hids

package
v1.8.0-beta.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 7, 2021 License: Apache-2.0 Imports: 44 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// Actions
	ActionKill      = "kill"
	ActionBlacklist = "blacklist"
	ActionMemdump   = "memdump"
	ActionFiledump  = "filedump"
	ActionRegdump   = "regdump"
	ActionReport    = "report"
	ActionBrief     = "brief"
)
View Source 
const (
	EdrTraceName        = `EdrTrace`
	EdrTraceGuid        = "{e32c0429-d46b-47a9-ab6c-074012efe5ba}"
	EdrTraceLogFileMode = 0x8001c0
)
View Source 
const (
	SysmonProcessCreate
	SysmonFileTime
	SysmonNetworkConnect
	SysmonServiceStateChange
	SysmonProcessTerminate
	SysmonDriverLoad
	SysmonImageLoad
	SysmonCreateRemoteThread
	SysmonRawAccessRead
	SysmonAccessProcess
	SysmonFileCreate
	SysmonRegKey
	SysmonRegSetValue
	SysmonRegName
	SysmonCreateStreamHash
	SysmonServiceConfigurationChange
	SysmonCreateNamedPipe
	SysmonConnectNamedPipe
	SysmonWMIFilter
	SysmonWMIConsumer
	SysmonWMIBinding
	SysmonDNSQuery
	SysmonFileDelete
	SysmonClipboardChange
	SysmonProcessTampering
	SysmonFileDeleteDetected
)

Sysmon Event IDs

View Source 
const (
	// https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663
	SecurityAccessObject = 4663
)

Variables

View Source 
var (
	Autologger = etw.AutoLogger{
		Name:        EdrTraceName,
		Guid:        EdrTraceGuid,
		LogFileMode: EdrTraceLogFileMode,
	}
)
View Source 
var (
	AvailableActions = []string{
		ActionKill,
		ActionBlacklist,
		ActionMemdump,
		ActionFiledump,
		ActionRegdump,
		ActionReport,
		ActionBrief,
	}
)
View Source 
var (
	ContainRuleName = "EDR containment"
)
View Source 
var (
	IoCRules = []engine.Rule{
		ruleHashIoC(),
		ruleDomainIoC(),
	}
)

Functions

This section is empty.

Types

type ActionHandler 

type ActionHandler struct {
	// contains filtered or unexported fields
}

func NewActionHandler 

func NewActionHandler(h *HIDS) *ActionHandler

func (*ActionHandler) HandleActions 

func (m *ActionHandler) HandleActions(e *event.EdrEvent)

func (*ActionHandler) Queue 

func (m *ActionHandler) Queue(e *event.EdrEvent)

func (*ActionHandler) Run 

func (m *ActionHandler) Run()

type ActionsConfig 

type ActionsConfig struct {
	AvailableActions []string `` /* 164-byte string literal not displayed */
	Low              []string `toml:"low" comment:"Default actions to be taken when event criticality is in [1; 4]"`
	Medium           []string `toml:"medium" comment:"Default actions to be taken when event criticality is in [5; 7]"`
	High             []string `toml:"high" comment:"Default actions to be taken when event criticality is in [8; 9]"`
	Critical         []string `toml:"critical" comment:"Default actions to be taken when event criticality is 10"`
}

type ActivityTracker 

type ActivityTracker struct {
	sync.RWMutex

	// driver loaded
	Drivers []DriverInfo
	// contains filtered or unexported fields
}

func NewActivityTracker 

func NewActivityTracker() *ActivityTracker

func (*ActivityTracker) Add 

func (pt *ActivityTracker) Add(t *ProcessTrack)

func (*ActivityTracker) Blacklist 

func (pt *ActivityTracker) Blacklist(cmdLine string)

func (*ActivityTracker) CheckDumpCountOrInc 

func (pt *ActivityTracker) CheckDumpCountOrInc(guid string, max int, dfault bool) bool

returns true if DumpCount member of processTrack is below max argument and increments if necessary. This function is used to check whether we should still dump information given a guid

