Closed rabbitstack closed 3 weeks ago
Dear @rabbitstack, I reviewed the code and tested it in my environment; it works!
Below some events with the process flag enrichment:
{
"seq": 278856,
"pid": 5348,
"tid": 8848,
"cpu": 1,
"name": "CreateProcess",
"category": "process",
"description": "Creates a new process and its primary thread",
"host": "windows10",
"timestamp": "2024-09-24T10:42:59.5018966+02:00",
"kparams": {
"cmdline": "\"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" ",
"directory_table_base": "10a9ba000",
"domain": "WINDOWS10",
"exe": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"exit_status": "Success",
"flags": "WOW64",
"kproc": "ffffb20157f41340",
"name": "powershell.exe",
"pid": 3112,
"ppid": 5348,
"real_ppid": 5348,
"session_id": 1,
"sid": "S-1-5-21-1109721004-853119447-282637926-1000",
"start_time": "2024-09-24 10:42:59.5018575 +0200 CEST",
"username": "authority"
},
"meta": {},
"ps": {
"pid": 5348,
"ppid": 5312,
"name": "explorer.exe",
"cmdline": "C:\\Windows\\Explorer.EXE",
"exe": "C:\\Windows\\Explorer.EXE",
"cwd": "C:\\Windows\\system32\\",
"sid": "S-1-5-21-1109721004-853119447-282637926-1000",
"args": [
"C:\\Windows\\Explorer.EXE"
],
"sessionid": 1,
"envs": {
"HOMEPATH": "\\Users\\authority",
"LOCALAPPDATA": "C:\\Users\\authority\\AppData\\Local",
"PROCESSOR_REVISION": "9a04",
"PSModulePath": "C:\\Program Files\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules",
"windir": "C:\\Windows",
"ALLUSERSPROFILE": "C:\\ProgramData",
"HOMEDRIVE": "C:",
"ProgramFiles(x86)": "C:\\Program Files (x86)",
"CommonProgramFiles(x86)": "C:\\Program Files (x86)\\Common Files",
"PKG_CONFIG_PATH": "C:\\Users\\authority\\Downloads\\fibratus-master\\pkg-config",
"PROCESSOR_LEVEL": "6",
"ProgramW6432": "C:\\Program Files",
"PUBLIC": "C:\\Users\\Public",
"SystemDrive": "C:",
"TMP": "C:\\Users\\AUTHOR~1\\AppData\\Local\\Temp",
"USERDOMAIN": "WINDOWS10",
"GOPATH": "C:\\Users\\authority\\go",
"USERPROFILE": "C:\\Users\\authority",
"USERNAME": "authority",
"NUMBER_OF_PROCESSORS": "4",
"PATHEXT": ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC",
"PROCESSOR_IDENTIFIER": "Intel64 Family 6 Model 154 Stepping 4, GenuineIntel",
"DriverData": "C:\\Windows\\System32\\Drivers\\DriverData",
"ProgramData": "C:\\ProgramData",
"CommonProgramW6432": "C:\\Program Files\\Common Files",
"ComSpec": "C:\\Windows\\system32\\cmd.exe",
"OS": "Windows_NT",
"SESSIONNAME": "Console",
"SystemRoot": "C:\\Windows",
"CommonProgramFiles": "C:\\Program Files\\Common Files",
"ProgramFiles": "C:\\Program Files",
"TEMP": "C:\\Users\\AUTHOR~1\\AppData\\Local\\Temp",
"USERDOMAIN_ROAMINGPROFILE": "WINDOWS10",
"COMPUTERNAME": "WINDOWS10",
"LOGONSERVER": "\\\\WINDOWS10",
"OneDrive": "C:\\Users\\authority\\OneDrive",
"Path": "C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Windows\\System32\\OpenSSH\\;C:\\Program Files\\Go\\bin;C:\\Program Files\\dotnet\\;C:\\Users\\authority\\AppData\\Local\\Programs\\Python\\Python37\\Scripts\\;C:\\Users\\authority\\AppData\\Local\\Programs\\Python\\Python37\\;C:\\Users\\authority\\AppData\\Local\\Microsoft\\WindowsApps;C:\\Users\\authority\\go\\bin;C:\\Users\\authority\\.dotnet\\tools",
"PROCESSOR_ARCHITECTURE": "AMD64",
"APPDATA": "C:\\Users\\authority\\AppData\\Roaming"
}
}
}
and
{
"seq": 251951,
"pid": 5000,
"tid": 8244,
"cpu": 0,
"name": "TerminateProcess",
"category": "process",
"description": "Terminates the process and all of its threads",
"host": "windows10",
"timestamp": "2024-09-24T10:36:54.4055879+02:00",
"kparams": {
"cmdline": "\"C:\\Windows\\system32\\backgroundTaskHost.exe\" -ServerName:App.AppXe9cvj1thv1hmcw0cs98xm3r97tyzy2xs.mca\u0000Microsoft.WindowsStore_22408.1401.5.0_x64__8wekyb3d8bbwe\u0000A",
"directory_table_base": "bc4b000",
"exe": "C:\\Windows\\system32\\backgroundTaskHost.exe",
"exit_status": "Success",
"flags": "APPLICATION_ID|PACKAGED",
"kproc": "ffffb20152f9a0c0",
"name": "backgroundTaskHost.exe",
