agent

Constants

const (
	// Actions.
	//
	// Names of the response actions the agent can be asked to take on an
	// event. They are plain strings, so a rule must spell them exactly as
	// written here; presumably ActionHandler.HandleActions dispatches on
	// these values — confirm against the handler.
	ActionKill      = "kill"
	ActionBlacklist = "blacklist"
	ActionMemdump   = "memdump"
	ActionFiledump  = "filedump"
	ActionRegdump   = "regdump"
	ActionReport    = "report"
	ActionBrief     = "brief"
)
// Sysmon Event IDs, one constant per Sysmon event type, in event-id order.
//
// NOTE(review): as rendered here the first constant carries no initializer,
// which would not compile as a Go const block. Sysmon numbers these events
// from 1 (ProcessCreate = 1, FileTime = 2, ...), so the source presumably
// reads `SysmonProcessCreate = iota + 1` — confirm against the source file.
const (
	SysmonProcessCreate
	SysmonFileTime
	SysmonNetworkConnect
	SysmonServiceStateChange
	SysmonProcessTerminate
	SysmonDriverLoad
	SysmonImageLoad
	SysmonCreateRemoteThread
	SysmonRawAccessRead
	SysmonAccessProcess
	SysmonFileCreate
	SysmonRegKey
	SysmonRegSetValue
	SysmonRegName
	SysmonCreateStreamHash
	SysmonServiceConfigurationChange
	SysmonCreateNamedPipe
	SysmonConnectNamedPipe
	SysmonWMIFilter
	SysmonWMIConsumer
	SysmonWMIBinding
	SysmonDNSQuery
	SysmonFileDelete
	SysmonClipboardChange
	SysmonProcessTampering
	SysmonFileDeleteDetected
)

Sysmon Event IDs

// Microsoft-Windows-Kernel-File/Analytic event identifiers.
//
// The first value is 10 (iota + 10) and the rest follow consecutively, so
// KernelFileQueryEA is 33. KernelFileOperations maps each of these to a
// short operation name.
const (
	KernelFileNameCreate int64 = iota + 10
	KernelFileNameDelete
	KernelFileCreate
	KernelFileCleanup
	KernelFileClose
	KernelFileRead
	KernelFileWrite
	KernelFileSetInformation
	KernelFileSetDelete
	KernelFileRename
	KernelFileDirEnum
	KernelFileFlush
	KernelFileQueryInformation
	KernelFileFSCTL
	KernelFileOperationEnd
	KernelFileDirNotify
	KernelFileDeletePath
	KernelFileRenamePath
	KernelFileSetLinkPath
	KernelFileCreateNewFile
	KernelFileSetSecurity
	KernelFileQuerySecurity
	KernelFileSetEA
	KernelFileQueryEA
)

Microsoft-Windows-Kernel-File/Analytic

const (
	// ZeroProtectionLevel is the value used where no valid process protection
	// level is available (presumably the default for
	// ProcessTrack.ProtectionLevel — confirm). 0xffffffff is PROTECTION_SAME,
	// but that value is a flag used by the Windows API and is not itself a
	// valid protection level, so it cannot collide with a real one.
	ZeroProtectionLevel = uint32(math.MaxUint32)
)

