olafhartong / ThreatHunting

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
MIT License

Missing definitions in ./default/props.conf #55

Closed. sebastiendamaye closed this issue 3 years ago

sebastiendamaye commented 4 years ago

The Intial_Access widget is not updating despite data that should contribute to increasing the number of events. I searched in the source file and saw that the panel is based on saved searches to monitor file creation and registry entries creation. For file creation, the search is:

search = `indextime` `sysmon` event_id=11 (file_name="*.docm" OR file_name="*.xlsm" OR file_name="*.pptm" OR file_name="*.ps1" OR file_name="*.py" OR file_name="*.js" OR file_name="*.vbs" OR file_name="*.hta" OR file_name="*.bat" OR file_name="*.slk" OR file_name="*.jspx" OR file_name="*.cmd" OR file_name="*.php" OR file_name="*.pyw" OR file_name="*.xla" OR file_name="*.application" OR file_name="*.potm" OR file_name="*.csproj" OR file_name="*.aspx" OR file_name="*.exe") \
| eval mitre_technique_id="T1193" \
| `file_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path process_guid process_id file_name file_path

The problem is that it filters on a field that does not exist (file_name). Here (https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90011) is the definition of the available fields for event_id 11, and the appropriate field would be "TargetFilename" (and not file_name).

Am I missing anything? Thx

sebastiendamaye commented 4 years ago

I'm a bit confused because this seems to be affecting many fields in the default/savedsearches.conf file. Another example (file_path doesn't exist for sysmon event_id=11):

search = `indextime` search `sysmon` event_id=11 (file_path="*.lnk" OR file_path="*.scf")\
| eval mitre_technique_id="T1187" \
| `file_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description host_fqdn process_path file_path process_guid process_id

Is it fine to manually remap all fields so that they fit the correct field names? Or am I missing an automatic transformation from the application? I may have missed something... Can you please let me know?

sebastiendamaye commented 4 years ago

After investigation, I understood where the issue is. This is due to missing definitions in ./default/props.conf.

For example, the following definition is missing in props.conf:

EVAL-file_name = OriginalFileName

Adding this definition at line 202 of the props.conf file solved my issue. I'll continue my investigation on other fields as I suspect there are other incorrect or missing definitions.
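A check for the mismatch this thread describes, added here as an example (it is not code from the ThreatHunting app or from anyone in this issue): it parses a props.conf fragment for the field names its EVAL and FIELDALIAS settings create, parses savedsearches.conf for the fields each base search filters on, and reports filters that neither props.conf nor the raw Sysmon events can satisfy. The conf fragments and RAW_EVENT11_FIELDS are constructed samples, and mapping file_name to TargetFilename (as the first comment suggests) is an assumption about the right fix.

```python
import re
# Constructed sample fragments (not the project's real files); RAW_EVENT11_FIELDS is an assumed subset.
PROPS_CONF = r"""
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
EVAL-original_file_name = OriginalFileName
FIELDALIAS-event_id = EventCode AS event_id
"""
SAVEDSEARCHES_CONF = r"""
[Initial Access - File Creation]
search = `indextime` `sysmon` event_id=11 (file_name="*.docm" OR file_name="*.hta") \
| eval mitre_technique_id="T1193" \
| table _time host_fqdn process_path file_name file_path
"""
RAW_EVENT11_FIELDS = {"EventCode", "UtcTime", "ProcessGuid", "ProcessId", "Image", "TargetFilename"}

def parse_splunk_conf(text):
    """Parse a .conf fragment into {stanza: {key: value}}; a trailing backslash continues a line."""
    stanzas, current = {}, None
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def fields_defined_in_props(props):
    """Field names props.conf creates: EVAL-<name> and FIELDALIAS '... AS <name>' (REPORT/LOOKUP not resolved)."""
    defined = set()
    for settings in props.values():
        for key, value in settings.items():
            if key.startswith("EVAL-"):
                defined.add(key[len("EVAL-"):])
            elif key.startswith("FIELDALIAS-"):
                defined.update(re.findall(r"\bAS\s+(\w+)", value, flags=re.IGNORECASE))
    return defined

def fields_filtered_in_search(search):
    """Fields used as filters (field=... / field!=...) in the base search, i.e. before the first pipe."""
    return set(re.findall(r"(?<![\w.])([A-Za-z_]\w*)\s*!?=", search.split("|", 1)[0]))

def undefined_search_fields(props_text, saved_text, raw_fields):
    """For each saved search, the filter fields that neither props.conf defines nor the raw events carry."""
    defined = fields_defined_in_props(parse_splunk_conf(props_text)) | set(raw_fields)
    missing = {name: sorted(fields_filtered_in_search(s.get("search", "")) - defined)
               for name, s in parse_splunk_conf(saved_text).items()}
    return {name: fields for name, fields in missing.items() if fields}
```

Run it against a full props.conf and savedsearches.conf, with the raw field list taken from `| fieldsummary` on the Sysmon index, to list every search filtering on a field the TA never produces.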

olafhartong commented 4 years ago

Interestingly, I do have these fields. Which version of the Sysmon TA do you have?

sebastiendamaye commented 4 years ago

I have the latest one (https://splunkbase.splunk.com/app/1914/): Microsoft Sysmon Add-on | TA-microsoft-sysmon | 10.6.2

zwar77 commented 4 years ago

I have EVAL-original_file_name = OriginalFileName and no mention of file_name in props.conf. Added it in props and it works fine now!

OutpostSecurity commented 3 years ago

I think I figured out what was happening and made a pull request to the props.conf to handle this.

olafhartong commented 3 years ago

Thanks for flagging and fixing it!