func (*ActivityTracker) ContainsGuid 

func (pt *ActivityTracker) ContainsGuid(guid string) bool

func (*ActivityTracker) ContainsPID 

func (pt *ActivityTracker) ContainsPID(pid int64) bool

func (*ActivityTracker) GetByGuid 

func (pt *ActivityTracker) GetByGuid(guid string) *ProcessTrack

func (*ActivityTracker) GetByPID 

func (pt *ActivityTracker) GetByPID(pid int64) *ProcessTrack

func (*ActivityTracker) GetModuleOrUpdate 

func (pt *ActivityTracker) GetModuleOrUpdate(i *ModuleInfo) *ModuleInfo

GetModuleOrUpdate retrieves an already existing ModuleInfo or updates the map of known ModuleInfo and returns the ModuleInfo updated

func (*ActivityTracker) GetParentByGuid 

func (pt *ActivityTracker) GetParentByGuid(guid string) *ProcessTrack

func (*ActivityTracker) IsBlacklisted 

func (pt *ActivityTracker) IsBlacklisted(cmdLine string) bool

func (*ActivityTracker) IsTerminated 

func (pt *ActivityTracker) IsTerminated(guid string) bool

func (*ActivityTracker) Modules 

func (pt *ActivityTracker) Modules() (s []ModuleInfo)

func (*ActivityTracker) PS 

func (pt *ActivityTracker) PS() map[string]ProcessTrack

func (*ActivityTracker) Terminate 

func (pt *ActivityTracker) Terminate(guid string) error

type AuditConfig 

type AuditConfig struct {
	Enable        bool     `toml:"enable" comment:"Enable following Audit Policies or not"`
	AuditPolicies []string `toml:"audit-policies" comment:"Audit Policies to enable (c.f. auditpol /get /category:* /r)"`
	AuditDirs     []string `` /* 218-byte string literal not displayed */
}

AuditConfig holds Windows audit configuration

func (*AuditConfig) Configure 

func (c *AuditConfig) Configure()

Configure configures the desired audit policies

func (*AuditConfig) Restore 

func (c *AuditConfig) Restore()

Restore the audit policies

type CanariesConfig 

type CanariesConfig struct {
	Enable    bool      `toml:"enable" comment:"Enable canary files management"`
	Actions   []string  `toml:"actions" comment:"Actions to apply when a canary file is touched"`
	Whitelist []string  `toml:"whitelist" comment:"Process images being allowed to touch the canaries"`
	Canaries  []*Canary `toml:"group" comment:"Canary files to create at every run"`
}

CanariesConfig structure holding canary configuration

func (*CanariesConfig) Clean 

func (c *CanariesConfig) Clean()

Clean cleans up the canaries

func (*CanariesConfig) Configure 

func (c *CanariesConfig) Configure()

Configure creates canaries and set ACLs if needed

func (*CanariesConfig) GenRuleFSAudit 

func (c *CanariesConfig) GenRuleFSAudit() (r engine.Rule)

GenRuleFSAudit generate a rule matching FS Audit events for the configured canaries

func (*CanariesConfig) GenRuleSysmon 

func (c *CanariesConfig) GenRuleSysmon() (r engine.Rule)

GenRuleSysmon generate a rule matching sysmon events for the configured canaries

func (*CanariesConfig) RestoreACLs 

func (c *CanariesConfig) RestoreACLs()

RestoreACLs restore EDR configured ACLs

type Canary 

type Canary struct {
	HideFiles       bool     `toml:"hide-files" comment:"Flag to set to hide files"`
	HideDirectories bool     `toml:"hide-dirs" comment:"Flag to set to hide directories"`
	SetAuditACL     bool     `` /* 231-byte string literal not displayed */
	Directories     []string `toml:"directories" comment:"Directories where canary files will be created"`
	Files           []string `toml:"files" comment:"Canary files to monitor. Files will be created if not existing"`
	Delete          bool     `toml:"delete" comment:"Whether to delete or not the canary files when service stops"`
	// contains filtered or unexported fields
}