Variables

// Containment and event-rate tunables.
//
// NOTE(review): these are exported package-level vars rather than consts,
// so any importer can change them at runtime; if they are meant as fixed
// defaults, consider consts or an explicit config field.
var (
	// ContainRuleName is the rule name under which EDR containment is
	// reported.
	ContainRuleName = "EDR containment"
	// MaxEPS is the events-per-second threshold; presumably the tresh
	// argument passed to NewEventStats — confirm.
	MaxEPS          = float64(300)
	// MaxEPSDuration is how long the rate must exceed MaxEPS; presumably the
	// dur argument passed to NewEventStats — confirm.
	MaxEPSDuration  = 30 * time.Second
)
// Performance-issue tunables (exported vars, so mutable by importers).
var (
	// CriticalityFactor is presumably the multiplier that turns the EPS
	// threshold into the critical one (see EventStats.CriticalEPS) — confirm.
	CriticalityFactor float64 = 2
	// MaxIssuesInARow is presumably the number of consecutive performance
	// issues tolerated before the agent reacts — confirm.
	MaxIssuesInARow   uint    = 10
)
var (
	// IoCRules is the set of built-in engine rules matching indicators of
	// compromise: one for hashes and one for domains. ruleHashIoC and
	// ruleDomainIoC are unexported and not shown in this listing.
	IoCRules = []engine.Rule{
		ruleHashIoC(),
		ruleDomainIoC(),
	}
)
var (
	// KernelFileOperations maps every Microsoft-Windows-Kernel-File event id
	// (the KernelFile* constants) to a short operation name. Each constant of
	// that block has exactly one entry here.
	KernelFileOperations = map[int64]string{
		KernelFileNameCreate:       "NameCreate",
		KernelFileNameDelete:       "NameDelete",
		KernelFileCreate:           "Create",
		KernelFileCleanup:          "Cleanup",
		KernelFileClose:            "Close",
		KernelFileRead:             "Read",
		KernelFileWrite:            "Write",
		KernelFileSetInformation:   "SetInformation",
		KernelFileSetDelete:        "SetDelete",
		KernelFileRename:           "Rename",
		KernelFileDirEnum:          "DirEnum",
		KernelFileFlush:            "Flush",
		KernelFileQueryInformation: "QueryInformation",
		KernelFileFSCTL:            "FSCTL",
		KernelFileOperationEnd:     "OperationEnd",
		KernelFileDirNotify:        "DirNotify",
		KernelFileDeletePath:       "DeletePath",
		KernelFileRenamePath:       "RenamePath",
		KernelFileSetLinkPath:      "SetLinkPath",
		KernelFileCreateNewFile:    "CreateNewFile",
		KernelFileSetSecurity:      "SetSecurity",
		KernelFileQuerySecurity:    "QuerySecurity",
		KernelFileSetEA:            "SetEA",
		KernelFileQueryEA:          "QueryEA",
	}
)

Functions

func BuildDefaultConfig

func BuildDefaultConfig(root string) *config.Agent

func EventDataPath

func EventDataPath(field string) *engine.XPath

Types

type ActionHandler

// ActionHandler handles the response actions requested for an event (see
// HandleActions and Queue). All its fields are unexported; create one with
// NewActionHandler, which takes the owning *Agent.
type ActionHandler struct {
	// contains filtered or unexported fields
}

func NewActionHandler

func NewActionHandler(h *Agent) *ActionHandler

func (*ActionHandler) HandleActions

func (m *ActionHandler) HandleActions(e *event.EdrEvent)

func (*ActionHandler) Queue

func (m *ActionHandler) Queue(e *event.EdrEvent)

type ActivityTracker

// ActivityTracker keeps the agent's view of process, module, driver and
// kernel-file activity (see the Add*, Get*, Contains* and Is* methods).
// Create one with NewActivityTracker.
//
// It embeds sync.RWMutex, so Lock/RLock/Unlock/RUnlock are part of its
// exported API and callers outside this package can take the lock.
type ActivityTracker struct {
	sync.RWMutex

	// Drivers lists the drivers loaded so far, as built by DriverInfoFromEvent.
	Drivers []DriverInfo
	// contains filtered or unexported fields
}

func NewActivityTracker

func NewActivityTracker() *ActivityTracker

func (*ActivityTracker) Add

func (pt *ActivityTracker) Add(t *ProcessTrack)

func (*ActivityTracker) AddKernelFile

func (pt *ActivityTracker) AddKernelFile(f *KernelFile)

func (*ActivityTracker) Blacklist

func (pt *ActivityTracker) Blacklist(cmdLine string)

func (*ActivityTracker) CheckDumpCountOrInc

func (pt *ActivityTracker) CheckDumpCountOrInc(guid string, max int, dfault bool) bool

