.question?.name != "" + - remove: + description: Remove dns.question.domain because it is not part of ECS and is redundant with dns.question.name. 
+ field: dns.question.domain + ignore_missing: true + ignore_failure: true + - foreach: + field: dns.resolved_ip + ignore_missing: true + processor: + append: + field: related.ip + value: "{{_ingest._value}}" + allow_duplicates: false + ignore_failure: true + - community_id: + ignore_failure: true + ignore_missing: false + +## User fields + + - set: + field: user.id + copy_from: winlog.user.identifier + ignore_empty_value: true + ignore_failure: true + - split: + field: winlog.event_data.User + target_field: "_temp.user_parts" + separator: '\\' + if: ctx.winlog?.event_data?.User != null + - set: + field: user.domain + value: "{{_temp.user_parts.0}}" + ignore_failure: true + ignore_empty_value: true + if: ctx._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + - set: + field: user.name + value: "{{_temp.user_parts.1}}" + ignore_failure: true + ignore_empty_value: true + if: ctx._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 + # Get user details from the translate_sid processor enrichment + # if they are available and we don't already have them. 
+ - rename: + field: winlog.event_data._MemberUserName + target_field: user.name + ignore_failure: true + ignore_missing: true + - rename: + field: winlog.event_data._MemberDomain + target_field: user.domain + ignore_failure: true + ignore_missing: true + - append: + value: '{{{winlog.event_data._MemberAccountType}}}' + field: user.roles + ignore_failure: true + allow_duplicates: false + if: ctx.winlog?.event_data?._MemberAccountType != null + - remove: + field: winlog.event_data._MemberAccountType + ignore_missing: true + ignore_failure: true + if: ctx.user?.roles != null && ctx.winlog?.event_data?._MemberAccountType != null && ctx.user.roles.contains(ctx.winlog.event_data._MemberAccountType) + +## Sysmon fields + + - rename: + field: winlog.event_data.QueryStatus + target_field: sysmon.dns.status + ignore_missing: true + ignore_failure: true + if: ctx.winlog?.event_data?.QueryStatus != null && ctx.winlog?.event_data?.QueryStatus != "" + - script: + description: Translate DNS Query status. 
+ lang: painless
+ params:
+ "5": "ERROR_ACCESS_DENIED"
+ "0": "SUCCESS"
+ "8": "ERROR_NOT_ENOUGH_MEMORY"
+ "13": "ERROR_INVALID_DATA"
+ "14": "ERROR_OUTOFMEMORY"
+ "123": "ERROR_INVALID_NAME"
+ "1214": "ERROR_INVALID_NETNAME"
+ "1223": "ERROR_CANCELLED"
+ "1460": "ERROR_TIMEOUT"
+ "4312": "ERROR_OBJECT_NOT_FOUND"
+ "9001": "DNS_ERROR_RCODE_FORMAT_ERROR"
+ "9002": "DNS_ERROR_RCODE_SERVER_FAILURE"
+ "9003": "DNS_ERROR_RCODE_NAME_ERROR"