Canary configuration

type ConStat 

type ConStat struct {
	FirstSeen string          `json:"first-seen"`
	LastSeen  string          `json:"last-seen"`
	Resolved  map[string]uint `json:"resolved"`
	Ports     map[uint16]uint `json:"ports"`
	Count     int             `json:"count"`
}

type Config 

type Config struct {
	//Channels        []string             `toml:"channels" comment:"Windows log channels to listen to. Either channel names\n can be used (i.e. Microsoft-Windows-Sysmon/Operational) or aliases"`
	CritTresh       int                  `` /* 140-byte string literal not displayed */
	EnableHooks     bool                 `toml:"en-hooks" comment:"Enable enrichment hooks and dump hooks"`
	EnableFiltering bool                 ``                                                                              /* 143-byte string literal not displayed */
	Logfile         string               `toml:"logfile" comment:"Logfile used to log messages generated by the engine"` // for WHIDS log messages (not alerts)
	LogAll          bool                 `toml:"log-all" comment:"Log any incoming event passing through the engine"`    // log all events to logfile (used for debugging)
	Endpoint        bool                 ``                                                                              /* 135-byte string literal not displayed */
	EtwConfig       *EtwConfig           `toml:"etw" comment:"ETW configuration"`
	FwdConfig       *api.ForwarderConfig `toml:"forwarder" comment:"Forwarder configuration"`
	Sysmon          *SysmonConfig        `toml:"sysmon" comment:"Sysmon related settings"`
	Actions         *ActionsConfig       `toml:"actions" comment:"Default actions to apply to events, depending on their criticality"`
	Dump            *DumpConfig          `toml:"dump" comment:"Dump related settings"`
	Report          *ReportConfig        `toml:"reporting" comment:"Reporting related settings"`
	RulesConfig     *RulesConfig         `` /* 154-byte string literal not displayed */
	AuditConfig     *AuditConfig         `toml:"audit" comment:"Windows auditing configuration"`
	CanariesConfig  *CanariesConfig      `toml:"canaries" comment:"Canary files configuration"`
}

Config structure

func LoadsHIDSConfig 

func LoadsHIDSConfig(path string) (c Config, err error)

LoadsHIDSConfig loads a HIDS configuration from a file

func (*Config) IsForwardingEnabled 

func (c *Config) IsForwardingEnabled() bool

IsForwardingEnabled returns true if a forwarder is actually configured to forward logs

func (*Config) Prepare 

func (c *Config) Prepare()

Prepare creates directory used in the config if not existing

func (*Config) Verify 

func (c *Config) Verify() error

Verify validate HIDS configuration object

type DriverInfo 

type DriverInfo struct {

	/* Public */
	Image           string            `json:"image"`
	HashesMap       map[string]string `json:"hashes"`
	Signed          bool              `json:"signed"`
	Signature       string            `json:"signature"`
	SignatureStatus string            `json:"signature-status"`
	// contains filtered or unexported fields
}

func DriverInfoFromEvent 

func DriverInfoFromEvent(e *event.EdrEvent) (i *DriverInfo)

type DumpConfig 

type DumpConfig struct {
	Dir           string `toml:"dir" comment:"Directory used to store dumps"`
	MaxDumps      int    `toml:"max-dumps" comment:"Maximum number of dumps per process"` // maximum number of dump per GUID
	Compression   bool   `toml:"compression" comment:"Enable dumps compression"`
	DumpUntracked bool   `` // whether or not we should dump untracked processes, if true it would create many FPs
	/* 145-byte string literal not displayed */
}

