From 79c0b555e065c6662ce75b8cce0794ae16cabe2e Mon Sep 17 00:00:00 2001
From: lvoloshyn-sekoia
Date: Wed, 11 Dec 2024 16:59:31 +0200
Subject: [PATCH] Fix parser
---
 .../ingest/parser.yml | 6 +-
 .../test_observed_attack_technique_1.json | 43 ++++++++++-
 .../test_observed_attack_technique_2.json | 62 +++++++++++++++-
 .../test_observed_attack_technique_3.json | 73 ++++++++++++++++++-
 4 files changed, 175 insertions(+), 9 deletions(-)
diff --git a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml
index ca5137a4b..48899d3a2 100644
--- a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml
+++ b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml
@@ -26,8 +26,8 @@ stages:
 host.ip: "{{parsed_event.message.endpoint.ips}}"
 agent.id: "{{parsed_event.message.endpoint.agentGuid}}"
- event.start: "{{parsed_event.message.detail.firstSeen}}"
- event.end: "{{parsed_event.message.detail.lastSeen}}"
+ event.start: "{{parsed_event.message.detail.firstSeen | to_rfc3339}}"
+ event.end: "{{parsed_event.message.detail.lastSeen | to_rfc3339}}"
 host.id: "{{parsed_event.message.detail.endpointGuid}}"
 host.os.name: "{{parsed_event.message.detail.osName}}"
@@ -38,7 +38,7 @@ stages:
 process.parent.pid: "{{parsed_event.message.detail.processPid}}"
 process.parent.user.name: "{{parsed_event.message.detail.processUser}}"
 process.parent.user.domain: "{{parsed_event.message.detail.processUserDomain}}"
- process.parent.start: "{{parsed_event.message.detail.processLaunchTime}}"
+ process.parent.start: "{{parsed_event.message.detail.processLaunchTime | to_rfc3339}}"
 process.parent.command_line: "{{parsed_event.message.detail.processCmd}}"
 process.parent.executable: "{{parsed_event.message.detail.processFilePath}}"
 process.parent.hash.sha1: "{{parsed_event.message.detail.processFileHashSha1}}"
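Review bot: The `to_rfc3339` filter on `event.start` and `event.end` is applied unconditionally, so a `detail` object that lacks `firstSeen` or `lastSeen` now feeds an empty value into the filter; whether that yields an empty field, an invalid date, or an error that discards the whole event depends on the filter implementation, which this hunk does not show. All three fixtures in this commit have both fields present, so a negative fixture (an event without `lastSeen`) would pin the intended behaviour. The raw values appear to be epoch milliseconds (the untouched grandparent launch time still shows `1732638953785` in the fixtures), which is worth stating next to the mapping: `# firstSeen/lastSeen arrive as epoch milliseconds; to_rfc3339 normalises them to UTC ISO 8601`.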
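Review bot: Only the parent's launch time gets `| to_rfc3339` here, while the fixtures updated in this same commit still emit `process.parent.parent.start` as the raw string `"1732638953785"` next to an RFC 3339 `process.parent.start`, so two `date`-typed fields of one event now use different representations and the grandparent value will fail or be mis-indexed under an ECS mapping. The mapping line that feeds `process.parent.parent.start` is outside the hunks shown, but it needs the same filter applied, and the fixtures for tests 2 and 3 regenerated afterwards. A one-line comment on this stage noting that every `*LaunchTime`/`*Seen` field must go through `to_rfc3339` would stop the next field from being added without it.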
diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_1.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_1.json index 0d28969ed..db07963ed 100644 --- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_1.json +++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_1.json @@ -8,7 +8,8 @@ "category": [ "intrusion_detection" ], - "kind": "alert", + "end": "2022-04-12T23:43:15Z", + "start": "2022-04-12T23:43:15Z", "type": [ "info" ] @@ -18,20 +19,54 @@ "id": "b1cde761-16ad-4067-9a57-cbea882915df" }, "host": { + "id": "b1cde761-16ad-4067-9a57-cbea882915df", "ip": [ "150.183.13.135", "433e:5c7b:50b0:d145:2c61:9d1d:f317:627e" ], - "name": "LAB-Luwak-1048" + "name": "LAB-Luwak-1048", + "os": { + "full": "Windows 10 Enterprise (64 bit) build 19044", + "name": "Windows", + "version": "10.0.19044" + } }, "observer": { "product": "Vision One", "vendor": "TrendMicro" }, + "process": { + "command_line": "C:\\Windows\\system32\\sppsvc.exe", + "name": "C:\\Windows\\System32\\services.exe", + "parent": { + "command_line": "C:\\Windows\\system32\\services.exe", + "executable": "C:\\Windows\\System32\\services.exe", + "hash": { + "md5": "dac02fbf9bebb39e34afe11bfddf2f83", + "sha1": "a75988a89b1e18c5af82f5f4f5e28f9c91c2cd3e", + "sha256": "ab6acff524930ed8fddd84787a8d65ec9ed0b6b62727dac4a23a1ec7a13b4b08" + }, + "pid": 672, + "start": "2022-03-09T11:43:02.237000Z", + "user": { + "domain": "NT AUTHORITY", + "name": "SYSTEM" + } + }, + "pid": 3832 + }, "related": { + "hash": [ + "a75988a89b1e18c5af82f5f4f5e28f9c91c2cd3e", + "ab6acff524930ed8fddd84787a8d65ec9ed0b6b62727dac4a23a1ec7a13b4b08", + "dac02fbf9bebb39e34afe11bfddf2f83" + ], "ip": [ "150.183.13.135", "433e:5c7b:50b0:d145:2c61:9d1d:f317:627e" + ], + "user": [ + "NETWORK SERVICE" ] }, "threat": { 
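Review bot: The expected output drops `"kind": "alert"` from `event`, yet the parser.yml hunks in this commit only add timestamp filters and nothing visible removes an `event.kind` mapping; either the fixture was regenerated against a parser that never set it, or the mapping was lost somewhere outside the diff. For an `intrusion_detection` event `event.kind` is what detection rules and dashboards key on, so silently losing it is a regression for consumers even if the tests pass. If the field is intentionally gone the commit message should say so, and the parser should set it explicitly (whether `alert` or `event` is the right value for an observed attack technique is for the integration owner to confirm) rather than leave it to a default.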
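Review bot: In the new `process` object, `process.name` is `C:\Windows\System32\services.exe`, the same full path as `process.parent.executable`, while `process.command_line` is `sppsvc.exe`; the second fixture repeats the pattern (`process.name` is the parent's `powershell_ise.exe` path, the command line is `klist.exe`). ECS `process.name` is the basename of the process itself, so this looks like the name is sourced from the acting (parent) process path; the mapping line is outside the hunks shown but the fixtures now codify the mismatch. Likewise `related.user` lists only `NETWORK SERVICE` although `process.parent.user.name` is `SYSTEM`, whereas `related.user` is meant to collect every user that appears in the event so a single pivot finds it. Both deserve a fix in the parser and a regenerated expected output rather than being frozen into the test.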
@@ -48,6 +83,10 @@ ] } } + }, + "user": { + "domain": "NT AUTHORITY", + "name": "NETWORK SERVICE" } } } \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_2.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_2.json index 8fdb4ce20..8c7b1898d 100644 --- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_2.json +++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_2.json @@ -8,7 +8,8 @@ "category": [ "intrusion_detection" ], - "kind": "alert", + "end": "2024-11-26T16:45:02.571000Z", + "start": "2024-11-26T16:45:02.571000Z", "type": [ "info" ] 
@@ -17,21 +18,74 @@ "agent": { "id": "9f6b89c4-c3b2-4b9f-9401-dae324506ceb" }, + "group": { + "id": "3927f750-c536-480a-ae9f-d9ede20f4a9e" + }, "host": { + "id": "1c7a31e1-89e1-4192-aa7b-a341e6a8ebf1", "ip": [ "1802:d896:65fe:b84:742d:615:f69b:6600", "239.144.71.57" ], - "name": "Windows10" + "name": "Windows10", + "os": { + "full": "Windows 10 Pro (64 bit) build 19045", + "name": "Windows", + "version": "10.0.19045" + } }, "observer": { "product": "Vision One", "vendor": "TrendMicro" }, + "process": { + "command_line": "\"C:\\Windows\\system32\\klist.exe\"", + "name": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "parent": { + "command_line": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "hash": { + "md5": "fe6a3a98112b13aaad196444afcc041c", + "sha1": "0aea4fdd45c998bcf774e85ec478ab2e71fb8b4b", + "sha256": "09f94c21bc54d3de56b4007b0d650cb54a1dbbb91dc1d537426ac442448c4eed" + }, + "parent": { + "command_line": "C:\\Windows\\Explorer.EXE", + "executable": "C:\\Windows\\explorer.exe", + "hash": { + "md5": "a377274ae8e84c7e8ff5fd1b3bb9d080", + "sha1": "b1db7fd8ea0d2fb6ca854609c9ff7de5a822b316", + "sha256": "4e5fe7cf2873f4e4157d6592154179f6efe0b200dbb72fbdca039e4e4c72d4ac" + }, + "name": "C:\\Windows\\explorer.exe", + "pid": "9920", + "start": "1732638953785", + "user": { + "domain": "Windows10", + "name": "jdoe" + } + }, + "pid": 5040, + "start": "2024-11-26T16:37:55.967000Z", + "user": { + "domain": "Windows10", + "name": "jdoe" + } + }, + "pid": 3464 + }, "related": { + "hash": [ + "09f94c21bc54d3de56b4007b0d650cb54a1dbbb91dc1d537426ac442448c4eed", + "0aea4fdd45c998bcf774e85ec478ab2e71fb8b4b", + "fe6a3a98112b13aaad196444afcc041c" + ], "ip": [ "1802:d896:65fe:b84:742d:615:f69b:6600", "239.144.71.57" + ], + "user": [ + "jdoe" ] }, "threat": { 
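Review bot: `process.parent.parent.pid` is the string `"9920"` while `process.parent.pid` is the integer `5040`, and `process.parent.parent.start` is the raw `"1732638953785"` next to an RFC 3339 `process.parent.start`; a field that changes type between nesting levels is rejected or coerced by an ECS index mapping (`pid` is `long`, `start` is `date`), so the grandparent fields will not be searchable like the parent ones. `related.hash` also carries only the parent's three hashes and not explorer.exe's, so a hunt pivoting on the grandparent's SHA-256 misses this event. The mapping lines for the `parent.parent` fields are outside the hunks shown, but this fixture should not be accepted until they emit an integer pid, a `to_rfc3339` start, and add their hashes to `related.hash`.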
@@ -48,6 +102,10 @@ "id": [] } } + }, + "user": { + "domain": "Windows10", + "name": "jdoe" } } } \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_3.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_3.json index bd467af87..c482f07d9 100644 --- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_3.json +++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_3.json 
@@ -8,27 +8,96 @@ "category": [ "intrusion_detection" ], - "kind": "alert", + "end": "2024-11-26T16:45:03.446000Z", + "start": "2024-11-26T16:45:01.774000Z", "type": [ "info" ] }, "@timestamp": "2024-11-26T16:45:01Z", + "action": { + "properties": { + "ScriptBlockText": [ + "\r\n $_.PSParentPath.Replace(\"Microsoft.PowerShell.Core\\FileSystem::\", \"\")\r\n ", + "\r\n [String]::Format(\"{0,10} {1,8}\", $_.LastWriteTime.ToString(\"d\"), $_.LastWriteTime.ToString(\"t\"))\r\n ", + "\r\n if ($_.FullyQualifiedErrorId -ne \"NativeCommandErrorMessage\" -and $ErrorView -ne \"CategoryView\")\r\n {\r\n $myinv = $_.InvocationInfo\r\n if ($myinv -and $myinv.MyCommand)\r\n {\r\n switch -regex ( $myinv.MyCommand.CommandType )\r\n {\r\n ([System.Management.Automation.CommandTypes]::ExternalScript)\r\n {\r\n if ($myinv.MyCommand.Path)\r\n {\r\n $myinv.MyCommand.Path + \" : \"\r\n }\r\n break\r\n }\r\n ([System.Management.Automation.CommandTypes]::Script)\r\n {\r\n if ($myinv.MyCommand.ScriptBlock)\r\n {\r\n $myinv.MyCommand.ScriptBlock.ToString() + \" : \"\r\n }\r\n break\r\n }\r\n default\r\n {\r\n if ($myinv.InvocationName -match '^[&\\.]?$')\r\n {\r\n if ($myinv.MyCommand.Name)\r\n {\r\n $myinv.MyCommand.Name + \" : \"\r\n }\r\n }\r\n else\r\n {\r\n $myinv.InvocationName + \" : \"\r\n }\r\n break\r\n }\r\n }\r\n }\r\n elseif ($myinv -and $myinv.InvocationName)\r\n {\r\n $myinv.InvocationName + \" : \"\r\n }\r\n }\r\n ", + "\r\n if ($_.FullyQualifiedErrorId -eq \"NativeCommandErrorMessage\") {\r\n $_.Exception.Message \r\n }\r\n else\r\n {\r\n $myinv = $_.InvocationInfo\r\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\r\n $posmsg = $myinv.PositionMessage\r\n } else {\r\n $posmsg = \"\"\r\n }\r\n \r\n if ($posmsg -ne \"\")\r\n {\r\n $posmsg = \"`n\" + $posmsg\r\n }\r\n \t\t\t\t \r\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\r\n $posmsg = \" : \" + $_.PSMessageDetails + $posmsg \r\n }\r\n\r\n $indent = 4\r\n $width = 
$host.UI.RawUI.BufferSize.Width - $indent - 2\r\n\r\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\r\n if ($errorCategoryMsg -ne $null)\r\n {\r\n $indentString = \"+ CategoryInfo : \" + $_.ErrorCategory_Message\r\n }\r\n else\r\n {\r\n $indentString = \"+ CategoryInfo : \" + $_.CategoryInfo\r\n }\r\n $posmsg += \"`n\"\r\n foreach($line in @($indentString -split \"(.{$width})\")) { if($line) { $posmsg += (\" \" * $indent + $line) } }\r\n\r\n $indentString = \"+ FullyQualifiedErrorId : \" + $_.FullyQualifiedErrorId\r\n $posmsg += \"`n\"\r\n foreach($line in @($indentString -split \"(.{$width})\")) { if($line) { $posmsg += (\" \" * $indent + $line) } }\r\n\r\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\r\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\r\n {\r\n $indentString = \"+ PSComputerName : \" + $originInfo.PSComputerName\r\n $posmsg += \"`n\"\r\n foreach($line in @($indentString -split \"(.{$width})\")) { if($line) { $posmsg += (\" \" * $indent + $line) } }\r\n }\r\n\r\n if ($ErrorView -eq \"CategoryView\") {\r\n $_.CategoryInfo.GetMessage()\r\n }\r\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\r\n $_.Exception.Message + $posmsg + \"`n \"\r\n } else {\r\n $_.ErrorDetails.Message + $posmsg\r\n }\r\n }\r\n ", + "if ($_ -is [System.IO.DirectoryInfo]) { return '' }\r\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\r\n{\r\n return '({0})' -f $_.Length\r\n}\r\nreturn $_.Length", + "{\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\n if ($passwordFound) {\n Write-Host \"Possible Password found: $_\" -ForegroundColor Yellow\n Write-Host $Path.FullName\n Write-Host -ForegroundColor Blue \"$_ triggered\"\n Write-Host $passwordFound -ForegroundColor Red\n }\n }", + "{\n $path = $_\n #Exclude files/folders with 'lang' in the name\n if ($Path.FullName | select-string \"(?i).*lang.*\") {\n #Write-Host \"$($_.FullName) found!\" -ForegroundColor red\n }\n if($Path.FullName | Select-String \"(?i).:\\\\.*\\\\.*Pass.*\"){\n write-host -ForegroundColor Blue \"$($path.FullName) contains the word 'pass'\"\n }\n if($Path.FullName | Select-String \".:\\\\.*\\\\.*user.*\" ){\n Write-Host -ForegroundColor Blue \"$($path.FullName) contains the word 'user' -excluding the 'users' directory\"\n }\n # If path name ends with common excel extensions\n elseif ($Path.FullName | Select-String \".*\\.xls\",\".*\\.xlsm\",\".*\\.xlsx\") {\n if ($ReadExcel -and $Excel) {\n Search-Excel -Source $Path.FullName -SearchText \"user\"\n Search-Excel -Source $Path.FullName -SearchText \"pass\"\n }\n }\n else {\n if ($path.Length -gt 0) {\n # Write-Host -ForegroundColor Blue \"Path name matches extension search: $path\"\n }\n if ($path.FullName | Select-String \"(?i).*SiteList\\.xml\") {\n Write-Host \"Possible MCaffee Site List Found: $($_.FullName)\"\n Write-Host \"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\" -ForegroundColor Yellow\n }\n $regexSearch.keys | ForEach-Object {\n $passwordFound = Get-Content $path.FullName -ErrorAction 
SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\n if ($passwordFound) {\n Write-Host \"Possible Password found: $_\" -ForegroundColor Yellow\n Write-Host $Path.FullName\n Write-Host -ForegroundColor Blue \"$_ triggered\"\n Write-Host $passwordFound -ForegroundColor Red\n }\n }\n } \n }", + "{\n Write-Host $_.FullName\n }", + "{\n $Drive = $_\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\n $path = $_\n #Exclude files/folders with 'lang' in the name\n if ($Path.FullName | select-string \"(?i).*lang.*\") {\n #Write-Host \"$($_.FullName) found!\" -ForegroundColor red\n }\n if($Path.FullName | Select-String \"(?i).:\\\\.*\\\\.*Pass.*\"){\n write-host -ForegroundColor Blue \"$($path.FullName) contains the word 'pass'\"\n }\n if($Path.FullName | Select-String \".:\\\\.*\\\\.*user.*\" ){\n Write-Host -ForegroundColor Blue \"$($path.FullName) contains the word 'user' -excluding the 'users' directory\"\n }\n # If path name ends with common excel extensions\n elseif ($Path.FullName | Select-String \".*\\.xls\",\".*\\.xlsm\",\".*\\.xlsx\") {\n if ($ReadExcel -and $Excel) {\n Search-Excel -Source $Path.FullName -SearchText \"user\"\n Search-Excel -Source $Path.FullName -SearchText \"pass\"\n }\n }\n else {\n if ($path.Length -gt 0) {\n # Write-Host -ForegroundColor Blue \"Path name matches extension search: $path\"\n }\n if ($path.FullName | Select-String \"(?i).*SiteList\\.xml\") {\n Write-Host \"Possible MCaffee Site List Found: $($_.FullName)\"\n Write-Host \"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\" -ForegroundColor Yellow\n }\n $regexSearch.keys | ForEach-Object {\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\n if ($passwordFound) {\n Write-Host \"Possible Password found: $_\" -ForegroundColor Yellow\n Write-Host $Path.FullName\n Write-Host 
-ForegroundColor Blue \"$_ triggered\"\n Write-Host $passwordFound -ForegroundColor Red\n }\n }\n } \n }\n}", + "{\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\n Write-Host \"$_ Found!\" -ForegroundColor red\n }\n}", + "{\n if (Test-Path $_) {\n Write-Host \"$_ found.\"\n }\n}", + "{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }", + "{ Set-StrictMode -Version 1; $_.OriginInfo }", + "{ Set-StrictMode -Version 1; $_.PSMessageDetails }" + ] + } + }, "agent": { "id": "8e53268d-8348-4fd4-a314-b742448960c9" }, + "group": { + "id": "a1c0d757-0961-40a4-8a00-bf9b2922d5de" + }, "host": { + "id": "9567d4bc-ce0b-45cf-b259-138beb4c80c3", "ip": [ "1802:d896:65fe:b84:742d:615:f69b:6600", "193.103.164.106" ], - "name": "Windows10" + "name": "Windows10", + "os": { + "full": "Windows 10 Pro (64 bit) build 19045", + "name": "Windows", + "version": "10.0.19045" + } }, "observer": { "product": "Vision One", "vendor": "TrendMicro" }, + "process": { + "name": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "parent": { + "command_line": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "hash": { + "md5": "bd5cf4568d83088240e3b33f9f9838b1", + "sha1": "b1692a60d67dc55538f9a25ad3874a6a8f6bb089", + "sha256": "4388c298be8260741724ebf8b414ca063247d6a0d5d5aa5318f90edda3189cd2" + }, + "parent": { + "command_line": "C:\\Windows\\Explorer.EXE", + "executable": "C:\\Windows\\explorer.exe", + "hash": { + "md5": "f8ad78f2ad64799786242d69ef77edd7", + "sha1": "f021ca2dca81ee77aa80467096a804a26cd11364", + "sha256": "f2e4604dfae18859b13a4efee601df6937e99dd96251c11205c30022b308868f" + }, + "name": "C:\\Windows\\explorer.exe", + "pid": "9920", + "start": "1732638953785", + "user": { + "domain": "Windows10", + "name": "jdoe" + } + }, + "pid": 5040, + "start": "2024-11-26T16:37:55.967000Z", + "user": { + "domain": "Windows10", + "name": "jdoe" + } + } + }, 
"related": { + "hash": [ + "4388c298be8260741724ebf8b414ca063247d6a0d5d5aa5318f90edda3189cd2", + "b1692a60d67dc55538f9a25ad3874a6a8f6bb089", + "bd5cf4568d83088240e3b33f9f9838b1" + ], "ip": [ "1802:d896:65fe:b84:742d:615:f69b:6600", "193.103.164.106"