Please provide the below information so we can validate before merging:
Does the proposed EDR feature align with our definition of telemetry? (definition here)
Could you please provide documentation to support the telemetry you are proposing?
If no documentation is available for all the categories you are proposing, could you provide screenshots or sanitized logs?
1: Yes
2:
Process Creation, Process Termination - Yes
Process Access - Partially, implemented only for "lsass.exe"
Image/Library Load - Yes, see operations table
Remote Thread Creation - Yes
File Creation - Partially, the ModuleDrop event is created when executable is created on filesystem
File Deletion - Yes
File Renaming - Yes
Local Account Creation - Yes
Local Account Modification - Yes
Local Account Deletion - Yes
Account Login - Yes
Account Logoff - Yes
TCP Connection - Yes
URL - Yes
DNS Query - Yes
File Downloaded - Yes or Partially (again this applies for executables)
MD5 - Yes
SHA - Yes
Key/Value Creation - Yes, this depends on interpretation, Creation can be seen as setting of empty value.
Key/Value Modification - Yes
Key/Value Deletion - Yes
Driver Loaded - Yes
Named Pipe Creation - Yes, operations table
Agent Install - Yes
Agent Uninstall - Yes
Agent Tampering - Yes, although I'd like more explanation of what exactly you are looking for here. ESET agents, all three of them, are protected by the HIPS Self-Defense module. Does it generate specific telemetry messages? I don't think so. However, there are specific rules that monitor changes of ESET configuration files and registry keys; these fall more into the detection category, since they just work over the WriteFile and RegSet operations.
Agent Keep-Alive - Yes, in the sense that you can see last connection time and last event received time, but the messages are not stored, meaning you can't plot a graph of agent uptime. I think it qualifies under your definition, since it doesn't say the messages must be stored, but I can also see an argument for putting "No" here.
Agent Errors - Yes
WmiEventConsumerToFilter, WmiEventConsumer, WmiEventFilter - Yes, grouped under one event WmiPersistence
Script-Block Activity - Yes, not implemented through Script-Block logging but directly through AMSI; that shouldn't make much difference.
3:
I took screenshots for most of these, or at least for those that are not mentioned in the documentation or are mentioned insufficiently.
Process Creation, Termination - Atomic Red Team T1218.001 Test 11
Process Access - Atomic Red Team T1003.001 Test 4
Image/Library Load - Atomic Red Team T1218.001 Test 12
Remote Thread Creation - Atomic Red Team T1055 Test 3
File Creation + File Download - Atomic Red Team T1003.001 Test 4 GetPrereqs
File Deletion+File Renaming - Manual on output from ART test artifact.
Local Account Creation, Local Account Modification, Account Login, Account Logoff - Atomic Red Team T1078.003 Test 1
Local Account Deletion - Atomic Red Team T1078.003 Test 1 Cleanup
TCP Connection, URL - Atomic Red Team T1003.001 Test Cleanup
DNS Query - Manual
Driver Load - Manual through Process Hacker
Agent Install, Agent Keep-Alive
Not sure if this qualifies for the telemetry, but in the Protect console you can see products installed on the endpoint and also have information about the last time the agent connected.
Agent Error
WmiEventConsumerToFilter, WmiEventConsumer, WmiFilter - Atomic Red Team T1546.003 Test 1
Script-Block - Atomic Red Team T1055 Test 3
Type of change
Please delete options that are not relevant.
[ ] New feature (adding additional EDR product or proposing new event categories/sub-categories)
How Has This Been Tested?
Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.
[ ] Atomic Red Team
Test Configuration:
EDR version:
ESET Endpoint Security 10.0.2045.0
ESET Management Agent 10.0.1126.0
ESET Inspect Connector 1.10.2664.0
Operating System version:
Windows 10 Pro 19045.2846
Checklist:
[ ] My code follows the style guidelines of this project
[ ] I have performed a self-review of my own code
[ ] I have made corresponding changes to the documentation
[ ] I have added tests that prove my corrections or additions are accurate
[ ] I have checked my code and corrected any misspellings
Don't stress yourself out, just answer the above to the best of your ability and we can discuss in the comments 🙂