diff --git a/custom_schemas/custom_api.yml b/custom_schemas/custom_api.yml index d67ac9097..0ce6e34f3 100644 --- a/custom_schemas/custom_api.yml +++ b/custom_schemas/custom_api.yml 
@@ -18,3 +18,311 @@ type: keyword description: > The name of the API, usually the name of the function or system call. + example: "VirtualAlloc" + + - name: summary + level: custom + type: keyword + description: > + The summary of the API call and its parameters. + example: "VirtualAllocEx( file.exe, NULL, 0x42000, COMMIT|RESERVE, RWX )" + + - name: behaviors + level: custom + type: keyword + short: A list of observed behaviors. + description: | + A list of observed behaviors. + "cross-process" - the observed activity was between two processes + "parent-child" - the observed activity was between a parent process and its child + "native_api" - a call was made directly to the Native API rather than the Win32 API + "direct_syscall" - a syscall instruction originated outside of the Native API layer + "proxy_call" - the call stack may indicate of a proxied API call to mask the true source + "sensitive_api" - executable non-image memory is unexpectedly calling a sensitive API + "shellcode" - suspicious executable non-image memory is calling a sensitive API + "image_hooked" - an entry in the callstack appears to have been hooked + "image_indirect_call" - an entry in the callstack was preceded by a call to a dynamically resolved function + "image_rop" - no call instruction preceded an entry in the call stack + "image_rwx" - an entry in the callstack is writable + "unbacked_rwx" - an entry in the callstack is non-image and writable + "allocate_shellcode" - a region of non-image executable memory allocated more executable memory + "execute_fluctuation" - the PAGE_EXECUTE protection is unexpectedly fluctuating + 'write_fluctuation" - the PAGE_WRITE protection of executable memory is unexpectedly fluctuating + "hook_api" - a change to the memory protection of a small executable image memory region was made + "hollow_image" - a change to the memory protection of a large executable image memory region was made + "hook_unbacked" - a change to the memory protection of a small 
executable non-image memory was made + 'hollow_unbacked" - a change to the memory protection of a large executable non-image memory was made + "guarded_code" - executable memory was unexpectedly marked as PAGE_GUARD + "hidden_code" - executable memory was unexpectedly marked as PAGE_NOACCESS + "execute_shellcode" - a region of non-image executable memory was unexpectedly transferred control + "hardware_breakpoint_set" - a hardware breakpoint was set + example: [ "cross-process", "native_api", "shellcode" ] + + - name: metadata + level: custom + type: object + description: > + Information related to the API call. + + - name: metadata.target_address_name + level: custom + type: keyword + description: > + The name of the memory region targeted by the API call. + example: "Unbacked" + + - name: metadata.target_address_path + level: custom + type: keyword + description: > + The path of the memory region targeted by the API call. + example: "C:\\programdata\\example.dll" + + - name: parameters + level: custom + type: object + description: > + Parameter values passed to the API call. + + - name: parameters.handle_type + level: custom + type: keyword + description: > + This parameter indicates whether the detected access was attempt against a process or a thread. + example: process + + - name: parameters.desired_access_numeric + level: custom + type: long + description: > + This parameter indicates the numeric value of the `DesiredAccess` field passed to `OpenProcess` or `OpenThread`. + + - name: parameters.desired_access + level: custom + type: keyword + description: > + This parameter indicates the string value of the `DesiredAccess` field to `OpenProcess` or `OpenThread`. + + - name: parameters.address + level: custom + type: unsigned_long + description: > + The target memory address. + example: 2431737462784 + + - name: parameters.size + level: custom + type: unsigned_long + description: > + The size. 
+ example: 4096 + + - name: parameters.protection + level: custom + type: keyword + description: > + The memory protection for the region of pages. Corresponds to `MEMORY_BASIC_INFORMATION.Protect` + example: "RWX|GUARD" + + - name: parameters.protection_old + level: custom + type: keyword + example: "RCX" + description: > + The previous memory protection returned by the API call. Corresponds to `MEMORY_BASIC_INFORMATION.Protect` + + - name: parameters.allocation_type + level: custom + type: keyword + description: > + The type of memory allocation. Corresponds to `MEMORY_BASIC_INFORMATION.State` + example: "COMMIT|RESERVE" + + - name: parameters.procedure + level: custom + type: unsigned_long + description: > + The memory address of the procedure or function. + example: 2431737462784 + + - name: parameters.argument1 + level: custom + type: unsigned_long + description: > + The first argument to the procedure. + example: 1 + + - name: parameters.argument2 + level: custom + type: unsigned_long + description: > + The second argument to the procedure. + example: 2 + + - name: parameters.argument3 + level: custom + type: unsigned_long + description: > + The third argument to the procedure. + example: 3 + + - name: parameters.context_flags + level: custom + type: unsigned_long + description: > + The bitmask of CPU registers operated on by this call. Corresponds to `CONTEXT.ContextFlags` + example: 1048607 + + - name: parameters.rip + level: custom + type: unsigned_long + description: > + The x64 RIP instruction pointer register. + example: 140706153693184 + + - name: parameters.rsp + level: custom + type: unsigned_long + description: > + The x64 RSP stack pointer register. + example: 2431737462784 + + - name: parameters.rax + level: custom + type: unsigned_long + description: > + The x64 RAX general purpose register. Return value in a __fastcall. 
+ example: 0 + + - name: parameters.rcx + level: custom + type: unsigned_long + description: > + The x64 RCX general purpose register. First argument in a __fastcall. + example: 1 + + - name: parameters.rdx + level: custom + type: unsigned_long + description: > + The x64 RDX general purpose register. Second argument in a __fastcall. + example: 2 + + - name: parameters.r8 + level: custom + type: unsigned_long + description: > + The x64 R8 general purpose register. Third argument in a __fastcall. + example: 3 + + - name: parameters.r9 + level: custom + type: unsigned_long + description: > + The x64 R9 general purpose register. Fourth argument in a __fastcall. + example: 4 + + - name: parameters.rbp + level: custom + type: unsigned_long + description: > + The x64 RBP general purpose register. + example: 0 + + - name: parameters.rbx + level: custom + type: keyword + description: > + The x64 RBX general purpose register. + example: 0 + + - name: parameters.rsi + level: custom + type: keyword + description: > + The x64 RSI general purpose register. + example: 0 + + - name: parameters.rdi + level: custom + type: unsigned_long + description: > + The x64 RDI general purpose register. + example: 0 + + - name: parameters.eip + level: custom + type: unsigned_long + description: > + The x86 EIP instruction pointer register. + example: 1472790528 + + - name: parameters.esp + level: custom + type: unsigned_long + description: > + The x86 ESP stack pointer register. + example: 15007744 + + - name: parameters.ebp + level: custom + type: unsigned_long + description: > + The x86 EBP frame pointer register. + example: 15006644 + + - name: parameters.eax + level: custom + type: unsigned_long + description: > + The x86 EAX general purpose register. Return value in __cdecl, __stdcall, __thiscall and __fastcall. + example: 0 + + - name: parameters.ecx + level: custom + type: unsigned_long + description: > + The x86 ECX general purpose register. First argument in __fastcall and __thiscall. 
+ example: 0 + + - name: parameters.edx + level: custom + type: unsigned_long + description: > + The x86 EDX general purpose register. Second argument in a __fastcall. + example: 0 + + - name: parameters.ebx + level: custom + type: unsigned_long + description: > + The x86 EBX general purpose register. + example: 0 + + - name: parameters.esi + level: custom + type: unsigned_long + description: > + The x86 ESI general purpose register. + example: 0 + + - name: parameters.edi + level: custom + type: unsigned_long + description: > + The x86 EDI general purpose register. + example: 0 + + - name: parameters.device + level: custom + type: keyword + description: > + The name of the device object. + example: "\\Device\\NPCAP" + + - name: parameters.driver + level: custom + type: keyword + description: > + The name of the driver object. + example: "\\Driver\\npcap" \ No newline at end of file diff --git a/custom_schemas/custom_api_credential_access.yml b/custom_schemas/custom_api_credential_access.yml deleted file mode 100644 index 472383346..000000000 --- a/custom_schemas/custom_api_credential_access.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -- name: Credential_access - title: Credential_access - group: 2 - short: These fields contain information about API calls related to Credential Access. - description: > - These fields contain information about API calls related to a Credential Access event - on Windows. - - Credential Access events are usually triggered by malicious programs in an attempt to - dump credential stored in the memory of targeted processes, such as `lsass.exe` on - Windows. To do, those programms will invoke specific API calls, such as `OpenProcess` - or `OpenThread` which can be detected. - - reusable: - top_level: true - expected: - - { at: process.Ext.api, as: parameters } - type: group - - fields: - - name: handle_type - level: custom - type: keyword - description: > - This parameter indicates whether the detected access was attempt against a process or a thread. - example: process - - - name: desired_access_numeric - level: custom - type: long - description: > - This parameter indicates the numeric value of the `DesiredAccess` field passed to `OpenProcess` or `OpenThread`. - - - name: desired_access - level: custom - type: keyword - description: > - This parameter indicates the string value of the `DesiredAccess` field to `OpenProcess` or `OpenThread`. diff --git a/custom_schemas/custom_call_stack.yml b/custom_schemas/custom_call_stack.yml index 592054262..4d1efb603 100644 --- a/custom_schemas/custom_call_stack.yml +++ b/custom_schemas/custom_call_stack.yml @@ -10,7 +10,7 @@ order: 1 top_level: false expected: - - process.thread.Ext + - { at: process.thread.Ext, as: call_stack } - process.parent.thread.Ext fields: - name: module_name 
@@ -70,17 +70,22 @@ level: custom type: keyword description: Hex opcode bytes preceding the callsite - + - name: callsite_trailing_bytes level: custom type: keyword description: Hex opcode bytes after the callsite (where control will return to) - + - name: protection level: custom type: keyword description: Protection of the page containing this instruction. This is `R-X' by default if omitted. - + + - name: protection_provenance + level: custom + type: keyword + description: The name of the memory region that last modified the protection of this page. "Unbacked" can indicate shellcode. + - name: allocation_private_bytes level: custom type: unsigned_long diff --git a/custom_schemas/custom_memory_region.yml b/custom_schemas/custom_memory_region.yml index 749b1ed32..e3dfb7e82 100644 --- a/custom_schemas/custom_memory_region.yml +++ b/custom_schemas/custom_memory_region.yml @@ -126,3 +126,9 @@ index: false description: > Array of strings found within the memory region. + + - name: hash.sha256 + level: custom + type: keyword + description: The sha256 of the memory region. + example: "d25ff1e6c6460a7f9de39198d182058c1712726008d187e1953b83abe977e4a0" diff --git a/custom_schemas/custom_process.yml b/custom_schemas/custom_process.yml index d55852ca7..281e9c5d7 100644 --- a/custom_schemas/custom_process.yml +++ b/custom_schemas/custom_process.yml @@ -143,6 +143,13 @@ description: > The file path of the call_stack_final_user_module. + - name: thread.Ext.call_stack_final_user_module.protection_provenance + level: custom + type: keyword + example: "third_party_hook.dll" + description: > + The name of the memory region that last modified the protection of this page. "Unbacked" may indicate shellcode. + - name: thread.Ext.call_stack_final_user_module.code_signature level: custom type: nested diff --git a/custom_subsets/elastic_endpoint/api/api.yaml b/custom_subsets/elastic_endpoint/api/api.yaml index 296c92d01..adcbddd2a 100644 --- a/custom_subsets/elastic_endpoint/api/api.yaml 
+++ b/custom_subsets/elastic_endpoint/api/api.yaml @@ -25,8 +25,6 @@ fields: user: fields: domain: {} - email: {} - full_name: {} hash: {} id: {} name: {} @@ -59,12 +57,20 @@ fields: fields: name: {} pid: {} + executable: {} + entity_id: {} + Ext: + fields: + token: + fields: + integrity_level_name: {} process: fields: pid: {} name: {} executable: {} entity_id: {} + command_line: {} thread: fields: id: {} @@ -74,11 +80,16 @@ fields: api: fields: name: {} + summary: {} + behaviors: {} + metadata: + fields: "*" parameters: - fields: - desired_access: {} - desired_access_numeric: {} - handle_type: {} + fields: "*" + token: + fields: + integrity_level_name: {} + protection: {} code_signature: fields: exists: {} @@ -101,8 +112,25 @@ fields: fields: module_path: {} instruction_pointer: {} + allocation_private_bytes: {} + callsite_leading_bytes: {} + callsite_trailing_bytes: {} + protection: {} + protection_provenance: {} + symbol_info: {} call_stack_contains_unbacked: {} call_stack_final_user_module: fields: + name: {} path: {} - + protection_provenance: {} + code_signature: + fields: + exists: {} + status: {} + subject_name: {} + trusted: {} + valid: {} + hash: + fields: + sha256: {} diff --git a/package/endpoint/data_stream/api/fields/fields.yml b/package/endpoint/data_stream/api/fields/fields.yml index 6dc9b9bb5..e989deada 100644 --- a/package/endpoint/data_stream/api/fields/fields.yml +++ b/package/endpoint/data_stream/api/fields/fields.yml 
@@ -30,6 +30,44 @@ type: group default_field: true fields: + - name: process.Ext + level: custom + type: object + description: Object for all custom defined fields to live in. + default_field: false + - name: process.Ext.token.integrity_level_name + level: custom + type: keyword + ignore_above: 1024 + description: Human readable integrity level. + example: one of "system", "high", "medium", "low", "untrusted" + default_field: false + - name: process.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: process.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 + - name: text + type: text + norms: false + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false - name: process.name level: extended type: keyword 
@@ -355,11 +393,83 @@ ignore_above: 1024 description: An array of entity_ids indicating the ancestors for this event default_field: false + - name: Ext.api.behaviors + level: custom + type: keyword + ignore_above: 1024 + description: "A list of observed behaviors.\n \"cross-process\" - the observed activity was between two processes\n \"parent-child\" - the observed activity was between a parent process and its child\n \"native_api\" - a call was made directly to the Native API rather than the Win32 API\n \"direct_syscall\" - a syscall instruction originated outside of the Native API layer\n \"proxy_call\" - the call stack may indicate of a proxied API call to mask the true source\n \"sensitive_api\" - executable non-image memory is unexpectedly calling a sensitive API\n \"shellcode\" - suspicious executable non-image memory is calling a sensitive API\n \"image_hooked\" - an entry in the callstack appears to have been hooked\n \"image_indirect_call\" - an entry in the callstack was preceded by a call to a dynamically resolved function\n \"image_rop\" - no call instruction preceded an entry in the call stack\n \"image_rwx\" - an entry in the callstack is writable\n \"unbacked_rwx\" - an entry in the callstack is non-image and writable\n \"allocate_shellcode\" - a region of non-image executable memory allocated more executable memory\n \"execute_fluctuation\" - the PAGE_EXECUTE protection is unexpectedly fluctuating\n 'write_fluctuation\" - the PAGE_WRITE protection of executable memory is unexpectedly fluctuating\n \"hook_api\" - a change to the memory protection of a small executable image memory region was made\n \"hollow_image\" - a change to the memory protection of a large executable image memory region was made\n \"hook_unbacked\" - a change to the memory protection of a small executable non-image memory was made\n 'hollow_unbacked\" - a change to the memory protection of a large executable non-image memory was made\n \"guarded_code\" - executable memory was 
unexpectedly marked as PAGE_GUARD\n \"hidden_code\" - executable memory was unexpectedly marked as PAGE_NOACCESS\n \"execute_shellcode\" - a region of non-image executable memory was unexpectedly transferred control\n \"hardware_breakpoint_set\" - a hardware breakpoint was set" + example: + - cross-process + - native_api + - shellcode + default_field: false + - name: Ext.api.metadata + level: custom + type: object + description: Information related to the API call. + default_field: false + - name: Ext.api.metadata.target_address_name + level: custom + type: keyword + ignore_above: 1024 + description: The name of the memory region targeted by the API call. + example: Unbacked + default_field: false + - name: Ext.api.metadata.target_address_path + level: custom + type: keyword + ignore_above: 1024 + description: The path of the memory region targeted by the API call. + example: C:\programdata\example.dll + default_field: false - name: Ext.api.name level: custom type: keyword ignore_above: 1024 description: The name of the API, usually the name of the function or system call. + example: VirtualAlloc + default_field: false + - name: Ext.api.parameters + level: custom + type: object + description: Parameter values passed to the API call. + default_field: false + - name: Ext.api.parameters.address + level: custom + type: unsigned_long + description: The target memory address. + example: 2431737462784 + default_field: false + - name: Ext.api.parameters.allocation_type + level: custom + type: keyword + ignore_above: 1024 + description: The type of memory allocation. Corresponds to `MEMORY_BASIC_INFORMATION.State` + example: COMMIT|RESERVE + default_field: false + - name: Ext.api.parameters.argument1 + level: custom + type: unsigned_long + description: The first argument to the procedure. + example: 1 + default_field: false + - name: Ext.api.parameters.argument2 + level: custom + type: unsigned_long + description: The second argument to the procedure. 
+ example: 2 + default_field: false + - name: Ext.api.parameters.argument3 + level: custom + type: unsigned_long + description: The third argument to the procedure. + example: 3 + default_field: false + - name: Ext.api.parameters.context_flags + level: custom + type: unsigned_long + description: The bitmask of CPU registers operated on by this call. Corresponds to `CONTEXT.ContextFlags` + example: 1048607 default_field: false - name: Ext.api.parameters.desired_access level: custom 
@@ -372,6 +482,74 @@ type: long description: This parameter indicates the numeric value of the `DesiredAccess` field passed to `OpenProcess` or `OpenThread`. default_field: false + - name: Ext.api.parameters.device + level: custom + type: keyword + ignore_above: 1024 + description: The name of the device object. + example: \Device\NPCAP + default_field: false + - name: Ext.api.parameters.driver + level: custom + type: keyword + ignore_above: 1024 + description: The name of the driver object. + example: \Driver\npcap + default_field: false + - name: Ext.api.parameters.eax + level: custom + type: unsigned_long + description: The x86 EAX general purpose register. Return value in __cdecl, __stdcall, __thiscall and __fastcall. + example: 0 + default_field: false + - name: Ext.api.parameters.ebp + level: custom + type: unsigned_long + description: The x86 EBP frame pointer register. + example: 15006644 + default_field: false + - name: Ext.api.parameters.ebx + level: custom + type: unsigned_long + description: The x86 EBX general purpose register. + example: 0 + default_field: false + - name: Ext.api.parameters.ecx + level: custom + type: unsigned_long + description: The x86 ECX general purpose register. First argument in __fastcall and __thiscall. + example: 0 + default_field: false + - name: Ext.api.parameters.edi + level: custom + type: unsigned_long + description: The x86 EDI general purpose register. + example: 0 + default_field: false + - name: Ext.api.parameters.edx + level: custom + type: unsigned_long + description: The x86 EDX general purpose register. Second argument in a __fastcall. + example: 0 + default_field: false + - name: Ext.api.parameters.eip + level: custom + type: unsigned_long + description: The x86 EIP instruction pointer register. + example: 1472790528 + default_field: false + - name: Ext.api.parameters.esi + level: custom + type: unsigned_long + description: The x86 ESI general purpose register. 
+ example: 0 + default_field: false + - name: Ext.api.parameters.esp + level: custom + type: unsigned_long + description: The x86 ESP stack pointer register. + example: 15007744 + default_field: false - name: Ext.api.parameters.handle_type level: custom type: keyword 
@@ -379,6 +557,107 @@ description: This parameter indicates whether the detected access was attempt against a process or a thread. example: process default_field: false + - name: Ext.api.parameters.procedure + level: custom + type: unsigned_long + description: The memory address of the procedure or function. + example: 2431737462784 + default_field: false + - name: Ext.api.parameters.protection + level: custom + type: keyword + ignore_above: 1024 + description: The memory protection for the region of pages. Corresponds to `MEMORY_BASIC_INFORMATION.Protect` + example: RWX|GUARD + default_field: false + - name: Ext.api.parameters.protection_old + level: custom + type: keyword + ignore_above: 1024 + description: The previous memory protection returned by the API call. Corresponds to `MEMORY_BASIC_INFORMATION.Protect` + example: RCX + default_field: false + - name: Ext.api.parameters.r8 + level: custom + type: unsigned_long + description: The x64 R8 general purpose register. Third argument in a __fastcall. + example: 3 + default_field: false + - name: Ext.api.parameters.r9 + level: custom + type: unsigned_long + description: The x64 R9 general purpose register. Fourth argument in a __fastcall. + example: 4 + default_field: false + - name: Ext.api.parameters.rax + level: custom + type: unsigned_long + description: The x64 RAX general purpose register. Return value in a __fastcall. + example: 0 + default_field: false + - name: Ext.api.parameters.rbp + level: custom + type: unsigned_long + description: The x64 RBP general purpose register. + example: 0 + default_field: false + - name: Ext.api.parameters.rbx + level: custom + type: keyword + ignore_above: 1024 + description: The x64 RBX general purpose register. + example: 0 + default_field: false + - name: Ext.api.parameters.rcx + level: custom + type: unsigned_long + description: The x64 RCX general purpose register. First argument in a __fastcall. 
+ example: 1 + default_field: false + - name: Ext.api.parameters.rdi + level: custom + type: unsigned_long + description: The x64 RDI general purpose register. + example: 0 + default_field: false + - name: Ext.api.parameters.rdx + level: custom + type: unsigned_long + description: The x64 RDX general purpose register. Second argument in a __fastcall. + example: 2 + default_field: false + - name: Ext.api.parameters.rip + level: custom + type: unsigned_long + description: The x64 RIP instruction pointer register. + example: 140706153693184 + default_field: false + - name: Ext.api.parameters.rsi + level: custom + type: keyword + ignore_above: 1024 + description: The x64 RSI general purpose register. + example: 0 + default_field: false + - name: Ext.api.parameters.rsp + level: custom + type: unsigned_long + description: The x64 RSP stack pointer register. + example: 2431737462784 + default_field: false + - name: Ext.api.parameters.size + level: custom + type: unsigned_long + description: The size. + example: 4096 + default_field: false + - name: Ext.api.summary + level: custom + type: keyword + ignore_above: 1024 + description: The summary of the API call and its parameters. + example: VirtualAllocEx( file.exe, NULL, 0x42000, COMMIT|RESERVE, RWX ) + default_field: false - name: Ext.code_signature level: custom type: nested 
@@ -414,6 +693,19 @@ Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false + - name: Ext.protection + level: custom + type: keyword + ignore_above: 1024 + description: Indicates the protection level of this process. Uses the same syntax as Process Explorer. Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, and PsProtectedSignerWindows-Light. + default_field: false + - name: Ext.token.integrity_level_name + level: custom + type: keyword + ignore_above: 1024 + description: Human readable integrity level. + example: one of "system", "high", "medium", "low", "untrusted" + default_field: false - name: code_signature.exists level: core type: boolean @@ -444,6 +736,22 @@ Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' default_field: false + - name: command_line + level: extended + type: wildcard + multi_fields: + - name: caseless + type: keyword + normalizer: lowercase + ignore_above: 1024 + - name: text + type: text + norms: false + description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false - name: entity_id level: extended type: keyword 
@@ -506,6 +814,23 @@ description: Fields describing a stack frame. call_stack is expected to be an array where each array element represents a stack frame. enabled: false default_field: false + - name: thread.Ext.call_stack.allocation_private_bytes + level: custom + type: unsigned_long + description: The number of bytes in this memory allocation/image that are both +X and non-shareable. Non-zero values can indicate code hooking, patching, or hollowing. + default_field: false + - name: thread.Ext.call_stack.callsite_leading_bytes + level: custom + type: keyword + ignore_above: 1024 + description: Hex opcode bytes preceding the callsite + default_field: false + - name: thread.Ext.call_stack.callsite_trailing_bytes + level: custom + type: keyword + ignore_above: 1024 + description: Hex opcode bytes after the callsite (where control will return to) + default_field: false - name: thread.Ext.call_stack.instruction_pointer level: custom type: keyword @@ -518,6 +843,24 @@ ignore_above: 1024 description: The path to the DLL/module containing `instruction_pointer`. default_field: false + - name: thread.Ext.call_stack.protection + level: custom + type: keyword + ignore_above: 1024 + description: Protection of the page containing this instruction. This is `R-X' by default if omitted. + default_field: false + - name: thread.Ext.call_stack.protection_provenance + level: custom + type: keyword + ignore_above: 1024 + description: The name of the memory region that last modified the protection of this page. "Unbacked" can indicate shellcode. + default_field: false + - name: thread.Ext.call_stack.symbol_info + level: custom + type: keyword + ignore_above: 1024 + description: The nearest symbol for `instruction_pointer`. + default_field: false - name: thread.Ext.call_stack_contains_unbacked level: custom type: boolean 
@@ -528,6 +871,68 @@ type: nested description: The final non-win32 module in the call stack. default_field: false + - name: thread.Ext.call_stack_final_user_module.code_signature + level: custom + type: nested + description: Code signature of the call_stack_final_user_module. + default_field: false + - name: thread.Ext.call_stack_final_user_module.code_signature.exists + level: custom + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: thread.Ext.call_stack_final_user_module.code_signature.status + level: custom + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: thread.Ext.call_stack_final_user_module.code_signature.subject_name + level: custom + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: thread.Ext.call_stack_final_user_module.code_signature.trusted + level: custom + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: thread.Ext.call_stack_final_user_module.code_signature.valid + level: custom + type: boolean + description: 'Boolean to capture if the digital signature is verified against the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: thread.Ext.call_stack_final_user_module.hash + level: custom + type: object + description: Hashes of the call_stack_final_user_module. 
+ default_field: false + - name: thread.Ext.call_stack_final_user_module.hash.sha256 + level: custom + type: keyword + ignore_above: 1024 + description: The sha256 of the call_stack_final_user_module. + example: d25ff1e6c6460a7f9de39198d182058c1712726008d187e1953b83abe977e4a0 + default_field: false + - name: thread.Ext.call_stack_final_user_module.name + level: custom + type: keyword + ignore_above: 1024 + description: The file name of the call_stack_final_user_module. + example: example.dll + default_field: false - name: thread.Ext.call_stack_final_user_module.path level: custom type: keyword @@ -535,6 +940,13 @@ description: The file path of the call_stack_final_user_module. example: C:\Program Files\Example\example.dll default_field: false + - name: thread.Ext.call_stack_final_user_module.protection_provenance + level: custom + type: keyword + ignore_above: 1024 + description: The name of the memory region that last modified the protection of this page. "Unbacked" may indicate shellcode. + example: third_party_hook.dll + default_field: false - name: thread.id level: extended type: long @@ -557,21 +969,6 @@ description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' - - name: email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - - name: full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: User's full name, if available. - example: Albert Einstein - name: hash level: extended type: keyword diff --git a/schemas/examples/v1/api_event_virtualprotect_windows.json b/schemas/examples/v1/api_event_virtualprotect_windows.json new file mode 100644 index 000000000..fe5eaac6a --- /dev/null +++ b/schemas/examples/v1/api_event_virtualprotect_windows.json 
@@ -0,0 +1,165 @@ +{ + "@timestamp": "2023-09-28T18:05:30.2669822Z", + "Target": { + "process": { + "pid": 9176 + } + }, + "_label": "labels_state_0", + "_state": 0, + "event": { + "category": [ + "api", + "intrusion_detection" + ], + "created": "2023-09-28T18:05:30.2669822Z", + "id": "NFL+DWc/3/kJDvWp++++++GV", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Threat-Intelligence", + "type": [ + "change" + ] + }, + "host": { + "architecture": "x86_64", + "hostname": "hostname", + "id": "dabadaba-0000-0000-0000-000000000000", + "ip": [ + "127.0.0.1", + "::1" + ], + "mac": [ + "00-00-00-00-00-00", + "00-00-00-00-00-01" + ], + "name": "system-name", + "os": { + "Ext": { + "variant": "Windows 10 Pro" + }, + "family": "windows", + "full": "Windows 10 Pro 22H2 (10.0.19045.3448)", + "kernel": "22H2 (10.0.19045.3448)", + "name": "Windows", + "platform": "windows", + "type": "windows", + "version": "22H2 (10.0.19045.3448)" + } + }, + "message": "Endpoint API event - VirtualProtect", + "process": { + "Ext": { + "ancestry": [ + "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTEwMTE2LTE2OTU5MjQyMTQuODgzNTAwMTAw", + "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTIwMjAtMTY5NTkyNDIxNC44NjMxMjk3MDA=", + "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTQ4OC0xNjk1NzU3MTk0LjY1NzA3NDEwMA==", + "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTU1MjQtMTY5NTc1NzEwOS4zNjU0MDcxMDA=", + "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTk0OTItMTY5NTkyNDIxNC44NzcyNDY3MDA=" + ], + "api": { + "behaviors": [ + "hollow_image" + ], + "metadata": { + "target_address_name": "clr.dll", + "target_address_path": "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll" + }, + "name": "VirtualProtect", + "parameters": { + "address": 140710045929472, + "name": "clr.dll", + "protection": "RWX", + "protection_old": "R-X", + "size": 272 + }, + "summary": "VirtualProtect( clr.dll, 0x110, RWX, R-X )" + }, + "code_signature": [], + "token": { + "integrity_level_name": 
"high" + } + }, + "code_signature": { + "exists": false + }, + "command_line": "c:\\temp\\LfsFileDeps\\Tools\\Tamper\\TamperETW.exe", + "entity_id": "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTkxNzYtMTY5NTkyNDMzMC4yMTc5MDE5MDA=", + "executable": "c:\\temp\\LfsFileDeps\\Tools\\Tamper\\TamperETW.exe", + "name": "TamperETW.exe", + "parent": { + "executable": "C:\\Program Files\\Python38\\python.exe" + }, + "pid": 9176, + "thread": { + "Ext": { + "call_stack": [ + { + "symbol_info": "c:\\windows\\system32\\ntdll.dll!ZwProtectVirtualMemory+0x14" + }, + { + "symbol_info": "c:\\windows\\system32\\kernelbase.dll!VirtualProtect+0x36" + }, + { + "symbol_info": "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll!StrongNameFreeBuffer+0xaae" + }, + { + "symbol_info": "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll!StrongNameSignatureVerification+0xed2f" + }, + { + "symbol_info": "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll!StrongNameSignatureVerification+0xe850" + }, + { + "symbol_info": "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll!LogHelp_TerminateOnAssert+0x55361" + }, + { + "symbol_info": "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll!IEE+0x2fed" + }, + { + "symbol_info": "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll!LogHelp_TerminateOnAssert+0x34389" + }, + { + "symbol_info": "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll!GetClassActivatorForApplicationImpl+0x70d3" + }, + { + "symbol_info": "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll!GetClassActivatorForApplicationImpl+0x6f8e" + }, + { + "symbol_info": "c:\\temp\\lfsfiledeps\\tools\\tamper\\tamperetw.exe+0x13c9" + }, + { + "symbol_info": "c:\\temp\\lfsfiledeps\\tools\\tamper\\tamperetw.exe+0x1794" + }, + { + "symbol_info": "c:\\windows\\system32\\kernel32.dll!BaseThreadInitThunk+0x14" + }, + { + "symbol_info": "c:\\windows\\system32\\ntdll.dll!RtlUserThreadStart+0x21" + } + ], + 
"call_stack_final_user_module": { + "code_signature": [ + { + "exists": true, + "status": "trusted", + "subject_name": "Microsoft Corporation", + "trusted": true + } + ], + "hash": { + "sha256": "157ac3f5978f8561b9d3d0951e13501baeb8b0a7400d85b92878758ab2137b94" + }, + "name": "clr.dll", + "path": "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll" + }, + "call_stack_summary": "ntdll.dll|kernelbase.dll|clr.dll|tamperetw.exe|kernel32.dll|ntdll.dll" + }, + "id": 8580 + } + }, + "user": { + "domain": "SYSTEM-NAME", + "id": "S-1-2-3-4-5-6-1001", + "name": "user" + } +} \ No newline at end of file diff --git a/schemas/v1/api/api.yaml b/schemas/v1/api/api.yaml index e4bcf09fa..4c034f073 100644 --- a/schemas/v1/api/api.yaml +++ b/schemas/v1/api/api.yaml 
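Review bot: the `behaviors` tag in the new example event looks inconsistent with the field's own definition: `"summary": "VirtualProtect( clr.dll, 0x110, RWX, R-X )"` with `"size": 272` is a small protection change on image memory, which the behaviors description assigns to `hook_api`, whereas `hollow_image` is described as a change to a large image region; either use the matching tag or document the small/large threshold in the description. Also add a trailing newline to the file (`\ No newline at end of file`).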
@@ -17,6 +17,70 @@ required: true short: Date/time when the event originated. type: date +Target.process.Ext: + dashed_name: Target-process-Ext + description: Object for all custom defined fields to live in. + flat_name: Target.process.Ext + level: custom + name: Ext + normalize: [] + original_fieldset: process + short: Object for all custom defined fields to live in. + type: object +Target.process.Ext.token.integrity_level_name: + dashed_name: Target-process-Ext-token-integrity-level-name + description: Human readable integrity level. + example: one of "system", "high", "medium", "low", "untrusted" + flat_name: Target.process.Ext.token.integrity_level_name + ignore_above: 1024 + level: custom + name: integrity_level_name + normalize: [] + original_fieldset: token + short: Human readable integrity level. + type: keyword +Target.process.entity_id: + dashed_name: Target-process-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: Target.process.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +Target.process.executable: + dashed_name: Target-process-executable + description: Absolute path to the process executable. 
+ example: /usr/bin/ssh + flat_name: Target.process.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: Target.process.executable.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword + - flat_name: Target.process.executable.text + name: text + norms: false + type: text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword Target.process.name: dashed_name: Target-process-name description: 'Process name. 
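Review bot: `example: one of "system", "high", "medium", "low", "untrusted"` on Target.process.Ext.token.integrity_level_name is an enumeration, not an example value; `example` should hold a single representative value (e.g. `high`, as in the example event) and the allowed set belongs in `description`. The same applies to process.Ext.token.integrity_level_name later in this patch.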
@@ -904,9 +968,85 @@ process.Ext.ancestry: normalize: [] short: An array of entity_ids indicating the ancestors for this event type: keyword +process.Ext.api.behaviors: + dashed_name: process-Ext-api-behaviors + description: "A list of observed behaviors.\n \"cross-process\" - the observed\ + \ activity was between two processes\n \"parent-child\" - the observed activity\ + \ was between a parent process and its child\n \"native_api\" - a call was made\ + \ directly to the Native API rather than the Win32 API\n \"direct_syscall\" -\ + \ a syscall instruction originated outside of the Native API layer\n \"proxy_call\"\ + \ - the call stack may indicate of a proxied API call to mask the true source\n\ + \ \"sensitive_api\" - executable non-image memory is unexpectedly calling a sensitive\ + \ API\n \"shellcode\" - suspicious executable non-image memory is calling a sensitive\ + \ API\n \"image_hooked\" - an entry in the callstack appears to have been hooked\n\ + \ \"image_indirect_call\" - an entry in the callstack was preceded by a call\ + \ to a dynamically resolved function\n \"image_rop\" - no call instruction preceded\ + \ an entry in the call stack\n \"image_rwx\" - an entry in the callstack is writable\n\ + \ \"unbacked_rwx\" - an entry in the callstack is non-image and writable\n \"\ + allocate_shellcode\" - a region of non-image executable memory allocated more\ + \ executable memory\n \"execute_fluctuation\" - the PAGE_EXECUTE protection is\ + \ unexpectedly fluctuating\n 'write_fluctuation\" - the PAGE_WRITE protection\ + \ of executable memory is unexpectedly fluctuating\n \"hook_api\" - a change\ + \ to the memory protection of a small executable image memory region was made\n\ + \ \"hollow_image\" - a change to the memory protection of a large executable\ + \ image memory region was made\n \"hook_unbacked\" - a change to the memory protection\ + \ of a small executable non-image memory was made\n 'hollow_unbacked\" - a change\ + \ to the memory 
protection of a large executable non-image memory was made\n \ + \ \"guarded_code\" - executable memory was unexpectedly marked as PAGE_GUARD\n\ + \ \"hidden_code\" - executable memory was unexpectedly marked as PAGE_NOACCESS\n\ + \ \"execute_shellcode\" - a region of non-image executable memory was unexpectedly\ + \ transferred control\n \"hardware_breakpoint_set\" - a hardware breakpoint was\ + \ set" + example: + - cross-process + - native_api + - shellcode + flat_name: process.Ext.api.behaviors + ignore_above: 1024 + level: custom + name: behaviors + normalize: [] + original_fieldset: api + short: A list of observed behaviors. + type: keyword +process.Ext.api.metadata: + dashed_name: process-Ext-api-metadata + description: Information related to the API call. + flat_name: process.Ext.api.metadata + level: custom + name: metadata + normalize: [] + original_fieldset: api + short: Information related to the API call. + type: object +process.Ext.api.metadata.target_address_name: + dashed_name: process-Ext-api-metadata-target-address-name + description: The name of the memory region targeted by the API call. + example: Unbacked + flat_name: process.Ext.api.metadata.target_address_name + ignore_above: 1024 + level: custom + name: metadata.target_address_name + normalize: [] + original_fieldset: api + short: The name of the memory region targeted by the API call. + type: keyword +process.Ext.api.metadata.target_address_path: + dashed_name: process-Ext-api-metadata-target-address-path + description: The path of the memory region targeted by the API call. + example: C:\programdata\example.dll + flat_name: process.Ext.api.metadata.target_address_path + ignore_above: 1024 + level: custom + name: metadata.target_address_path + normalize: [] + original_fieldset: api + short: The path of the memory region targeted by the API call. 
+ type: keyword process.Ext.api.name: dashed_name: process-Ext-api-name description: The name of the API, usually the name of the function or system call. + example: VirtualAlloc flat_name: process.Ext.api.name ignore_above: 1024 level: custom 
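Review bot: the process.Ext.api.behaviors description has mismatched quotes on two entries, `'write_fluctuation"` and `'hollow_unbacked"` (opening single quote, closing double quote), and two ungrammatical phrases, `may indicate of a proxied API call` and `was unexpectedly transferred control`; suggest `may indicate a proxied API call` and `was unexpectedly given control`. The same text is duplicated in custom_schemas/custom_api.yml earlier in this patch, so fix both copies.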
@@ -915,6 +1055,84 @@ process.Ext.api.name: original_fieldset: api short: The name of the API, usually the name of the function or system call. type: keyword +process.Ext.api.parameters: + dashed_name: process-Ext-api-parameters + description: Parameter values passed to the API call. + flat_name: process.Ext.api.parameters + level: custom + name: parameters + normalize: [] + original_fieldset: api + short: Parameter values passed to the API call. + type: object +process.Ext.api.parameters.address: + dashed_name: process-Ext-api-parameters-address + description: The target memory address. + example: 2431737462784 + flat_name: process.Ext.api.parameters.address + level: custom + name: parameters.address + normalize: [] + original_fieldset: api + short: The target memory address. + type: unsigned_long +process.Ext.api.parameters.allocation_type: + dashed_name: process-Ext-api-parameters-allocation-type + description: The type of memory allocation. Corresponds to `MEMORY_BASIC_INFORMATION.State` + example: COMMIT|RESERVE + flat_name: process.Ext.api.parameters.allocation_type + ignore_above: 1024 + level: custom + name: parameters.allocation_type + normalize: [] + original_fieldset: api + short: The type of memory allocation. Corresponds to `MEMORY_BASIC_INFORMATION.State` + type: keyword +process.Ext.api.parameters.argument1: + dashed_name: process-Ext-api-parameters-argument1 + description: The first argument to the procedure. + example: 1 + flat_name: process.Ext.api.parameters.argument1 + level: custom + name: parameters.argument1 + normalize: [] + original_fieldset: api + short: The first argument to the procedure. + type: unsigned_long +process.Ext.api.parameters.argument2: + dashed_name: process-Ext-api-parameters-argument2 + description: The second argument to the procedure. 
+ example: 2 + flat_name: process.Ext.api.parameters.argument2 + level: custom + name: parameters.argument2 + normalize: [] + original_fieldset: api + short: The second argument to the procedure. + type: unsigned_long +process.Ext.api.parameters.argument3: + dashed_name: process-Ext-api-parameters-argument3 + description: The third argument to the procedure. + example: 3 + flat_name: process.Ext.api.parameters.argument3 + level: custom + name: parameters.argument3 + normalize: [] + original_fieldset: api + short: The third argument to the procedure. + type: unsigned_long +process.Ext.api.parameters.context_flags: + dashed_name: process-Ext-api-parameters-context-flags + description: The bitmask of CPU registers operated on by this call. Corresponds + to `CONTEXT.ContextFlags` + example: 1048607 + flat_name: process.Ext.api.parameters.context_flags + level: custom + name: parameters.context_flags + normalize: [] + original_fieldset: api + short: The bitmask of CPU registers operated on by this call. Corresponds to `CONTEXT.ContextFlags` + type: unsigned_long process.Ext.api.parameters.desired_access: dashed_name: process-Ext-api-parameters-desired-access description: This parameter indicates the string value of the `DesiredAccess` field to @@ -922,9 +1140,9 @@ process.Ext.api.parameters.desired_access: flat_name: process.Ext.api.parameters.desired_access ignore_above: 1024 level: custom - name: desired_access + name: parameters.desired_access normalize: [] - original_fieldset: Credential_access + original_fieldset: api short: This parameter indicates the string value of the `DesiredAccess` field to `OpenProcess` or `OpenThread`. type: keyword 
@@ -934,12 +1152,138 @@ process.Ext.api.parameters.desired_access_numeric: passed to `OpenProcess` or `OpenThread`. flat_name: process.Ext.api.parameters.desired_access_numeric level: custom - name: desired_access_numeric + name: parameters.desired_access_numeric normalize: [] - original_fieldset: Credential_access + original_fieldset: api short: This parameter indicates the numeric value of the `DesiredAccess` field passed to `OpenProcess` or `OpenThread`. type: long +process.Ext.api.parameters.device: + dashed_name: process-Ext-api-parameters-device + description: The name of the device object. + example: \Device\NPCAP + flat_name: process.Ext.api.parameters.device + ignore_above: 1024 + level: custom + name: parameters.device + normalize: [] + original_fieldset: api + short: The name of the device object. + type: keyword +process.Ext.api.parameters.driver: + dashed_name: process-Ext-api-parameters-driver + description: The name of the driver object. + example: \Driver\npcap + flat_name: process.Ext.api.parameters.driver + ignore_above: 1024 + level: custom + name: parameters.driver + normalize: [] + original_fieldset: api + short: The name of the driver object. + type: keyword +process.Ext.api.parameters.eax: + dashed_name: process-Ext-api-parameters-eax + description: The x86 EAX general purpose register. Return value in __cdecl, __stdcall, + __thiscall and __fastcall. + example: 0 + flat_name: process.Ext.api.parameters.eax + level: custom + name: parameters.eax + normalize: [] + original_fieldset: api + short: The x86 EAX general purpose register. Return value in __cdecl, __stdcall, + __thiscall and __fastcall. + type: unsigned_long +process.Ext.api.parameters.ebp: + dashed_name: process-Ext-api-parameters-ebp + description: The x86 EBP frame pointer register. + example: 15006644 + flat_name: process.Ext.api.parameters.ebp + level: custom + name: parameters.ebp + normalize: [] + original_fieldset: api + short: The x86 EBP frame pointer register. 
+ type: unsigned_long +process.Ext.api.parameters.ebx: + dashed_name: process-Ext-api-parameters-ebx + description: The x86 EBX general purpose register. + example: 0 + flat_name: process.Ext.api.parameters.ebx + level: custom + name: parameters.ebx + normalize: [] + original_fieldset: api + short: The x86 EBX general purpose register. + type: unsigned_long +process.Ext.api.parameters.ecx: + dashed_name: process-Ext-api-parameters-ecx + description: The x86 ECX general purpose register. First argument in __fastcall + and __thiscall. + example: 0 + flat_name: process.Ext.api.parameters.ecx + level: custom + name: parameters.ecx + normalize: [] + original_fieldset: api + short: The x86 ECX general purpose register. First argument in __fastcall and __thiscall. + type: unsigned_long +process.Ext.api.parameters.edi: + dashed_name: process-Ext-api-parameters-edi + description: The x86 EDI general purpose register. + example: 0 + flat_name: process.Ext.api.parameters.edi + level: custom + name: parameters.edi + normalize: [] + original_fieldset: api + short: The x86 EDI general purpose register. + type: unsigned_long +process.Ext.api.parameters.edx: + dashed_name: process-Ext-api-parameters-edx + description: The x86 EDX general purpose register. Second argument in a __fastcall. + example: 0 + flat_name: process.Ext.api.parameters.edx + level: custom + name: parameters.edx + normalize: [] + original_fieldset: api + short: The x86 EDX general purpose register. Second argument in a __fastcall. + type: unsigned_long +process.Ext.api.parameters.eip: + dashed_name: process-Ext-api-parameters-eip + description: The x86 EIP instruction pointer register. + example: 1472790528 + flat_name: process.Ext.api.parameters.eip + level: custom + name: parameters.eip + normalize: [] + original_fieldset: api + short: The x86 EIP instruction pointer register. 
+ type: unsigned_long +process.Ext.api.parameters.esi: + dashed_name: process-Ext-api-parameters-esi + description: The x86 ESI general purpose register. + example: 0 + flat_name: process.Ext.api.parameters.esi + level: custom + name: parameters.esi + normalize: [] + original_fieldset: api + short: The x86 ESI general purpose register. + type: unsigned_long +process.Ext.api.parameters.esp: + dashed_name: process-Ext-api-parameters-esp + description: The x86 ESP stack pointer register. + example: 15007744 + flat_name: process.Ext.api.parameters.esp + level: custom + name: parameters.esp + normalize: [] + original_fieldset: api + short: The x86 ESP stack pointer register. + type: unsigned_long process.Ext.api.parameters.handle_type: dashed_name: process-Ext-api-parameters-handle-type description: This parameter indicates whether the detected access was attempt against 
@@ -948,12 +1292,194 @@ process.Ext.api.parameters.handle_type: flat_name: process.Ext.api.parameters.handle_type ignore_above: 1024 level: custom - name: handle_type + name: parameters.handle_type normalize: [] - original_fieldset: Credential_access + original_fieldset: api short: This parameter indicates whether the detected access was attempt against a process or a thread. type: keyword +process.Ext.api.parameters.procedure: + dashed_name: process-Ext-api-parameters-procedure + description: The memory address of the procedure or function. + example: 2431737462784 + flat_name: process.Ext.api.parameters.procedure + level: custom + name: parameters.procedure + normalize: [] + original_fieldset: api + short: The memory address of the procedure or function. + type: unsigned_long +process.Ext.api.parameters.protection: + dashed_name: process-Ext-api-parameters-protection + description: The memory protection for the region of pages. Corresponds to `MEMORY_BASIC_INFORMATION.Protect` + example: RWX|GUARD + flat_name: process.Ext.api.parameters.protection + ignore_above: 1024 + level: custom + name: parameters.protection + normalize: [] + original_fieldset: api + short: The memory protection for the region of pages. Corresponds to `MEMORY_BASIC_INFORMATION.Protect` + type: keyword +process.Ext.api.parameters.protection_old: + dashed_name: process-Ext-api-parameters-protection-old + description: The previous memory protection returned by the API call. Corresponds + to `MEMORY_BASIC_INFORMATION.Protect` + example: RCX + flat_name: process.Ext.api.parameters.protection_old + ignore_above: 1024 + level: custom + name: parameters.protection_old + normalize: [] + original_fieldset: api + short: The previous memory protection returned by the API call. Corresponds to `MEMORY_BASIC_INFORMATION.Protect` + type: keyword +process.Ext.api.parameters.r8: + dashed_name: process-Ext-api-parameters-r8 + description: The x64 R8 general purpose register. Third argument in a __fastcall. 
+ example: 3 + flat_name: process.Ext.api.parameters.r8 + level: custom + name: parameters.r8 + normalize: [] + original_fieldset: api + short: The x64 R8 general purpose register. Third argument in a __fastcall. + type: unsigned_long +process.Ext.api.parameters.r9: + dashed_name: process-Ext-api-parameters-r9 + description: The x64 R9 general purpose register. Fourth argument in a __fastcall. + example: 4 + flat_name: process.Ext.api.parameters.r9 + level: custom + name: parameters.r9 + normalize: [] + original_fieldset: api + short: The x64 R9 general purpose register. Fourth argument in a __fastcall. + type: unsigned_long +process.Ext.api.parameters.rax: + dashed_name: process-Ext-api-parameters-rax + description: The x64 RAX general purpose register. Return value in a __fastcall. + example: 0 + flat_name: process.Ext.api.parameters.rax + level: custom + name: parameters.rax + normalize: [] + original_fieldset: api + short: The x64 RAX general purpose register. Return value in a __fastcall. + type: unsigned_long +process.Ext.api.parameters.rbp: + dashed_name: process-Ext-api-parameters-rbp + description: The x64 RBP general purpose register. + example: 0 + flat_name: process.Ext.api.parameters.rbp + level: custom + name: parameters.rbp + normalize: [] + original_fieldset: api + short: The x64 RBP general purpose register. + type: unsigned_long +process.Ext.api.parameters.rbx: + dashed_name: process-Ext-api-parameters-rbx + description: The x64 RBX general purpose register. + example: 0 + flat_name: process.Ext.api.parameters.rbx + ignore_above: 1024 + level: custom + name: parameters.rbx + normalize: [] + original_fieldset: api + short: The x64 RBX general purpose register. + type: keyword +process.Ext.api.parameters.rcx: + dashed_name: process-Ext-api-parameters-rcx + description: The x64 RCX general purpose register. First argument in a __fastcall. 
+ example: 1 + flat_name: process.Ext.api.parameters.rcx + level: custom + name: parameters.rcx + normalize: [] + original_fieldset: api + short: The x64 RCX general purpose register. First argument in a __fastcall. + type: unsigned_long +process.Ext.api.parameters.rdi: + dashed_name: process-Ext-api-parameters-rdi + description: The x64 RDI general purpose register. + example: 0 + flat_name: process.Ext.api.parameters.rdi + level: custom + name: parameters.rdi + normalize: [] + original_fieldset: api + short: The x64 RDI general purpose register. + type: unsigned_long +process.Ext.api.parameters.rdx: + dashed_name: process-Ext-api-parameters-rdx + description: The x64 RDX general purpose register. Second argument in a __fastcall. + example: 2 + flat_name: process.Ext.api.parameters.rdx + level: custom + name: parameters.rdx + normalize: [] + original_fieldset: api + short: The x64 RDX general purpose register. Second argument in a __fastcall. + type: unsigned_long +process.Ext.api.parameters.rip: + dashed_name: process-Ext-api-parameters-rip + description: The x64 RIP instruction pointer register. + example: 140706153693184 + flat_name: process.Ext.api.parameters.rip + level: custom + name: parameters.rip + normalize: [] + original_fieldset: api + short: The x64 RIP instruction pointer register. + type: unsigned_long +process.Ext.api.parameters.rsi: + dashed_name: process-Ext-api-parameters-rsi + description: The x64 RSI general purpose register. + example: 0 + flat_name: process.Ext.api.parameters.rsi + ignore_above: 1024 + level: custom + name: parameters.rsi + normalize: [] + original_fieldset: api + short: The x64 RSI general purpose register. + type: keyword +process.Ext.api.parameters.rsp: + dashed_name: process-Ext-api-parameters-rsp + description: The x64 RSP stack pointer register. 
+ example: 2431737462784 + flat_name: process.Ext.api.parameters.rsp + level: custom + name: parameters.rsp + normalize: [] + original_fieldset: api + short: The x64 RSP stack pointer register. + type: unsigned_long +process.Ext.api.parameters.size: + dashed_name: process-Ext-api-parameters-size + description: The size. + example: 4096 + flat_name: process.Ext.api.parameters.size + level: custom + name: parameters.size + normalize: [] + original_fieldset: api + short: The size. + type: unsigned_long +process.Ext.api.summary: + dashed_name: process-Ext-api-summary + description: The summary of the API call and its parameters. + example: VirtualAllocEx( file.exe, NULL, 0x42000, COMMIT|RESERVE, RWX ) + flat_name: process.Ext.api.summary + ignore_above: 1024 + level: custom + name: summary + normalize: [] + original_fieldset: api + short: The summary of the API call and its parameters. + type: keyword process.Ext.code_signature: dashed_name: process-Ext-code-signature description: Nested version of ECS code_signature fieldset. 
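Review bot: `process.Ext.api.parameters.rbx` and `process.Ext.api.parameters.rsi` are declared `type: keyword` with `ignore_above: 1024` while every other register field in this hunk (rax, rcx, rdx, rdi, rbp, rsp, rip, r8, r9) is `type: unsigned_long`; this reads like a copy-paste slip and would rule out numeric queries on those two registers. Also `example: RCX` on `protection_old` looks like a register name rather than a protection string (the example event uses `R-X`), and `description: The size.` on `parameters.size` should state what is measured, e.g. `Size in bytes of the memory region.`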
@@ -1012,6 +1538,30 @@ process.Ext.code_signature.trusted: normalize: [] short: Stores the trust status of the certificate chain. type: boolean +process.Ext.protection: + dashed_name: process-Ext-protection + description: Indicates the protection level of this process. Uses the same syntax + as Process Explorer. Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, + and PsProtectedSignerWindows-Light. + flat_name: process.Ext.protection + ignore_above: 1024 + level: custom + name: Ext.protection + normalize: [] + short: OS-level protections granted to this process + type: keyword +process.Ext.token.integrity_level_name: + dashed_name: process-Ext-token-integrity-level-name + description: Human readable integrity level. + example: one of "system", "high", "medium", "low", "untrusted" + flat_name: process.Ext.token.integrity_level_name + ignore_above: 1024 + level: custom + name: integrity_level_name + normalize: [] + original_fieldset: token + short: Human readable integrity level. + type: keyword process.code_signature.exists: dashed_name: process-code-signature-exists description: Boolean to capture if a signature is present. 
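Review bot: `name: Ext.protection` on process.Ext.protection does not follow the convention of its sibling process.Ext.token.integrity_level_name (`name: integrity_level_name` with `original_fieldset: token`), the entry has no `original_fieldset`, and its `short` (`OS-level protections granted to this process`) does not summarise its `description` (protection level in Process Explorer syntax, e.g. PsProtectedSignerWinTcb); align the name and make `short` a summary of `description`.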
@@ -1065,6 +1615,29 @@ process.code_signature.trusted: original_fieldset: code_signature short: Stores the trust status of the certificate chain. type: boolean +process.command_line: + dashed_name: process-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.command_line + level: extended + multi_fields: + - flat_name: process.command_line.caseless + ignore_above: 1024 + name: caseless + normalizer: lowercase + type: keyword + - flat_name: process.command_line.text + name: text + norms: false + type: text + name: command_line + normalize: [] + short: Full command line that started the process. + type: wildcard process.entity_id: dashed_name: process-entity-id description: 'Unique identifier for the process. 
@@ -1160,6 +1733,40 @@ process.thread.Ext.call_stack: original_fieldset: call_stack short: Fields describing a stack frame. type: object +process.thread.Ext.call_stack.allocation_private_bytes: + dashed_name: process-thread-Ext-call-stack-allocation-private-bytes + description: The number of bytes in this memory allocation/image that are both +X + and non-shareable. Non-zero values can indicate code hooking, patching, or hollowing. + flat_name: process.thread.Ext.call_stack.allocation_private_bytes + level: custom + name: allocation_private_bytes + normalize: [] + original_fieldset: call_stack + short: The number of bytes in this memory allocation/image that are both +X and + non-shareable. Non-zero values can indicate code hooking, patching, or hollowing. + type: unsigned_long +process.thread.Ext.call_stack.callsite_leading_bytes: + dashed_name: process-thread-Ext-call-stack-callsite-leading-bytes + description: Hex opcode bytes preceding the callsite + flat_name: process.thread.Ext.call_stack.callsite_leading_bytes + ignore_above: 1024 + level: custom + name: callsite_leading_bytes + normalize: [] + original_fieldset: call_stack + short: Hex opcode bytes preceding the callsite + type: keyword +process.thread.Ext.call_stack.callsite_trailing_bytes: + dashed_name: process-thread-Ext-call-stack-callsite-trailing-bytes + description: Hex opcode bytes after the callsite (where control will return to) + flat_name: process.thread.Ext.call_stack.callsite_trailing_bytes + ignore_above: 1024 + level: custom + name: callsite_trailing_bytes + normalize: [] + original_fieldset: call_stack + short: Hex opcode bytes after the callsite (where control will return to) + type: keyword process.thread.Ext.call_stack.instruction_pointer: dashed_name: process-thread-Ext-call-stack-instruction-pointer description: The return address of this stack frame. 
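Review bot: `callsite_leading_bytes` and `callsite_trailing_bytes` are described only as `Hex opcode bytes`; the description should fix the encoding so consumers can parse the values consistently (hex case, whether bytes are separated, and how many bytes are captured on each side of the callsite). Minor: these two descriptions and shorts lack terminal periods while the neighbouring entries have them.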
@@ -1182,6 +1789,43 @@ process.thread.Ext.call_stack.module_path: original_fieldset: call_stack short: The path to the DLL/module containing `instruction_pointer`. type: keyword +process.thread.Ext.call_stack.protection: + dashed_name: process-thread-Ext-call-stack-protection + description: Protection of the page containing this instruction. This is `R-X' + by default if omitted. + flat_name: process.thread.Ext.call_stack.protection + ignore_above: 1024 + level: custom + name: protection + normalize: [] + original_fieldset: call_stack + short: Protection of the page containing this instruction. This is `R-X' by default + if omitted. + type: keyword +process.thread.Ext.call_stack.protection_provenance: + dashed_name: process-thread-Ext-call-stack-protection-provenance + description: The name of the memory region that last modified the protection of + this page. "Unbacked" can indicate shellcode. + flat_name: process.thread.Ext.call_stack.protection_provenance + ignore_above: 1024 + level: custom + name: protection_provenance + normalize: [] + original_fieldset: call_stack + short: The name of the memory region that last modified the protection of this page. "Unbacked" + can indicate shellcode. + type: keyword +process.thread.Ext.call_stack.symbol_info: + dashed_name: process-thread-Ext-call-stack-symbol-info + description: The nearest symbol for `instruction_pointer`. + flat_name: process.thread.Ext.call_stack.symbol_info + ignore_above: 1024 + level: custom + name: symbol_info + normalize: [] + original_fieldset: call_stack + short: The nearest symbol for `instruction_pointer`. + type: keyword process.thread.Ext.call_stack_contains_unbacked: dashed_name: process-thread-Ext-call-stack-contains-unbacked description: Indicates whether the creating thread's stack contains frames pointing 
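Review bot: the process.thread.Ext.call_stack.protection description mixes quote styles in `This is `R-X' by default if omitted.`, opening with a backtick and closing with an apostrophe; use a matching pair of backticks around R-X in both `description` and `short`.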
@@ -1202,6 +1846,109 @@ process.thread.Ext.call_stack_final_user_module: normalize: [] short: The final non-win32 module in the call stack. type: nested +process.thread.Ext.call_stack_final_user_module.code_signature: + dashed_name: process-thread-Ext-call-stack-final-user-module-code-signature + description: Code signature of the call_stack_final_user_module. + flat_name: process.thread.Ext.call_stack_final_user_module.code_signature + level: custom + name: thread.Ext.call_stack_final_user_module.code_signature + normalize: [] + short: Code signature of the call_stack_final_user_module. + type: nested +process.thread.Ext.call_stack_final_user_module.code_signature.exists: + dashed_name: process-thread-Ext-call-stack-final-user-module-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.thread.Ext.call_stack_final_user_module.code_signature.exists + level: custom + name: thread.Ext.call_stack_final_user_module.code_signature.exists + normalize: [] + short: Boolean to capture if a signature is present. + type: boolean +process.thread.Ext.call_stack_final_user_module.code_signature.status: + dashed_name: process-thread-Ext-call-stack-final-user-module-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.thread.Ext.call_stack_final_user_module.code_signature.status + ignore_above: 1024 + level: custom + name: thread.Ext.call_stack_final_user_module.code_signature.status + normalize: [] + short: Additional information about the certificate status. 
+ type: keyword +process.thread.Ext.call_stack_final_user_module.code_signature.subject_name: + dashed_name: process-thread-Ext-call-stack-final-user-module-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.thread.Ext.call_stack_final_user_module.code_signature.subject_name + ignore_above: 1024 + level: custom + name: thread.Ext.call_stack_final_user_module.code_signature.subject_name + normalize: [] + short: Subject name of the code signer + type: keyword +process.thread.Ext.call_stack_final_user_module.code_signature.trusted: + dashed_name: process-thread-Ext-call-stack-final-user-module-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.thread.Ext.call_stack_final_user_module.code_signature.trusted + level: custom + name: thread.Ext.call_stack_final_user_module.code_signature.trusted + normalize: [] + short: Stores the trust status of the certificate chain. + type: boolean +process.thread.Ext.call_stack_final_user_module.code_signature.valid: + dashed_name: process-thread-Ext-call-stack-final-user-module-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.thread.Ext.call_stack_final_user_module.code_signature.valid + level: custom + name: thread.Ext.call_stack_final_user_module.code_signature.valid + normalize: [] + short: Boolean to capture if the digital signature is verified against the binary + content. 
+ type: boolean +process.thread.Ext.call_stack_final_user_module.hash: + dashed_name: process-thread-Ext-call-stack-final-user-module-hash + description: Hashes of the call_stack_final_user_module. + flat_name: process.thread.Ext.call_stack_final_user_module.hash + level: custom + name: thread.Ext.call_stack_final_user_module.hash + normalize: [] + short: Hashes of the call_stack_final_user_module. + type: object +process.thread.Ext.call_stack_final_user_module.hash.sha256: + dashed_name: process-thread-Ext-call-stack-final-user-module-hash-sha256 + description: The sha256 of the call_stack_final_user_module. + example: d25ff1e6c6460a7f9de39198d182058c1712726008d187e1953b83abe977e4a0 + flat_name: process.thread.Ext.call_stack_final_user_module.hash.sha256 + ignore_above: 1024 + level: custom + name: thread.Ext.call_stack_final_user_module.hash.sha256 + normalize: [] + short: The sha256 of the call_stack_final_user_module. + type: keyword +process.thread.Ext.call_stack_final_user_module.name: + dashed_name: process-thread-Ext-call-stack-final-user-module-name + description: The file name of the call_stack_final_user_module. + example: example.dll + flat_name: process.thread.Ext.call_stack_final_user_module.name + ignore_above: 1024 + level: custom + name: thread.Ext.call_stack_final_user_module.name + normalize: [] + short: The file name of the call_stack_final_user_module. + type: keyword process.thread.Ext.call_stack_final_user_module.path: dashed_name: process-thread-Ext-call-stack-final-user-module-path description: The file path of the call_stack_final_user_module. 
@@ -1213,6 +1960,19 @@ process.thread.Ext.call_stack_final_user_module.path: normalize: [] short: The file path of the call_stack_final_user_module. type: keyword +process.thread.Ext.call_stack_final_user_module.protection_provenance: + dashed_name: process-thread-Ext-call-stack-final-user-module-protection-provenance + description: The name of the memory region that last modified the protection of + this page. "Unbacked" may indicate shellcode. + example: third_party_hook.dll + flat_name: process.thread.Ext.call_stack_final_user_module.protection_provenance + ignore_above: 1024 + level: custom + name: thread.Ext.call_stack_final_user_module.protection_provenance + normalize: [] + short: The name of the memory region that last modified the protection of this page. + "Unbacked" may indicate shellcode. + type: keyword process.thread.id: dashed_name: process-thread-id description: Thread ID. @@ -1236,31 +1996,6 @@ user.domain: normalize: [] short: Name of the directory the user is a member of. type: keyword -user.email: - dashed_name: user-email - description: User email address. - flat_name: user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - short: User email address. - type: keyword -user.full_name: - dashed_name: user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - short: User's full name, if available. - type: keyword user.hash: dashed_name: user-hash description: 'Unique user hash to correlate information for a user in anonymized
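Review bot: In the `@@ -1182,6 +1789,43 @@` hunk, the `description` and `short` of `process.thread.Ext.call_stack.protection` close the default value with a mismatched quote pair (`` `R-X' ``); use a matched pair such as `` `R-X` ``, and since this is a `keyword` field that detection authors will compare against, document the exact value format (for example whether a writable executable page is rendered as `RWX`, as the `summary` example earlier in the patch suggests) so rules match the literal strings the sensor emits.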
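Review bot: In the `@@ -1202,6 +1846,109 @@` hunk, `process.thread.Ext.call_stack_final_user_module.code_signature` is declared `type: nested` while its sibling `process.thread.Ext.call_stack_final_user_module.hash` in the same hunk is `type: object`; a single module carries one signature, so `object` is the expected type here, and `nested` changes how the `exists`, `trusted`, `valid` and `subject_name` subfields have to be queried. Minor: `description: Subject name of the code signer` and its `short` lack the trailing period the other entries use.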
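Review bot: In the `@@ -1213,6 +1960,19 @@` hunk, the `description` for `call_stack_final_user_module.protection_provenance` refers to "this page", text that matches the per-frame `call_stack.protection_provenance` field; at the module level it is unclear which page is meant, so state explicitly that it is the page containing the final user module's frame (or whichever page the sensor actually reports). The two fields also differ in wording ("can indicate shellcode" versus "may indicate shellcode"); pick one phrasing for both.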
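Review bot: In the `@@ -1236,31 +1996,6 @@` hunk, dropping `user.email` and `user.full_name` (together with the `user.full_name.text` multi-field) is a breaking change for any mapping, detection rule or dashboard that reads those fields from this schema; the commit message should state why they are removed and the removal should be called out in the changelog, or the fields kept if anything still populates them.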