"pid": 5000,
"ppid": 820,
"real_ppid": 5000,
"session_id": 1,
"sid": "S-1-5-21-1109721004-853119447-282637926-1000"
},
"meta": {},
"ps": {
"pid": 5000,
"ppid": 820,
"name": "backgroundTaskHost.exe",
"cmdline": "\"C:\\Windows\\system32\\backgroundTaskHost.exe\" -ServerName:App.AppXe9cvj1thv1hmcw0cs98xm3r97tyzy2xs.mca\u0000Microsoft.WindowsStore_22408.1401.5.0_x64__8wekyb3d8bbwe\u0000A",
"exe": "C:\\Windows\\system32\\backgroundTaskHost.exe",
"cwd": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_22408.1401.5.0_x64__8wekyb3d8bbwe\\",
"sid": "S-1-5-21-1109721004-853119447-282637926-1000",
"args": [
"\"C:\\Windows\\system32\\backgroundTaskHost.exe\"",
"-ServerName:App.AppXe9cvj1thv1hmcw0cs98xm3r97tyzy2xs.mca\u0000Microsoft.WindowsStore_22408.1401.5.0_x64__8wekyb3d8bbwe\u0000A"
],
"sessionid": 1,
"parent": {
"name": "svchost.exe",
"cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
"exe": "C:\\Windows\\system32\\svchost.exe",
"cwd": "C:\\Windows\\system32\\",
"sid": "S-1-5-18"
},
"envs": {
"FPS_BROWSER_USER_PROFILE_STRING": "Default",
"PATHEXT": ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC",
"PKG_CONFIG_PATH": "C:\\Users\\authority\\Downloads\\fibratus-master\\pkg-config",
"CommonProgramFiles(x86)": "C:\\Program Files (x86)\\Common Files",
"PROCESSOR_REVISION": "9a04",
"USERDOMAIN_ROAMINGPROFILE": "WINDOWS10",
"CommonProgramFiles": "C:\\Program Files\\Common Files",
"GOPATH": "C:\\Users\\authority\\go",
"LOCALAPPDATA": "C:\\Users\\authority\\AppData\\Local\\Packages\\microsoft.windowsstore_8wekyb3d8bbwe\\AC",
"Path": "C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Windows\\System32\\OpenSSH\\;C:\\Program Files\\Go\\bin;C:\\Program Files\\dotnet\\;C:\\Users\\authority\\AppData\\Local\\Programs\\Python\\Python37\\Scripts\\;C:\\Users\\authority\\AppData\\Local\\Programs\\Python\\Python37\\;C:\\Users\\authority\\AppData\\Local\\Microsoft\\WindowsApps;C:\\Users\\authority\\go\\bin;C:\\Users\\authority\\.dotnet\\tools",
"ProgramFiles": "C:\\Program Files",
"PSModulePath": "%ProgramFiles%\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules",
"LOGONSERVER": "\\\\WINDOWS10",
"PROCESSOR_IDENTIFIER": "Intel64 Family 6 Model 154 Stepping 4, GenuineIntel",
"PROCESSOR_LEVEL": "6",
"SystemDrive": "C:",
"USERDOMAIN": "WINDOWS10",
"PUBLIC": "C:\\Users\\Public",
"NUMBER_OF_PROCESSORS": "4",
"ProgramFiles(x86)": "C:\\Program Files (x86)",
"TEMP": "C:\\Users\\authority\\AppData\\Local\\Packages\\microsoft.windowsstore_8wekyb3d8bbwe\\AC\\Temp",
"USERNAME": "authority",
"ProgramData": "C:\\ProgramData",
"TMP": "C:\\Users\\authority\\AppData\\Local\\Packages\\microsoft.windowsstore_8wekyb3d8bbwe\\AC\\Temp",
"ALLUSERSPROFILE": "C:\\ProgramData",
"APPDATA": "C:\\Users\\authority\\AppData\\Roaming",
"COMPUTERNAME": "WINDOWS10",
"FPS_BROWSER_APP_PROFILE_STRING": "Internet Explorer",
"HOMEDRIVE": "C:",
"OS": "Windows_NT",
"USERPROFILE": "C:\\Users\\authority",
"ProgramW6432": "C:\\Program Files",
"SystemRoot": "C:\\Windows",
"CommonProgramW6432": "C:\\Program Files\\Common Files",
"ComSpec": "C:\\Windows\\system32\\cmd.exe",
"DriverData": "C:\\Windows\\System32\\Drivers\\DriverData",
"HOMEPATH": "\\Users\\authority",
"OneDrive": "C:\\Users\\authority\\OneDrive",
"PROCESSOR_ARCHITECTURE": "AMD64",
"windir": "C:\\Windows"
}
}
}
Great job!
@ablescia thanks for testing and validating! If you're happy with the changes, could you please approve this pull request?
What is the purpose of this PR / why it is needed?
Process rundown, create, and terminate events are enriched with additional flags that may indicate whether the created process is WoW-originated, protected, or packaged.
What type of change does this PR introduce?
Any specific area of the project related to this PR?
Does this PR introduce a user-facing change?
The process flags parameter needs to be reflected in the documentation. The parameter will serve as a backbone for building the new filter fields.