EricZimmerman / evtx

C# based evtx parser with lots of extras
MIT License
282 stars 59 forks

New map ideas #71

Closed AndrewRathbun closed 3 years ago

AndrewRathbun commented 3 years ago

@hyuunnn @forensenellanebbia and anyone else looking for something to contribute. I want to make sure all the events covered in the link below have maps. These are very common attacker TTPs, so the goal is to have the Map Description and as much relevant information mapped out so these events are not overlooked.

https://jpcertcc.github.io/ToolAnalysisResultSheet/

It's simple enough to find an event the site lists for a specific tool and cross reference to see if a map already exists. We also need to make sure this site is listed in Documentation for any event maps that it covers, which is probably a lot of them, but that can happen over time.

I'm always looking for new maps to create but this project should at least give some direction until they are all covered. Not that the maps that've been added lately don't add value, but I figure it might be smart to make sure the ones this project identified as having recorded information relating to common attacker TTPs are covered.

AndrewRathbun commented 3 years ago

Another idea for maps, if you can find/produce examples of the events.

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus

forensenellanebbia commented 3 years ago

Many useful evtx samples related to different attacks can be found here: https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES

I'll have a look at the Tool Analysis Result Sheet and see what I can do.

AndrewRathbun commented 3 years ago

> Many useful evtx samples related to different attacks can be found here: https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
>
> I'll have a look at the Tool Analysis Result Sheet and see what I can do.

Oh yes. That's where I got the sample events for most of the Sysmon logs. Ultimate Windows Security had me covered on the rest.

Thanks for chipping in as you see fit!

AndrewRathbun commented 3 years ago

> Many useful evtx samples related to different attacks can be found here: https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
>
> I'll have a look at the Tool Analysis Result Sheet and see what I can do.

This morning, I've been going through the CSV output of parsing this entire directory, sorting on blank Map Description, and then filtering on Security, for instance, and just going down the line and creating maps one by one. That's been a pretty effective way to go about it so far, I've found.
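The methodology described in this comment (parse a directory of evtx files with EvtxECmd to CSV, sort on a blank Map Description, filter on one Channel, and work down the list) can be turned into a small gap report. The script below is an added example, not code from the evtx project or from anyone in this thread. It assumes the CSV column names `MapDescription`, `Channel`, `Provider` and `EventId` as written by EvtxECmd, and the rows it reads are constructed sample data embedded inline (including an EventId 0 ScreenConnect row modelled on the attachment name later in the thread), not real logs.

```python
"""Gap report over EvtxECmd CSV output: which (Channel, Provider, EventId)
combinations still have no map? Added example; not part of the evtx project."""
import csv
import io
from collections import Counter

# Constructed sample rows. Column names are assumed to match EvtxECmd's CSV
# output; a blank MapDescription means no map matched that event.
SAMPLE_CSV = """RecordNumber,EventId,Provider,Channel,MapDescription
1,4624,Microsoft-Windows-Security-Auditing,Security,Successful logon
2,4688,Microsoft-Windows-Security-Auditing,Security,
3,4688,Microsoft-Windows-Security-Auditing,Security,
4,5145,Microsoft-Windows-Security-Auditing,Security,
5,1,Microsoft-Windows-Sysmon,Microsoft-Windows-Sysmon/Operational,Process creation
6,0,ScreenConnect Client (4f1287b1262a719e),Application,
"""


def unmapped_events(csv_text, channel=None):
    """Count rows with a blank MapDescription, keyed by (Channel, Provider, EventId).

    If channel is given, only rows from that Channel are counted, mirroring the
    'filter on Security' step in the comment above.
    """
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["MapDescription"].strip():
            continue  # already mapped, nothing to do
        if channel is not None and row["Channel"] != channel:
            continue
        key = (row["Channel"], row["Provider"], int(row["EventId"]))
        counts[key] += 1
    return counts


def gap_report(csv_text, channel=None):
    """Unmapped combinations, most frequent first, then by key for a stable order.

    Sorting by volume means the maps that would describe the most rows in the
    parsed data set get written first.
    """
    return sorted(unmapped_events(csv_text, channel).items(),
                  key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for (chan, prov, eid), n in gap_report(SAMPLE_CSV, channel="Security"):
        print(f"{n:5d}  {chan}  {prov}  EventId {eid}")
```

Point the reader at a real export by replacing `SAMPLE_CSV` with the contents of the EvtxECmd CSV; each line of the report corresponds to one map file that still needs to be written.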

forensenellanebbia commented 3 years ago

I've seen a lot of updates going on today! I'm using your same methodology 👍

I guess LogonIDs should have a dedicated Property (like UserName or ExecutableInfo), otherwise they keep being mapped to different columns making them less effective as a filter with TLE.

EricZimmerman commented 3 years ago

Add them into the username field when they exist.

Username (login ID)

AndrewRathbun commented 3 years ago

> I've seen a lot of updates going on today! I'm using your same methodology 👍
>
> I guess LogonIDs should have a dedicated Property (like UserName or ExecutableInfo), otherwise they keep being mapped to different columns making them less effective as a filter with TLE.

When we're done with getting more maps created, I do want to take a step back and try to get a bigger picture look at what information is being mapped where. I want to avoid a user's SID being sprayed in all columns throughout all the maps and try to minimize the hopping from column to column for the same info. I tried to do this with the Sysmon logs where if you filtered just on Sysmon you'd hopefully see a lot of the same info stored in one column, rarely two. Different events record different things, of course, but Security events have lots of similar info stored in them so maybe the long term goal is a loose standardization by Channel/Provider grouping. So all Sysmon try to be as uniform as possible, when applicable, Microsoft-Windows-Security-Auditing tries to do the same, etc.

EricZimmerman commented 3 years ago

I really want to avoid adding another 10 columns because then things start becoming empty for maps where those dedicated columns can't be filled.

forensenellanebbia commented 3 years ago

> Add them into the username field when they exist.
>
> Username (login ID)

Thanks for the suggestion, but I'll try not to do it. I don't want to flood that field with hundreds of username variations.

AndrewRathbun commented 3 years ago

> I really want to avoid adding another 10 columns because then things start becoming empty for maps where those dedicated columns can't be filled.

I totally get that. I'm more referring to the PayloadData columns and what information is currently mapped within the existing columns. I think only once in all the maps I've put together did I wish I had a PayloadData7 column. So I think we are good there.

For example, I'm more talking about SID being mapped to PD1 for one map, PD2 for another map, attached to Domain/user (SID) in some, etc. I think keeping it standardized within a Channel/Provider grouping makes the most sense since standardizing it across all maps/Channels would be a) impossible and b) way too hard to do given the various Channels and Providers and what data is stored for each.

hyuunnn commented 3 years ago

https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events 👍

AndrewRathbun commented 3 years ago

> https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events 👍

Nice link! I'll use this as well. I do most of my map making on weekends. Thanks for all of the help so far!

AndrewRathbun commented 3 years ago

@hyuunnn that link has been very helpful. Thankfully, Microsoft has a lot of examples of these events on their documentation site.

AndrewRathbun commented 3 years ago

The new Sysmon 24 (Clipboard Contents) and 25 (ProcessTampering) events were added. Still working through the links posted here. I'm also working on a spreadsheet to see where things are currently mapped in each column so down the road we can have cleaner output. That's a longer term goal, though. Still adding maps in the meantime to flesh out those that could potentially be relevant during an incident.

AndrewRathbun commented 3 years ago

https://github.com/gingerknight/Windows-IR-Forensics/blob/master/Windows%20Event%20Logs.txt

More ideas!

lnk-0 commented 3 years ago

Created a rough map for ScreenConnect events from the Application.evtx to help with Map Description filtering. Feel free to tweak and add to the existing Maps. Application_ScreenConnect-Client_0.txt

AndrewRathbun commented 3 years ago

> Created a rough map for ScreenConnect events from the Application.evtx to help with Map Description filtering. Feel free to tweak and add to the existing Maps. Application_ScreenConnect-Client_0.txt

Thanks for doing this. The only way I could tweak is to have a .evtx file with this exact event in it. Do you have one you can share? Also, you're welcome to do a PR yourself.

lnk-0 commented 3 years ago

> Created a rough map for ScreenConnect events from the Application.evtx to help with Map Description filtering. Feel free to tweak and add to the existing Maps. Application_ScreenConnect-Client_0.txt
>
> Thanks for doing this. The only way I could tweak is to have a .evtx file with this exact event in it. Do you have one you can share? Also, you're welcome to do a PR yourself.

Hi @rathbuna, I do not have one that is sterilized at this time but can get one when time permits. Is there any functionality to wildcard in the "Provider:" field in the maps? ScreenConnect adds a thumbprint value (16 numbers/letters) to the provider field. Example: Provider: ScreenConnect Client (4f1287b1262a719e)

AndrewRathbun commented 3 years ago

> Created a rough map for ScreenConnect events from the Application.evtx to help with Map Description filtering. Feel free to tweak and add to the existing Maps. Application_ScreenConnect-Client_0.txt
>
> Thanks for doing this. The only way I could tweak is to have a .evtx file with this exact event in it. Do you have one you can share? Also, you're welcome to do a PR yourself.
>
> Hi @rathbuna, I do not have one that is sterilized at this time but can get one when time permits. Is there any functionality to wildcard in the "Provider:" field in the maps? ScreenConnect adds a thumbprint value (16 numbers/letters) to the provider field. Example: Provider: ScreenConnect Client (4f1287b1262a719e)

I think I've noticed this before as well. That's something for @EricZimmerman to chime in on.

hyuunnn commented 3 years ago

https://github.com/stuhli/awesome-event-ids new link :)

EricZimmerman commented 3 years ago

Can't we just do multiple maps, one per provider? (Assuming this is still an issue.)
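If the answer to the wildcard question is one map per exact provider string, the first job is to find out which provider strings actually occur in the parsed data, and to group variants that differ only by the per-install thumbprint so they can be reviewed together. The script below is an added example, not code from the evtx project or from anyone in this thread. It assumes EvtxECmd's `Provider` and `Channel` CSV column names; the rows are constructed, and of the two thumbprints only the first is the one quoted in the thread (the second is made up).

```python
"""Group EvtxECmd Provider strings by product, stripping a trailing 16-hex-digit
thumbprint such as ScreenConnect's, so that one map per exact provider string can
be planned. Added example; not part of the evtx project."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows; column names assumed to match EvtxECmd output.
# Only the first thumbprint appears in the thread; the second is invented.
SAMPLE_CSV = """RecordNumber,EventId,Provider,Channel,MapDescription
1,0,ScreenConnect Client (4f1287b1262a719e),Application,
2,0,ScreenConnect Client (4f1287b1262a719e),Application,
3,0,ScreenConnect Client (0123456789abcdef),Application,
4,1003,Microsoft-Windows-Security-SPP,Application,
5,4624,Microsoft-Windows-Security-Auditing,Security,
"""

# A provider name followed by exactly 16 hex characters in parentheses,
# which is the shape of the ScreenConnect provider string quoted above.
THUMBPRINT_RE = re.compile(r"^(?P<base>.+?)\s*\((?P<tp>[0-9a-fA-F]{16})\)$")


def provider_family(provider):
    """Return the provider name with a trailing thumbprint removed.

    Providers without a thumbprint are returned unchanged, so this is safe to
    apply to every row.
    """
    m = THUMBPRINT_RE.match(provider)
    return m.group("base") if m else provider


def providers_by_family(csv_text, channel):
    """{family: sorted list of exact Provider strings} for one Channel.

    Each exact string in a list is one provider that would need its own map if
    the map matcher only does exact Provider matches.
    """
    families = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Channel"] == channel:
            families[provider_family(row["Provider"])].add(row["Provider"])
    return {fam: sorted(names) for fam, names in families.items()}


def thumbprint_variants(csv_text, channel):
    """Families that occur under more than one exact Provider string.

    These are the ones where a single map cannot cover every installation,
    so the per-provider map count is easy to underestimate.
    """
    return {fam: names for fam, names in providers_by_family(csv_text, channel).items()
            if len(names) > 1}


if __name__ == "__main__":
    for fam, names in providers_by_family(SAMPLE_CSV, "Application").items():
        print(f"{fam}: {len(names)} exact provider string(s)")
        for n in names:
            print(f"    {n}")
```

Run this over a real export and the `thumbprint_variants` output tells you how many ScreenConnect maps one data set alone would need; a fresh thumbprint from a different host will still produce an unmapped event, which is the practical cost of exact-match maps for this provider.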

AndrewRathbun commented 3 years ago

> https://github.com/stuhli/awesome-event-ids new link :)

Thanks for the link, just did a PR to add a link to the Maps directory on this repo.

AndrewRathbun commented 3 years ago

Also, new Map Ideas should go here: https://github.com/EricZimmerman/evtx/projects/1

AndrewRathbun commented 3 years ago

Closing this since we have this project board now.