+ "9004": "DNS_ERROR_RCODE_NOT_IMPLEMENTED"
+ "9005": "DNS_ERROR_RCODE_REFUSED"
+ "9006": "DNS_ERROR_RCODE_YXDOMAIN"
+ "9007": "DNS_ERROR_RCODE_YXRRSET"
+ "9008": "DNS_ERROR_RCODE_NXRRSET"
+ "9009": "DNS_ERROR_RCODE_NOTAUTH"
+ "9010": "DNS_ERROR_RCODE_NOTZONE"
+ "9016": "DNS_ERROR_RCODE_BADSIG"
+ "9017": "DNS_ERROR_RCODE_BADKEY"
+ "9018": "DNS_ERROR_RCODE_BADTIME"
+ "9101": "DNS_ERROR_KEYMASTER_REQUIRED"
+ "9102": "DNS_ERROR_NOT_ALLOWED_ON_SIGNED_ZONE"
+ "9103": "DNS_ERROR_NSEC3_INCOMPATIBLE_WITH_RSA_SHA1"
+ "9104": "DNS_ERROR_NOT_ENOUGH_SIGNING_KEY_DESCRIPTORS"
+ "9105": "DNS_ERROR_UNSUPPORTED_ALGORITHM"
+ "9106": "DNS_ERROR_INVALID_KEY_SIZE"
+ "9107": "DNS_ERROR_SIGNING_KEY_NOT_ACCESSIBLE"
+ "9108": "DNS_ERROR_KSP_DOES_NOT_SUPPORT_PROTECTION"
+ "9109": "DNS_ERROR_UNEXPECTED_DATA_PROTECTION_ERROR"
+ "9110": "DNS_ERROR_UNEXPECTED_CNG_ERROR"
+ "9111": "DNS_ERROR_UNKNOWN_SIGNING_PARAMETER_VERSION"
+ "9112": "DNS_ERROR_KSP_NOT_ACCESSIBLE"
+ "9113": "DNS_ERROR_TOO_MANY_SKDS"
+ "9114": "DNS_ERROR_INVALID_ROLLOVER_PERIOD"
+ "9115": "DNS_ERROR_INVALID_INITIAL_ROLLOVER_OFFSET"
+ "9116": "DNS_ERROR_ROLLOVER_IN_PROGRESS"
+ "9117": "DNS_ERROR_STANDBY_KEY_NOT_PRESENT"
+ "9118": "DNS_ERROR_NOT_ALLOWED_ON_ZSK"
+ "9119": "DNS_ERROR_NOT_ALLOWED_ON_ACTIVE_SKD"
+ "9120": "DNS_ERROR_ROLLOVER_ALREADY_QUEUED"
+ "9121": "DNS_ERROR_NOT_ALLOWED_ON_UNSIGNED_ZONE"
+ "9122": "DNS_ERROR_BAD_KEYMASTER"
+ "9123": "DNS_ERROR_INVALID_SIGNATURE_VALIDITY_PERIOD"
+ "9124": "DNS_ERROR_INVALID_NSEC3_ITERATION_COUNT"
+ "9125": "DNS_ERROR_DNSSEC_IS_DISABLED"
+ "9126":
"DNS_ERROR_INVALID_XML"
+ "9127": "DNS_ERROR_NO_VALID_TRUST_ANCHORS"
+ "9128": "DNS_ERROR_ROLLOVER_NOT_POKEABLE"
+ "9129": "DNS_ERROR_NSEC3_NAME_COLLISION"
+ "9130": "DNS_ERROR_NSEC_INCOMPATIBLE_WITH_NSEC3_RSA_SHA1"
+ "9501": "DNS_INFO_NO_RECORDS"
+ "9502": "DNS_ERROR_BAD_PACKET"
+ "9503": "DNS_ERROR_NO_PACKET"
+ "9504": "DNS_ERROR_RCODE"
+ "9505": "DNS_ERROR_UNSECURE_PACKET"
+ "9506": "DNS_REQUEST_PENDING"
+ "9551": "DNS_ERROR_INVALID_TYPE"
+ "9552": "DNS_ERROR_INVALID_IP_ADDRESS"
+ "9553": "DNS_ERROR_INVALID_PROPERTY"
+ "9554": "DNS_ERROR_TRY_AGAIN_LATER"
+ "9555": "DNS_ERROR_NOT_UNIQUE"
+ "9556": "DNS_ERROR_NON_RFC_NAME"
+ "9557": "DNS_STATUS_FQDN"
+ "9558": "DNS_STATUS_DOTTED_NAME"
+ "9559": "DNS_STATUS_SINGLE_PART_NAME"
+ "9560": "DNS_ERROR_INVALID_NAME_CHAR"
+ "9561": "DNS_ERROR_NUMERIC_NAME"
+ "9562": "DNS_ERROR_NOT_ALLOWED_ON_ROOT_SERVER"
+ "9563": "DNS_ERROR_NOT_ALLOWED_UNDER_DELEGATION"
+ "9564": "DNS_ERROR_CANNOT_FIND_ROOT_HINTS"
+ "9565": "DNS_ERROR_INCONSISTENT_ROOT_HINTS"
+ "9566": "DNS_ERROR_DWORD_VALUE_TOO_SMALL"
+ "9567": "DNS_ERROR_DWORD_VALUE_TOO_LARGE"