CheckDumpCountOrInc returns true if the DumpCount member of the ProcessTrack is below the max argument, incrementing it if necessary. This function is used to check whether we should still dump information for a given guid.

func (*ActivityTracker) ContainsGuid

func (pt *ActivityTracker) ContainsGuid(guid string) bool

func (*ActivityTracker) ContainsPID

func (pt *ActivityTracker) ContainsPID(pid int64) bool

func (*ActivityTracker) DelKernelFile

func (pt *ActivityTracker) DelKernelFile(key uint64)

func (*ActivityTracker) GetByGuid

func (pt *ActivityTracker) GetByGuid(guid string) *ProcessTrack

GetByGuid gets a process track by process GUID. If none is found, an empty ProcessTrack is returned.

func (*ActivityTracker) GetByPID

func (pt *ActivityTracker) GetByPID(pid int64) *ProcessTrack

GetByPID gets a process track by PID. If none is found, an empty ProcessTrack is returned.

func (*ActivityTracker) GetKernelFile

func (pt *ActivityTracker) GetKernelFile(key uint64) (f *KernelFile, ok bool)

func (*ActivityTracker) GetModuleOrUpdate

func (pt *ActivityTracker) GetModuleOrUpdate(i *ModuleInfo) *ModuleInfo

GetModuleOrUpdate retrieves an already existing ModuleInfo, or updates the map of known ModuleInfo and returns the updated ModuleInfo.

func (*ActivityTracker) GetParentByGuid

func (pt *ActivityTracker) GetParentByGuid(guid string) *ProcessTrack

func (*ActivityTracker) IsBlacklisted

func (pt *ActivityTracker) IsBlacklisted(cmdLine string) bool

func (*ActivityTracker) IsTerminated

func (pt *ActivityTracker) IsTerminated(guid string) bool

func (*ActivityTracker) Modules

func (pt *ActivityTracker) Modules() (s []ModuleInfo)

func (*ActivityTracker) PS

func (pt *ActivityTracker) PS() map[string]ProcessTrack

func (*ActivityTracker) SourceTrackFromEvent

func (pt *ActivityTracker) SourceTrackFromEvent(e *event.EdrEvent) (t *ProcessTrack)

func (*ActivityTracker) TargetTrackFromEvent

func (pt *ActivityTracker) TargetTrackFromEvent(e *event.EdrEvent) (t *ProcessTrack)

func (*ActivityTracker) Terminate

func (pt *ActivityTracker) Terminate(guid string) error

type Agent

// Agent is the WHIDS host agent. It owns the detection Engine, is built from
// a config.Agent by NewAgent and is driven by Run, Stop and Wait.
//
// The embedded RWMutex guards the IDS while rules are updated; because it is
// embedded, Lock/Unlock are exported on *Agent.
type Agent struct {
	sync.RWMutex // Mutex to lock the IDS when updating rules

	// Engine is the detection engine that evaluates rules against events.
	Engine   *engine.Engine
	// DryRun presumably makes the agent log actions instead of executing
	// them — confirm in the action handler.
	DryRun   bool
	// PrintAll presumably prints every event rather than only detections —
	// confirm.
	PrintAll bool
	// contains filtered or unexported fields
}

Agent structure

func NewAgent

func NewAgent(c *config.Agent) (h *Agent, err error)

NewAgent creates a new Agent object from configuration

func (*Agent) IsHIDSEvent

func (h *Agent) IsHIDSEvent(e *event.EdrEvent) bool

IsHIDSEvent returns true if the event is generated by IDS activity

func (*Agent) LogStats

func (h *Agent) LogStats()

LogStats logs whids statistics

func (*Agent) Report

func (h *Agent) Report(light bool) (r Report)

Report generates a forensic-ready report (meant to be dumped). This method is blocking, as it runs commands and waits for them to finish.

