Closed davemcatcisco closed 2 weeks ago
A dedicated Windows event might be the way to go.
However, "services" of some form are relevant on major operating systems. Have you considered creating a more generic "Service Activity" event that isn't specific to Windows?
If such an event isn't descriptive enough then the windows extension could be used to add additional information that doesn't fit well into a generic event.
Even if the current approach is what we go with, it is good to have the reasons why written down in the pull request.
I think the reasons for having a dedicated event were already discussed elsewhere and in the issue linked to above. But...
It certainly would be possible to identify ways in which the Windows service mechanism overlaps with, say, the Linux systemd mechanism, and it would therefore be possible to define a common base event class. But would doing that actually be useful? I often feel that the result of an effort to identify a common base results is something that is vaguely satisfying intellectually but not practically useful and ultimately more trouble than it is worth. The Windows service mechanism has a very tightly defined control interface, lifecycle, and configuration which owes more to its VAX/VMS roots than to Linux.
I've been thinking a lot about this PR since discussing it at the System/Mappings call yesterday. I'm going to look at the possibiltiy of using the existing service object. Please don't spend any time reviewing this for now until I've bottomed out on that.
I've been thinking a lot about this PR since discussing it at the System/Mappings call yesterday. I'm going to look at the possibiltiy of using the existing service object. Please don't spend any time reviewing this for now until I've bottomed out on that.
I've reworked the PR so as to define a new Windows Service
object which extends the pre-existing Service
object. This PR is now ready for review. Marking as such.
Attn. gatekeepers (@floydtree, @pagbabian-splunk, @mikeradka, @Aniak5, @zschmerber): This PR is now ready for review. Thanks.
Attn. @floydtree, @pagbabian-splunk, @mikeradka, @Aniak5, @zschmerber: I still need one more approval on this PR if one of you could do the needful.
Attn. gatekeepers (@floydtree, @pagbabian-splunk, @mikeradka, @Aniak5, @zschmerber): This PR is now approved and ready for merge. Thanks!
Related Issue:
1020
Description of changes:
This schema change introduces a new
Windows Service Activity
event to the Windows extension in theSystem Activity
category. The new event extends theSystem Activity
event only minimally:activity_id
attribute, corresponding to the various actions that a process may perform on a service.win_service
attribute is aWindows Service
object.The
Windows Service
object extends the pre-existingService
object in some important ways:name
attribute is maderequired
so as to reflect the mandatory nature of this attribute when describing behaviour pertaining to a Windows service.service_type_id
attribute and itsservice_type
sibling correspond to thedwServiceType
field in the Win32QUERY_SERVICE_CONFIG
structure.service_start_type_id
attribute and itsservice_start_type
sibling correspond to thedwStartType
field in the Win32QUERY_SERVICE_CONFIG
structure.cmd_line
attribute corresponds to thelpBinaryPathName
field in the Win32QUERY_SERVICE_CONFIG
structure.load_order_group
attribute corresponds to thelpLoadOrderGroup
field in the Win32QUERY_SERVICE_CONFIG
structure.service_dependencies
attribute corresponds to thelpDependencies
field in the Win32QUERY_SERVICE_CONFIG
structure.service_start_name
attribute corresponds to thelpServiceStartName
field in the Win32QUERY_SERVICE_CONFIG
structure.service_error_control
attribute corresponds to thedwErrorControl
field in the Win32QUERY_SERVICE_CONFIG
structure.service_category_id
attribute and itsservice_category
sibling do not directly correspond to any field in the Win32QUERY_SERVICE_CONFIG
structure but instead represent a more coarse-grained categorisation of the information in theservice_type_id
andservice_type
attributes. This is useful in contexts where the precise type of service is unknown and a security product knows only if the activity relates to a kernel mode driver or a user mode service.Because behaviour relating to Windows services is a common trigger for detections, this PR also adds the
win_service
attribute to theWindows Evidence Artifacts
object.