+ "9568": "DNS_ERROR_BACKGROUND_LOADING"
+ "9569": "DNS_ERROR_NOT_ALLOWED_ON_RODC"
+ "9570": "DNS_ERROR_NOT_ALLOWED_UNDER_DNAME"
+ "9571": "DNS_ERROR_DELEGATION_REQUIRED"
+ "9572": "DNS_ERROR_INVALID_POLICY_TABLE"
+ "9573": "DNS_ERROR_ADDRESS_REQUIRED"
+ "9601": "DNS_ERROR_ZONE_DOES_NOT_EXIST"
+ "9602": "DNS_ERROR_NO_ZONE_INFO"
+ "9603": "DNS_ERROR_INVALID_ZONE_OPERATION"
+ "9604": "DNS_ERROR_ZONE_CONFIGURATION_ERROR"
+ "9605": "DNS_ERROR_ZONE_HAS_NO_SOA_RECORD"
+ "9606": "DNS_ERROR_ZONE_HAS_NO_NS_RECORDS"
+ "9607": "DNS_ERROR_ZONE_LOCKED"
+ "9608": "DNS_ERROR_ZONE_CREATION_FAILED"
+ "9609": "DNS_ERROR_ZONE_ALREADY_EXISTS"
+ "9610": "DNS_ERROR_AUTOZONE_ALREADY_EXISTS"
+ "9611": "DNS_ERROR_INVALID_ZONE_TYPE"
+ "9612": "DNS_ERROR_SECONDARY_REQUIRES_MASTER_IP"
+ "9613": "DNS_ERROR_ZONE_NOT_SECONDARY"
+ "9614": "DNS_ERROR_NEED_SECONDARY_ADDRESSES"
+ "9615": "DNS_ERROR_WINS_INIT_FAILED"
+ "9616":
"DNS_ERROR_NEED_WINS_SERVERS"
+ "9617": "DNS_ERROR_NBSTAT_INIT_FAILED"
+ "9618": "DNS_ERROR_SOA_DELETE_INVALID"
+ "9619": "DNS_ERROR_FORWARDER_ALREADY_EXISTS"
+ "9620": "DNS_ERROR_ZONE_REQUIRES_MASTER_IP"
+ "9621": "DNS_ERROR_ZONE_IS_SHUTDOWN"
+ "9622": "DNS_ERROR_ZONE_LOCKED_FOR_SIGNING"
+ "9651": "DNS_ERROR_PRIMARY_REQUIRES_DATAFILE"
+ "9652": "DNS_ERROR_INVALID_DATAFILE_NAME"
+ "9653": "DNS_ERROR_DATAFILE_OPEN_FAILURE"
+ "9654": "DNS_ERROR_FILE_WRITEBACK_FAILED"
+ "9655": "DNS_ERROR_DATAFILE_PARSING"
+ "9701": "DNS_ERROR_RECORD_DOES_NOT_EXIST"
+ "9702": "DNS_ERROR_RECORD_FORMAT"
+ "9703": "DNS_ERROR_NODE_CREATION_FAILED"
+ "9704": "DNS_ERROR_UNKNOWN_RECORD_TYPE"
+ "9705": "DNS_ERROR_RECORD_TIMED_OUT"
+ "9706": "DNS_ERROR_NAME_NOT_IN_ZONE"
+ "9707": "DNS_ERROR_CNAME_LOOP"
+ "9708": "DNS_ERROR_NODE_IS_CNAME"
+ "9709": "DNS_ERROR_CNAME_COLLISION"
+ "9710": "DNS_ERROR_RECORD_ONLY_AT_ZONE_ROOT"
+ "9711": "DNS_ERROR_RECORD_ALREADY_EXISTS"
+ "9712": "DNS_ERROR_SECONDARY_DATA"
+ "9713": "DNS_ERROR_NO_CREATE_CACHE_DATA"
+ "9714": "DNS_ERROR_NAME_DOES_NOT_EXIST"
+ "9715": "DNS_WARNING_PTR_CREATE_FAILED"
+ "9716": "DNS_WARNING_DOMAIN_UNDELETED"
+ "9717": "DNS_ERROR_DS_UNAVAILABLE"
+ "9718": "DNS_ERROR_DS_ZONE_ALREADY_EXISTS"
+ "9719": "DNS_ERROR_NO_BOOTFILE_IF_DS_ZONE"
+ "9720": "DNS_ERROR_NODE_IS_DNAME"
+ "9721": "DNS_ERROR_DNAME_COLLISION"
+ "9722": "DNS_ERROR_ALIAS_LOOP"
+ "9751": "DNS_INFO_AXFR_COMPLETE"
+ "9752": "DNS_ERROR_AXFR"
+ "9753": "DNS_INFO_ADDED_LOCAL_WINS"
+ "9801": "DNS_STATUS_CONTINUE_NEEDED"
+ "9851": "DNS_ERROR_NO_TCPIP"
+ "9852": "DNS_ERROR_NO_DNS_SERVERS"
+ "9901": "DNS_ERROR_DP_DOES_NOT_EXIST"
+ "9902": "DNS_ERROR_DP_ALREADY_EXISTS"
+ "9903": "DNS_ERROR_DP_NOT_ENLISTED"
+ "9904": "DNS_ERROR_DP_ALREADY_ENLISTED"