DumpConfig structure definition

type EtwConfig 

type EtwConfig struct {
	Providers []string `toml:"providers" comment:"ETW providers to enable in the EDR autologger setting"`
	Traces    []string `toml:"traces" comment:"Additional ETW traces to retrieve events"`
}

func (*EtwConfig) ConfigureAutologger 

func (c *EtwConfig) ConfigureAutologger() (lastErr error)

func (*EtwConfig) UnifiedTraces 

func (c *EtwConfig) UnifiedTraces() []string

type FileInfo 

type FileInfo struct {
	Dir     string            `json:"dir"`
	Name    string            `json:"name"`
	Size    int64             `json:"size"`
	ModTime time.Time         `json:"modtime"`
	Type    string            `json:"type"`
	Hashes  map[string]string `json:"hashes,omitempty"`
}

func (*FileInfo) FromFSFileInfo 

func (fi *FileInfo) FromFSFileInfo(fsfi fs.FileInfo)

func (*FileInfo) Hash 

func (fi *FileInfo) Hash() error

func (*FileInfo) Path 

func (fi *FileInfo) Path() string

type FileStats 

type FileStats struct {
	LastAccessed           *datastructs.RingSet `json:"last-accessed"`
	CountFilesCreated      int64                `json:"file-create-count"`
	CountFilesCreatedByExt map[string]int64     `json:"file-create-count-by-ext"`
	TimeFirstFileCreated   time.Time            `json:"first-file-create"`
	TimeLastFileCreated    time.Time            `json:"last-file-create"`
	CountFilesDeleted      int64                `json:"file-delete-count"`
	CountFilesDeletedByExt map[string]int64     `json:"file-delete-count-by-ext"`
	TimeFirstFileDeleted   time.Time            `json:"first-file-delete"`
	TimeLastFileDeleted    time.Time            `json:"last-file-delete"`
}

type Filter 

type Filter struct {
	EventIDs *datastructs.SyncedSet
	Channel  string
}

Filter structure

func NewFilter 

func NewFilter(eids []int64, channel string) *Filter

NewFilter creates a new Filter structure

func (*Filter) Match 

func (f *Filter) Match(e *event.EdrEvent) bool

Match checks if an event matches the filter

type HIDS 

type HIDS struct {
	sync.RWMutex // Mutex to lock the IDS when updating rules

	Engine   *engine.Engine
	DryRun   bool
	PrintAll bool
	// contains filtered or unexported fields
}

HIDS structure

func NewHIDS 

func NewHIDS(c *Config) (h *HIDS, err error)

NewHIDS creates a new HIDS object from configuration

func (*HIDS) IsHIDSEvent 

func (h *HIDS) IsHIDSEvent(e *event.EdrEvent) bool

IsHIDSEvent returns true if the event is generated by IDS activity

func (*HIDS) LogStats 

func (h *HIDS) LogStats()

LogStats logs whids statistics

func (*HIDS) Report 

func (h *HIDS) Report(light bool) (r Report)

Report generate a forensic ready report (meant to be dumped) this method is blocking as it runs commands and wait after those

func (*HIDS) Run 

func (h *HIDS) Run()

Run starts the WHIDS engine and waits channel listening is stopped

func (*HIDS) Stop 

func (h *HIDS) Stop()

Stop stops the IDS

func (*HIDS) Wait 

func (h *HIDS) Wait()

Wait waits the IDS to finish

func (*HIDS) WaitWithTimeout 

func (h *HIDS) WaitWithTimeout(timeout time.Duration)

WaitWithTimeout waits the IDS to finish

type Hook 

type Hook func(*HIDS, *event.EdrEvent)

Hook structure definition hooking functions are supposed to run quickly since it is run synchronously with the Gene scanner. Likewise, the hooking functions should never panic the program.

type HookManager 

type HookManager struct {
	sync.RWMutex
	Filters []*Filter
	Hooks   []Hook
	// contains filtered or unexported fields
}

HookManager structure definition to easier handle hooks

func NewHookMan 

func NewHookMan() *HookManager

NewHookMan creates a new HookManager structure

func (*HookManager) Hook 

func (hm *HookManager) Hook(h Hook, f *Filter)

Hook register a hook for a given filter

func (*HookManager) RunHooksOn 

func (hm *HookManager) RunHooksOn(h *HIDS, e *event.EdrEvent) (ret bool)

