tsale / EDR-Telemetry

This project aims to compare and evaluate the telemetry of various EDR products.

Fix ESET Inspect inaccuracies #40

Closed j91321 closed 7 months ago

j91321 commented 7 months ago

ESET Inspect inaccuracies

Description

Please provide the below information so we can validate before merging:

  1. Does the proposed EDR feature align with our definition of telemetry? (definition here)
  2. Could you please provide documentation to support the telemetry you are proposing? (If it is held privately, please reach out to me or @inodee)
  3. If no documentation is available for all the categories you are proposing, could you provide screenshots or sanitized logs?

1: (response) YES
2: (response) YES
3: (response) YES

Type of change

Please delete options that are not relevant.

Changes

tsale commented 7 months ago

Hello @j91321, thank you for the PR. A couple of notes regarding the file modification: this is related to detection rules and is not provided as part of the raw telemetry; therefore, it is not applicable to this project.

For the Service Creation, we are looking for telemetry that generates the relevant events. Is there an event that can provide us with the appropriate telemetry regarding Service Creation?

j91321 commented 7 months ago

Hey, @tsale sorry for not making it clear, yes those docs are related to detections, however the "operations" section shows you the types of Raw Event and those are telemetry. I mean the documentation sucks, so it's easy to get confused. Hopefully this screenshot will make it clear when executing the following:

whoami.exe > test.txt
whoami.exe >> test.txt


The first one creates the file; the event is FileTruncated (on open), while the second appends (modification), which is the FileWrite event.

As for services here is the result of AtomicRedTeam T1543.003 Test 2

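The two commands above differ only in how the file is opened, and that is what drives the distinct raw events. The following added example (not part of the PR or the EDR-Telemetry project) replays `>` and `>>` with the underlying open flags and runs them through a deliberately simplified sensor model: a truncating open is reported as `FileTruncated`, each successful write as `FileWrite`. The event names are taken from the comment; the rule that maps open flags to those events is an assumption made for illustration, not ESET Inspect's actual logic.

```python
import os
import tempfile


def shell_redirection_flags(op: str) -> int:
    """Open flags a shell uses for '>' (create/truncate) and '>>' (create/append)."""
    base = os.O_WRONLY | os.O_CREAT | getattr(os, "O_BINARY", 0)
    if op == ">":
        return base | os.O_TRUNC
    if op == ">>":
        return base | os.O_APPEND
    raise ValueError(f"unsupported redirection operator: {op!r}")


def sensor_events_for_open(flags: int) -> list[str]:
    """Modelled sensor rule (assumption): a truncating open is a FileTruncated event."""
    return ["FileTruncated"] if flags & os.O_TRUNC else []


def redirect_output(path: str, op: str, data: bytes) -> list[str]:
    """Perform the redirection and return the raw events the modelled sensor emits."""
    flags = shell_redirection_flags(op)
    events = sensor_events_for_open(flags)
    fd = os.open(path, flags, 0o644)
    try:
        # Modelled sensor rule (assumption): every successful write is a FileWrite event.
        if os.write(fd, data) > 0:
            events.append("FileWrite")
    finally:
        os.close(fd)
    return events


def replay_thread_commands() -> dict:
    """Replay `whoami.exe > test.txt` followed by `whoami.exe >> test.txt` in a temp dir.

    The payload stands in for whoami's output and is constructed for the example.
    """
    payload = b"host\\user\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "test.txt")
        first = redirect_output(path, ">", payload)    # creates and truncates
        second = redirect_output(path, ">>", payload)  # appends only
        with open(path, "rb") as fh:
            final_size = len(fh.read())
    return {"first": first, "second": second, "final_size": final_size}


if __name__ == "__main__":
    for name, value in replay_thread_commands().items():
        print(f"{name}: {value}")
```

The first command yields `FileTruncated` followed by `FileWrite`, the second only `FileWrite`, which is why a telemetry mapping keyed on the truncate event alone would miss the append case: the modification category needs the write event as well.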

tsale commented 7 months ago

Thanks for the detailed information, @j91321! Indeed, their documentation is not the best. I can see the file write events and I can change that as suggested.

For the services though, as they don't have a dedicated telemetry for the services, I will leave that out for now. I understand that you're saying this could be viewed through the registry set but this is not telemetry dedicated to service creation. We are looking for dedicated telemetry with the added context.

j91321 commented 7 months ago

Thanks! Sure, no problem, I was just wondering regarding that service creation, what is provided by Carbon Black to have "Partial" in this specific telemetry category? I was making the change based on this comment in the Google Sheet.

But I didn't find any further details in PRs or the linked Carbon Black documentation. Asking just for consistency's sake. I agree that service creation through registry is probably not good enough to be considered telemetry.
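The reason registry-set telemetry is only a proxy for service creation can be shown concretely. The added example below (not code from the PR or the project) takes constructed, vendor-neutral registry-set events, groups the writes under `HKLM\SYSTEM\CurrentControlSet\Services\<name>`, and reconstructs a synthetic service-creation record when `ImagePath`, `Start` and `Type` all land inside a short window. The event schema, service names and the five-second window are assumptions for illustration. What the reconstruction cannot recover is the context a dedicated service-creation event carries: the keys are written by the Service Control Manager (`services.exe`) on the caller's behalf, so the registry feed attributes the writes to the SCM rather than to the process and user that requested the service.

```python
import re
from datetime import datetime, timedelta

SERVICE_KEY = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)$", re.IGNORECASE
)
REQUIRED_VALUES = {"ImagePath", "Start", "Type"}
# Registry Start values as defined for Windows services.
START_TYPES = {"0": "Boot", "1": "System", "2": "Auto", "3": "Manual", "4": "Disabled"}

SCM = r"C:\Windows\System32\services.exe"
SVC = r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc"

# Constructed registry-set events (generic shape, not any product's real schema).
SAMPLE_EVENTS = [
    {"ts": "2023-12-07T02:14:50", "process": SCM, "key": SVC, "value": "Type", "data": "16"},
    {"ts": "2023-12-07T02:14:50", "process": SCM, "key": SVC, "value": "Start", "data": "3"},
    {"ts": "2023-12-07T02:14:50", "process": SCM, "key": SVC, "value": "ImagePath",
     "data": r"C:\Users\Public\example.exe"},
    {"ts": "2023-12-07T02:14:51", "process": SCM, "key": SVC, "value": "ObjectName",
     "data": "LocalSystem"},
    # Unrelated registry write: must not be reported as a service.
    {"ts": "2023-12-07T02:14:55", "process": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Example", "data": r"C:\Users\Public\example.exe"},
    # Single value changed on an existing service much later: a reconfiguration, not a creation.
    {"ts": "2023-12-07T03:00:00", "process": SCM,
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time", "value": "Start", "data": "2"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def reconstruct_service_creations(events, window=timedelta(seconds=5)):
    """Group registry-set events per service key and emit one synthetic creation
    record when all required values are written within `window` of each other."""
    per_service: dict[str, list[dict]] = {}
    for ev in events:
        match = SERVICE_KEY.match(ev["key"])
        if match:
            per_service.setdefault(match.group(1), []).append(ev)

    creations = []
    for name, evs in per_service.items():
        evs.sort(key=lambda e: _parse(e["ts"]))
        first_ts = _parse(evs[0]["ts"])
        values = {e["value"]: e["data"] for e in evs if _parse(e["ts"]) - first_ts <= window}
        if not REQUIRED_VALUES <= values.keys():
            continue  # partial update of an existing service, not a creation
        creations.append({
            "service_name": name,
            "image_path": values["ImagePath"],
            "start_type": START_TYPES.get(values["Start"], values["Start"]),
            "service_type": values["Type"],
            "service_account": values.get("ObjectName"),
            "registry_writer": evs[0]["process"],
            # The SCM performs these writes, so the registry feed alone cannot say
            # which process or user actually asked for the service to be created.
            "missing_context": ["requesting_process", "requesting_user"],
        })
    return creations


if __name__ == "__main__":
    for record in reconstruct_service_creations(SAMPLE_EVENTS):
        print(record)
```

Run against the sample, only `ExampleSvc` is reported; the `Run`-key write is ignored and the lone `Start` change on `W32Time` is treated as a reconfiguration. The `missing_context` list is the practical argument for the "dedicated telemetry with the added context" requirement in the thread.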

tsale commented 7 months ago

@j91321 - I'm looking into it. Thanks

tsale commented 7 months ago

There is a specific searchable field in CB.


Ref: https://developer.carbonblack.com/reference/carbon-black-cloud/platform/latest/platform-search-fields/