+ "9905": "DNS_ERROR_DP_NOT_AVAILABLE"
+ "9906": "DNS_ERROR_DP_FSMO_ERROR"
+ "9911": "DNS_ERROR_RRL_NOT_ENABLED"
+ "9912": "DNS_ERROR_RRL_INVALID_WINDOW_SIZE"
+ "9913": "DNS_ERROR_RRL_INVALID_IPV4_PREFIX"
+ "9914":
"DNS_ERROR_RRL_INVALID_IPV6_PREFIX"
+ "9915": "DNS_ERROR_RRL_INVALID_TC_RATE"
+ "9916": "DNS_ERROR_RRL_INVALID_LEAK_RATE"
+ "9917": "DNS_ERROR_RRL_LEAK_RATE_LESSTHAN_TC_RATE"
+ "9921": "DNS_ERROR_VIRTUALIZATION_INSTANCE_ALREADY_EXISTS"
+ "9922": "DNS_ERROR_VIRTUALIZATION_INSTANCE_DOES_NOT_EXIST"
+ "9923": "DNS_ERROR_VIRTUALIZATION_TREE_LOCKED"
+ "9924": "DNS_ERROR_INVAILD_VIRTUALIZATION_INSTANCE_NAME"
+ "9925": "DNS_ERROR_DEFAULT_VIRTUALIZATION_INSTANCE"
+ "9951": "DNS_ERROR_ZONESCOPE_ALREADY_EXISTS"
+ "9952": "DNS_ERROR_ZONESCOPE_DOES_NOT_EXIST"
+ "9953": "DNS_ERROR_DEFAULT_ZONESCOPE"
+ "9954": "DNS_ERROR_INVALID_ZONESCOPE_NAME"
+ "9955": "DNS_ERROR_NOT_ALLOWED_WITH_ZONESCOPES"
+ "9956": "DNS_ERROR_LOAD_ZONESCOPE_FAILED"
+ "9957": "DNS_ERROR_ZONESCOPE_FILE_WRITEBACK_FAILED"
+ "9958": "DNS_ERROR_INVALID_SCOPE_NAME"
+ "9959": "DNS_ERROR_SCOPE_DOES_NOT_EXIST"
+ "9960": "DNS_ERROR_DEFAULT_SCOPE"
+ "9961": "DNS_ERROR_INVALID_SCOPE_OPERATION"
+ "9962": "DNS_ERROR_SCOPE_LOCKED"
+ "9963": "DNS_ERROR_SCOPE_ALREADY_EXISTS"
+ "9971": "DNS_ERROR_POLICY_ALREADY_EXISTS"
+ "9972": "DNS_ERROR_POLICY_DOES_NOT_EXIST"
+ "9973": "DNS_ERROR_POLICY_INVALID_CRITERIA"
+ "9974": "DNS_ERROR_POLICY_INVALID_SETTINGS"
+ "9975": "DNS_ERROR_CLIENT_SUBNET_IS_ACCESSED"
+ "9976": "DNS_ERROR_CLIENT_SUBNET_DOES_NOT_EXIST"
+ "9977": "DNS_ERROR_CLIENT_SUBNET_ALREADY_EXISTS"
+ "9978": "DNS_ERROR_SUBNET_DOES_NOT_EXIST"
+ "9979": "DNS_ERROR_SUBNET_ALREADY_EXISTS"
+ "9980": "DNS_ERROR_POLICY_LOCKED"
+ "9981": "DNS_ERROR_POLICY_INVALID_WEIGHT"
+ "9982": "DNS_ERROR_POLICY_INVALID_NAME"
+ "9983": "DNS_ERROR_POLICY_MISSING_CRITERIA"
+ "9984": "DNS_ERROR_INVALID_CLIENT_SUBNET_NAME"
+ "9985": "DNS_ERROR_POLICY_PROCESSING_ORDER_INVALID"
+ "9986": "DNS_ERROR_POLICY_SCOPE_MISSING"
+ "9987": "DNS_ERROR_POLICY_SCOPE_NOT_ALLOWED"
+ "9988": "DNS_ERROR_SERVERSCOPE_IS_REFERENCED"
+ "9989": "DNS_ERROR_ZONESCOPE_IS_REFERENCED"
+ "9990": "DNS_ERROR_POLICY_INVALID_CRITERIA_CLIENT_SUBNET"
+ "9991":
"DNS_ERROR_POLICY_INVALID_CRITERIA_TRANSPORT_PROTOCOL"
+ "9992": "DNS_ERROR_POLICY_INVALID_CRITERIA_NETWORK_PROTOCOL"
+ "9993": "DNS_ERROR_POLICY_INVALID_CRITERIA_INTERFACE"
+ "9994": "DNS_ERROR_POLICY_INVALID_CRITERIA_FQDN"
+ "9995": "DNS_ERROR_POLICY_INVALID_CRITERIA_QUERY_TYPE"
+ "9996": "DNS_ERROR_POLICY_INVALID_CRITERIA_TIME_OF_DAY"
+ "10054": "WSAECONNRESET"
+ "10055": "WSAENOBUFS"
+ "10060": "WSAETIMEDOUT"
+ if: ctx.sysmon?.dns?.status != null && ctx.sysmon?.dns?.status != ""
