Write an agent. The agent should be able to run in Windows and Linux environments. When started, it should run in listen mode and begin monitoring the host's file traffic. When a new file is written to the system or an existing file is modified, save the indicators you choose (hash, changed byte data, etc.) to Elasticsearch. Design a dashboard in Kibana for the recorded data.
Windows and other applications implement their own Providers to enable logging/tracing of events. Provider events are then enabled/registered/subscribed via Controller sessions. Consumers select/subscribe to tracing sessions to receive the event feed in real time (or from a file).
The logman CLI tool can be used to view active tracing sessions, list providers and their capabilities, etc.
Providers around File/Disk I/O
- Microsoft-Windows-Kernel-File
- Microsoft-Windows-Kernel-Disk
- Microsoft-Windows-Disk
- Microsoft-Windows-FileInfoMinifilter
KrabsETW, by Microsoft, is a modern C++ wrapper around the low-level ETW trace consumption functions.
!Missing Events
!Common Bypasses
- Can’t trace bytes written/changes? Snapshot and diff changes?
- It’s known to be used by EDRs, and there are some easy evasion techniques that should be checked for
Normal user-space programs use Windows API calls to do OS/kernel work. These APIs can be hooked with various methods to trace, control or inspect the calls.
- It’s a well-known and well-studied method, with known options to evade it.
Checking if the APIs are hooked:
- by comparing the in-memory methods to the methods in the DLL file on disk
- by checking the target methods’ first instructions for jmps
Known evasions of the hooks (what such a check has to account for):
- doing direct syscalls instead of using the APIs
- indirect syscalls
Hooking methods:
- Import Address Table (IAT)
- Export Address Table (EAT)
- Inline hooking
- Interrupt Descriptor Table (IDT) (?)
? Pipe to a custom app to consume? Does it really provide more data + protection compared to ETW?
Looks like Procmon for Linux uses this method.
If not using deep methods like VMI or file system filter drivers, the optimal way to cover the most seems to me to be:
- ETW for file I/O + weird syscalls (like Hunt-Weird-Syscalls), with ETW evasion checks
- user-space API hooking to trace changes (optional, if the target’s behaviour changes on hook detection)
- snapshotting and diffing files to trace changes
Rust agent
I made a simple Rust agent that creates an ETW session to consume and feed the events to an Elastic Agent’s TCP module. Since it’s currently synchronous, it’s likely to clog.
Elasticsearch agent
I test Windows functions locally. Elastic Agent defaults its target localhost to the Docker-internal network IP; to be able to connect from the Windows host instead, I need to route that IP to localhost on the Windows network. The Agent output IP address is found at Fleet > Settings > Outputs.
netsh int ip sh int # find the loopback interface index
netsh int ip add addr [idx] [targetip]/32 st=ac sk=tr
# st=ac -> store=active: the address is not persisted and disappears after a reboot
# sk=tr -> skipassource=true: do not use the address as the source address for any outgoing packet unless explicitly specified (the default is false)
I couldn’t get the Custom Windows Event Logs integration to work with Microsoft-Windows-Kernel-File/Analytic or Microsoft-Windows-FileInfoMinifilter/Operational. It might be because they are real-time ETW traces and Custom Windows Event Logs only supports event logs? Currently they’re about to add ETW tracing functionality to Filebeat and eventually Kibana: elastic/beats#36914, elastic/beats#36915, elastic/integrations#8839.
Since the Filebeat functionality was merged recently, I’ll try building from source. My other tool was using the Windows API to create and listen to the ETW trace, then send events to the Fleet Agent’s custom TCP port over a TCP connection. Its limitation is that it’s all sync at the moment, so when there are lots of events it seemed to clog.
The current commit is in the x-pack directory, and it seems to have different licensing for now.
After building the new filebeat binary, we need to configure a filebeat.yml for the agent’s configuration. The build tool also creates a filebeat.reference.yml for reference.
Creating users/roles to grant the agent access for modifying indices / inputting new data:
Fleet Agent with the File Integrity Monitoring integration monitors file changes:
- seems to be missing reads
- does not provide the process ID
ETW with Filebeat on Windows monitors file access through Microsoft-Windows-Kernel-File events:
- FileName can be linked through FileKey => FileObject:FileName, but I couldn’t query/join the docs. Example: Doc1{FileKey:“123”, OtherEventData:{}..}, Doc2{FileObject:“123”, FileName:“C:\asd.txt”}; then Doc1 is also an event on asd.txt. Details:
- does not provide the process name. Could be resolved with another module tracking/snapshotting active PIDs and process names to later map event PIDs.
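The FileKey => FileObject:FileName join and the PID => process-name mapping described above can be done inside the agent before the event is shipped, so each Elasticsearch document is self-contained and no cross-document join is needed. This is an added example and not the author's Rust agent or Filebeat code; the event shapes, the process snapshot (pid 4242 = notepad.exe) and the FileKeys 0x123/0x456 are constructed sample data.

```rust
// Added example (not the page's agent): enrich Microsoft-Windows-Kernel-File
// events in the agent. Field names follow the page; all sample data is constructed.
use std::collections::HashMap;
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Op { Create, Write, Close }
pub struct RawEvent {
    pub op: Op, pub pid: u32,
    pub file_key: u64,              // FileObject on Create, FileKey afterwards
    pub file_name: Option<String>,  // only the Create event carries FileName
}
#[derive(Debug, Clone, PartialEq)]
pub struct Enriched { pub op: Op, pub pid: u32, pub process: String, pub file_name: String }
pub struct Correlator {
    names: HashMap<u64, String>, // FileObject/FileKey -> FileName for currently open files
    procs: HashMap<u32, String>, // pid -> process name, snapshotted at session start
}
impl Correlator {
    pub fn new(process_snapshot: HashMap<u32, String>) -> Self {
        Correlator { names: HashMap::new(), procs: process_snapshot }
    }
    pub fn enrich(&mut self, ev: &RawEvent) -> Enriched {
        if let (Op::Create, Some(name)) = (ev.op, &ev.file_name) {
            self.names.insert(ev.file_key, name.clone());
        }
        // A file opened before the session started has no Create event; keep the
        // raw key visible in the document instead of silently dropping the event.
        let file_name = self.names.get(&ev.file_key).cloned()
            .unwrap_or_else(|| format!("<unresolved FileKey {:#x}>", ev.file_key));
        if ev.op == Op::Close {
            self.names.remove(&ev.file_key); // FileObject addresses get reused after close
        }
        let process = self.procs.get(&ev.pid).cloned().unwrap_or("<unknown pid>".to_string());
        Enriched { op: ev.op, pid: ev.pid, process, file_name }
    }
}
// Constructed trace: Create/Write/Close on the page's C:\asd.txt, then a Write
// whose FileKey was never announced by a Create (opened before the session).
pub fn demo() -> Vec<Enriched> {
    let mut c = Correlator::new(HashMap::from([(4242, "notepad.exe".to_string())]));
    let trace = [
        RawEvent { op: Op::Create, pid: 4242, file_key: 0x123, file_name: Some(r"C:\asd.txt".into()) },
        RawEvent { op: Op::Write, pid: 4242, file_key: 0x123, file_name: None },
        RawEvent { op: Op::Close, pid: 4242, file_key: 0x123, file_name: None },
        RawEvent { op: Op::Write, pid: 999, file_key: 0x456, file_name: None },
    ];
    trace.iter().map(|e| c.enrich(e)).collect()
}
```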