RunHooksOn runs the hook on a given event

type ModuleInfo 

type ModuleInfo struct {
	Image            string            `json:"image"`
	FileVersion      string            `json:"file-version"`
	Description      string            `json:"description"`
	Product          string            `json:"product"`
	Company          string            `json:"company"`
	OriginalFileName string            `json:"orginal-filename"`
	Hashes           map[string]string `json:"hashes"`
	Signature        string            `json:"signature"`
	SignatureStatus  string            `json:"signature-status"`
	Signed           bool              `json:"signed"`
	// Statistics
	LoadCount int64     `json:"load-count"`
	FirstLoad time.Time `json:"first-load"`
	LastLoad  time.Time `json:"last-load"`
	// contains filtered or unexported fields
}

func ModuleInfoFromEvent 

func ModuleInfoFromEvent(e *event.EdrEvent) (i *ModuleInfo)

func (*ModuleInfo) Id 

func (i *ModuleInfo) Id() string

func (*ModuleInfo) UpdateStatistics 

func (i *ModuleInfo) UpdateStatistics(other *ModuleInfo)

type OSQueryConfig 

type OSQueryConfig struct {
	Bin    string   `toml:"bin" comment:"Path to osqueryi binary"`
	Tables []string `toml:"tables" comment:"OSQuery tables to add to the report"`
}

OSQueryConfig holds configuration about OSQuery tool

func (*OSQueryConfig) PrepareCommands 

func (c *OSQueryConfig) PrepareCommands() (cmds []ReportCommand)

PrepareCommands builds up osquery commands

type ProcStats 

type ProcStats struct {
	CreateProcessCount int64               `json:"create-process-count"`
	Connections        map[string]*ConStat `json:"connections"`
	Files              FileStats           `json:"files"`
}

func NewProcStats 

func NewProcStats() ProcStats

func (*ProcStats) ConStat 

func (p *ProcStats) ConStat(ip string) *ConStat

func (*ProcStats) UpdateCon 

func (p *ProcStats) UpdateCon(timestamp, ip string, port uint16)

func (*ProcStats) UpdateNetResolve 

func (p *ProcStats) UpdateNetResolve(timestamp, ip, qname string)

type ProcessTrack 

type ProcessTrack struct {

	/* Public */
	Image                  string            `json:"image"`
	ParentImage            string            `json:"parent-image"`
	PID                    int64             `json:"pid"`
	CommandLine            string            `json:"command-line"`
	ParentCommandLine      string            `json:"parent-command-line"`
	CurrentDirectory       string            `json:"cwd"`
	ParentCurrentDirectory string            `json:"parent-cwd"`
	ProcessGUID            string            `json:"process-guid"`
	User                   string            `json:"user"`
	ParentUser             string            `json:"parent-user"`
	IntegrityLevel         string            `json:"integrity-lvl"`
	ParentIntegrityLevel   string            `json:"parent-integrity-lvl"`
	ParentProcessGUID      string            `json:"parent-process-guid"`
	Services               string            `json:"services"`
	ParentServices         string            `json:"parent-services"`
	HashesMap              map[string]string `json:"hashes"`
	Signature              string            `json:"signature"`
	SignatureStatus        string            `json:"signature-status"`
	Signed                 bool              `json:"signed"`
	Ancestors              []string          `json:"ancestors"`
	Modules                []*ModuleInfo     `json:"modules"`
	Integrity              float64           `json:"integrity"`
	IntegrityTimeout       bool              `json:"integrity-timeout"`
	MemDumped              bool              `json:"memory-dumped"`
	DumpCount              int               `json:"dump-count"`
	ChildCount             int               `json:"child-count"` // number of currently running child proceses
	Stats                  ProcStats         `json:"statistics"`
	ThreatScore            ThreatScore       `json:"threat-score"`
	Terminated             bool              `json:"terminated"`
	TimeTerminated         time.Time         `json:"time-terminated"`
	// contains filtered or unexported fields
}

func NewProcessTrack 

func NewProcessTrack(image, pguid, guid string, pid int64) *ProcessTrack

NewProcessTrack creates a new processTrack structure enforcing that minimal information is encoded (image, guid, pid)