+ source: |-
+ def status = params[ctx.sysmon.dns.status];
+ if (status != null) {
+ ctx.sysmon.dns.status = status;
+ }
+ - convert:
+ field: winlog.event_data.Archived
+ target_field: sysmon.file.archived
+ type: boolean
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.winlog?.event_data?.Archived != null && ctx.winlog?.event_data?.Archived != ""
+ - convert:
+ field: winlog.event_data.IsExecutable
+ target_field: sysmon.file.is_executable
+ type: boolean
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.winlog?.event_data?.IsExecutable != null && ctx.winlog?.event_data?.IsExecutable != ""
+ - convert:
+ field: error.code
+ type: string
+ ignore_missing: true
+
+## Related fields
+
+ - append:
+ field: related.user
+ value: "{{user.name}}"
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx.user?.name != null && ctx.user.name != ""
+ - append:
+ field: related.ip
+ value: "{{source.ip}}"
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx.source?.ip != null && ctx.source.ip != ""
+ - append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx.destination?.ip != null && ctx.destination.ip != ""
+
+## Registry fields
+
+ - script:
+ description: Set registry fields.
+ lang: painless
+ if: |-
+ ctx.winlog?.event_data?.TargetObject != null && ctx.winlog?.event_data?.TargetObject != "" &&
+ ["12", "13", "14"].contains(ctx.event.code)
+ params:
+ HKEY_CLASSES_ROOT: "HKCR"
+ HKCR: "HKCR"
+ HKEY_CURRENT_CONFIG: "HKCC"
+ HKCC: "HKCC"
+ HKEY_CURRENT_USER: "HKCU"
+ HKCU: "HKCU"
+ HKEY_DYN_DATA: "HKDD"
+ HKDD: "HKDD"
+ HKEY_LOCAL_MACHINE: "HKLM"
+ HKLM: "HKLM"
+ HKEY_PERFORMANCE_DATA: "HKPD"
+ HKPD: "HKPD"
+ HKEY_USERS: "HKU"
+ HKU: "HKU"
+ source: |-
+ ctx.registry = new HashMap();
+ Pattern qwordRegex = /(?i)QWORD \(((0x[0-9A-F]{8})-(0x[0-9A-F]{8}))\)/;
+ Pattern dwordRegex = /(?i)DWORD \((0x[0-9A-F]{8})\)/;
+ Pattern binDataRegex = /Binary Data/;
+
+ def path = ctx.winlog.event_data.TargetObject;
+ ctx.registry.path = path;
+
+ def pathTokens = Arrays.asList(/\\/.split(path));
+ def hive = params[pathTokens[0]];
+ if (hive != null) {
+ ctx.registry.hive = hive;
+ if (pathTokens.length > 1) {
+ ctx.registry.key = pathTokens.subList(1, pathTokens.length).join("\\");
+ }
+ }
+
+ def value = pathTokens[pathTokens.length - 1];
+ ctx.registry.value = value;
+
+ def data = ctx.winlog?.event_data?.Details;
+ if (data != null && data != "") {
+ def prefixLen = 2; // to remove 0x prefix
+ def dataValue = "";
+ def dataType = "";
+ def matcher = qwordRegex.matcher(data);
+ if (matcher.matches()) {
+ def parsedHighByte = Long.parseLong(matcher.group(2).substring(prefixLen), 16);
