Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU Affero General Public License v3.0

`null` channel output with `./hayabusa-1.7.0-mac-intel -d ../hayabusa-sample-evtx -M` #727

Closed hitenkoku closed 2 years ago

hitenkoku commented 2 years ago
    On a separate matter, when I ran `./hayabusa-1.7.0-mac-intel -d ../hayabusa-sample-evtx -M`:
    [Screenshot: Screen Shot 2022-10-02 at 4 14 37]

    The top two Channels come out as null, but there should be no empty channel names (as far as I understand). Do you know what this EID is? @hitenkoku

Originally posted by @YamatoSecurity in https://github.com/Yamato-Security/hayabusa/issues/463#issuecomment-1264458394

hitenkoku commented 2 years ago

@YamatoSecurity When I added debug output, it turned out that the cause is that the target logs simply have no Channel at all. I have confirmed that the target data contains no channel, so if there are no objections, please close this.

YamatoSecurity commented 2 years ago

Thank you for identifying the cause! So it was an ETW file. Since it is not EVTX, I have removed it from sample-evtx.

YamatoSecurity commented 2 years ago

@hitenkoku Sorry. I was going to resolve this by deleting events with a null channel, such as ETW events, from the hayabusa-sample-evtx repository, but users out there will probably scan EVTX files that contain ETW events, so I would like to handle it by ignoring events whose channel name is null. Could you take care of that?

hitenkoku commented 2 years ago

@YamatoSecurity Just to confirm: when the channel name is null, the event should be excluded from the counts?

hitenkoku commented 2 years ago

Also, at present events should still be detected even if they are ETW; what should we do about that? "Ignore" could also be read as discarding them without showing them in the results at all, so what would you like?

YamatoSecurity commented 2 years ago

    @YamatoSecurity Just to confirm: when the channel name is null, the event should be excluded from the counts?

Yes, that's right.

    Also, at present events should still be detected even if they are ETW; what should we do about that? "Ignore" could also be read as discarding them without showing them in the results at all, so what would you like?

I see. Right. When scanning, the channel name is basically part of the rule conditions, so no rule should match anyway, and there are no ETW rules, so during scanning too I would like to ignore events whose channel name is null at the point where events are read in. (They only slow things down.)

hitenkoku commented 2 years ago

Understood. For detection as well, when the channel name is null I will exclude the event from the detection targets at evtx load time.
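The behaviour agreed above (drop events whose `System.Channel` is null or absent before both the `-M` counts and rule evaluation), as an added illustration in Python rather than Hayabusa's own Rust code. The records and the `RULES` table are constructed for this example and only mimic the shape of the debug output in this issue.

```python
import json
from collections import Counter

# Constructed sample records modelled on the debug output above: two
# Microsoft-Windows-RPC (ETW) events with "Channel": null, one ordinary
# Security event, and one record with no Channel key at all.
SAMPLE_RECORDS = [
    '{"Event": {"System": {"Channel": null, "EventID": 5, "Provider_attributes": {"Name": "Microsoft-Windows-RPC"}}}}',
    '{"Event": {"System": {"Channel": null, "EventID": 6, "Provider_attributes": {"Name": "Microsoft-Windows-RPC"}}}}',
    '{"Event": {"System": {"Channel": "Security", "EventID": 4624, "Provider_attributes": {"Name": "Microsoft-Windows-Security-Auditing"}}}}',
    '{"Event": {"System": {"EventID": 7045}}}',
]

# Hypothetical channel-keyed rule table, not Hayabusa's rule format.
RULES = {("Security", 4624): "Successful logon"}


def channel_of(record):
    """Return Event.System.Channel, or None when it is null or missing."""
    return record.get("Event", {}).get("System", {}).get("Channel")


def has_channel(record):
    """True only for a non-empty string channel name."""
    ch = channel_of(record)
    return isinstance(ch, str) and ch != ""


def count_by_channel_and_eid(json_lines):
    """Metrics-style tally (Channel, EventID) -> count, skipping null channels."""
    counts, skipped = Counter(), 0
    for line in json_lines:
        rec = json.loads(line)
        if not has_channel(rec):
            skipped += 1          # ETW-style event: excluded from the counts
            continue
        counts[(channel_of(rec), rec["Event"]["System"].get("EventID"))] += 1
    return counts, skipped


def scan(json_lines, rules=RULES):
    """Rule matching; null-channel events are dropped at load time and never
    reach rule evaluation, mirroring the decision in this thread."""
    hits = []
    for line in json_lines:
        rec = json.loads(line)
        if not has_channel(rec):
            continue
        key = (channel_of(rec), rec["Event"]["System"].get("EventID"))
        if key in rules:
            hits.append(rules[key])
    return hits
```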