func (*ProcessTrack) SetHashes 

func (t *ProcessTrack) SetHashes(hashes string)

func (*ProcessTrack) TerminateProcess 

func (t *ProcessTrack) TerminateProcess() error

type Report 

type Report struct {
	Processes map[string]ProcessTrack `json:"processes"`
	Modules   []ModuleInfo            `json:"modules"`
	Drivers   []DriverInfo            `json:"drivers"`
	Commands  []ReportCommand         `json:"commands"`
	StartTime time.Time               `json:"start-timestamp"` // time at which report generation started
	StopTime  time.Time               `json:"stop-timestamp"`  // time at which report generation stopped
}

Report structure

type ReportCommand 

type ReportCommand struct {
	Description string        `json:"description" toml:"description" comment:"Description of the command to run, for reporting purposes"`
	Name        string        `json:"name" toml:"name" comment:"Name of the command to execute (can be a binary)"`
	Args        []string      `json:"args" toml:"args" comment:"Argument of the command line"`
	ExpectJSON  bool          `json:"expect-json" toml:"expect-json" comment:"Expect JSON formated output on stdout"`
	Stdout      interface{}   `json:"stdout" toml:",omitempty"`
	Stderr      []byte        `json:"stderr" toml:",omitempty"`
	Error       string        `json:"error" toml:",omitempty"`
	Timestamp   time.Time     `json:"timestamp" toml:",omitempty"`
	Timeout     time.Duration `` /* 141-byte string literal not displayed */
}

ReportCommand is a structure both to configure commands to run in a report but also to store the outcome of the command after it ran

func (*ReportCommand) Run 

func (c *ReportCommand) Run()

Run the desired command

type ReportConfig 

type ReportConfig struct {
	EnableReporting bool            `toml:"en-reporting" comment:"Enables IR reporting"`
	OSQuery         OSQueryConfig   `toml:"osquery" comment:"OSQuery configuration"`
	Commands        []ReportCommand `toml:"commands" comment:"Commands to execute in addition to the OSQuery ones" commented:"true"`
	CommandTimeout  time.Duration   `toml:"timeout" comment:"Timeout after which every command expires (to prevent too long commands)"`
}

ReportConfig holds report configuration

func (*ReportConfig) PrepareCommands 

func (c *ReportConfig) PrepareCommands() (cmds []ReportCommand)

PrepareCommands builds up all commands to run

type RulesConfig 

type RulesConfig struct {
	RulesDB        string        `toml:"rules-db" comment:"Path to Gene rules database"`
	ContainersDB   string        `toml:"containers-db" comment:"Path to Gene rules containers\n (c.f. Gene documentation)"`
	UpdateInterval time.Duration `` /* 146-byte string literal not displayed */
}

RulesConfig holds rules configuration

func (*RulesConfig) RulesPaths 

func (c *RulesConfig) RulesPaths() (path, sha256Path string)

type SysmonConfig 

type SysmonConfig struct {
	Bin              string `toml:"bin" comment:"Path to Sysmon binary"`
	ArchiveDirectory string `toml:"archive-directory" comment:"Path to Sysmon Archive directory"`
	CleanArchived    bool   `toml:"clean-archived" comment:"Delete files older than 5min archived by Sysmon"`
}

SysmonConfig holds Sysmon related configuration

type ThreatScore 

type ThreatScore struct {
	Signatures map[string]uint `json:"signatures"`
	Score      int64           `json:"score"`
}

func NewGeneScore 

func NewGeneScore() ThreatScore

func (*ThreatScore) Update 

func (g *ThreatScore) Update(d *engine.Detection)

type WalkItem 

type WalkItem struct {
	Dirs  []FileInfo `json:"dirs"`
	Files []FileInfo `json:"files"`
	Err   string     `json:"err"`
}

func (*WalkItem) FromWalkerWalkItem 

func (wi *WalkItem) FromWalkerWalkItem(o fswalker.WalkItem)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.