+ def parsedLowByte = Long.parseLong(matcher.group(3).substring(prefixLen), 16);
+ if (!Double.isNaN(parsedHighByte) && !Double.isNaN(parsedLowByte)) {
+ dataType = "SZ_QWORD";
+ dataValue = Long.toString(((parsedHighByte << 8) + parsedLowByte));
+ ctx.registry.data = [
+ "strings": [dataValue],
+ "type": dataType
+ ];
+ }
+ return;
+ }
+
+ matcher = dwordRegex.matcher(data);
+ if (matcher.matches()) {
+ def parsedValue = Long.parseLong(matcher.group(1).substring(prefixLen), 16);
+ if (!Double.isNaN(parsedValue)) {
+ dataType = "SZ_DWORD";
+ dataValue =
Long.toString(parsedValue);
+ ctx.registry.data = [
+ "strings": [dataValue],
+ "type": dataType
+ ];
+ }
+ return;
+ }
+
+ matcher = binDataRegex.matcher(data);
+ if (matcher.matches()) {
+ // Data type could be REG_BINARY or REG_MULTI_SZ
+ ctx.registry.data = [
+ "strings": [data],
+ "type": "REG_BINARY"
+ ];
+ return;
+ }
+
+ // REG_SZ or REG_EXPAND_SZ
+ ctx.registry.data = [
+ "strings": [data],
+ "type": "REG_SZ"
+ ];
+ }
+
+
+## Conformity
+ - rename:
+ field: winlog.event_data.TargetProcessGuid
+ target_field: winlog.event_data.TargetProcessGUID
+ if: ctx.winlog?.event_data?.TargetProcessGuid != null
+
+## Cleanup
+
+ - remove:
+ field:
+ - _temp
+ - winlog.event_data.ProcessId
+ - winlog.event_data.ParentProcessId
+ - winlog.event_data.SourceProcessId
+ - winlog.event_data.SourceThreadId
+ - winlog.event_data.SourceIp
+ - winlog.event_data.SourcePort
+ - winlog.event_data.SourcePortName
+ - winlog.event_data.DestinationIp
+ - winlog.event_data.DestinationPort
+ - winlog.event_data.DestinationPortName
+ - winlog.event_data.RuleName
+ - winlog.event_data.User
+ - winlog.event_data.Initiated
+ - winlog.event_data.SourceIsIpv6
+ - winlog.event_data.DestinationIsIpv6
+ - winlog.event_data.QueryStatus
+ - winlog.event_data.Archived
+ - winlog.event_data.IsExecutable
+ - winlog.event_data.QueryResults
+ - winlog.event_data.UtcTime
+ - winlog.event_data.Hash
+ - winlog.event_data.Hashes
+ - winlog.event_data.TargetObject
+ - winlog.event_data.Details
+ - winlog.time_created
+ - winlog.level
+ ignore_failure: true
+ ignore_missing: true
+ - script:
+ description: Remove all empty values from event_data.
+ lang: painless
+ source: ctx.winlog?.event_data?.entrySet().removeIf(entry -> entry.getValue() == null || entry.getValue().equals("") || entry.getValue().equals("-"));
+ if: ctx.winlog?.event_data != null
+ - remove:
+ description: Remove empty event data.
+ field: winlog.event_data
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.winlog?.event_data != null && ctx.winlog.event_data.size() == 0
+
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: "{{{ _ingest.on_failure_message }}}"