func (*Agent) Run

func (h *Agent) Run()

Run starts the WHIDS engine and waits until channel listening is stopped.

func (*Agent) Stop

func (h *Agent) Stop()

Stop stops the IDS

func (*Agent) Wait

func (h *Agent) Wait()

Wait waits for the IDS to finish.

func (*Agent) WaitWithTimeout

func (h *Agent) WaitWithTimeout(timeout time.Duration)

WaitWithTimeout waits for the IDS to finish, for at most timeout.

type ConStat

// ConStat holds the connection statistics kept per remote IP (see
// ProcStats.ConStat, UpdateCon and UpdateNetResolve).
//
// FirstSeen and LastSeen are kept as the raw timestamp strings passed to
// UpdateCon, not parsed into time.Time.
type ConStat struct {
	FirstSeen string          `json:"first-seen"`
	LastSeen  string          `json:"last-seen"`
	// Resolved is presumably keyed by the qname given to UpdateNetResolve,
	// counting resolutions — confirm.
	Resolved  map[string]uint `json:"resolved"`
	// Ports counts connections per destination port; encoding/json renders
	// the uint16 keys as strings.
	Ports     map[uint16]uint `json:"ports"`
	Count     int             `json:"count"`
}

type DriverInfo

// DriverInfo describes a loaded driver as recorded by the agent; it is built
// from an event by DriverInfoFromEvent and collected in ActivityTracker.Drivers.
//
// NOTE(review): Signed/Signature/SignatureStatus are presumably copied from
// the event as reported by the sensor, not re-verified by the agent — confirm
// before relying on them for trust decisions.
type DriverInfo struct {

	/* Public */
	Image           string            `json:"image"`
	// HashesMap is presumably keyed by hash algorithm name — confirm.
	HashesMap       map[string]string `json:"hashes"`
	Signed          bool              `json:"signed"`
	Signature       string            `json:"signature"`
	SignatureStatus string            `json:"signature-status"`
	// contains filtered or unexported fields
}

func DriverInfoFromEvent

func DriverInfoFromEvent(e *event.EdrEvent) (i *DriverInfo)

type EventStats

// EventStats tracks event-rate statistics (events per second, detections,
// elapsed time) and reports whether the rate exceeds the threshold given to
// NewEventStats for the given duration (see HasPerfIssue and
// HasCriticalPerfIssue). All fields are unexported; call Start before Update.
type EventStats struct {
	// contains filtered or unexported fields
}

func NewEventStats

func NewEventStats(tresh float64, dur time.Duration) *EventStats

func (*EventStats) CriticalEPS

func (m *EventStats) CriticalEPS() float64

func (*EventStats) Detections

func (m *EventStats) Detections() float64

func (*EventStats) Duration

func (m *EventStats) Duration() time.Duration

func (*EventStats) DynEPS

func (m *EventStats) DynEPS() float64

func (*EventStats) EPS

func (m *EventStats) EPS() float64

func (*EventStats) Events

func (m *EventStats) Events() float64

func (*EventStats) HasCriticalPerfIssue

func (m *EventStats) HasCriticalPerfIssue() bool

func (*EventStats) HasPerfIssue

func (m *EventStats) HasPerfIssue() (bool, float64)

func (*EventStats) SinceStart

func (m *EventStats) SinceStart() time.Duration

func (*EventStats) Start

func (m *EventStats) Start()

func (*EventStats) Threshold

func (m *EventStats) Threshold() float64

func (*EventStats) Update

func (m *EventStats) Update(e *event.EdrEvent)

type FileInfo

// FileInfo is the JSON-serializable description of a file found while
// walking the filesystem (see FromFSFileInfo, Hash and Path).
//
// NOTE(review): Err is an error interface tagged for JSON. encoding/json has
// no special case for error values, so a value such as the one returned by
// errors.New (no exported fields) marshals as `{}` and the message is lost.
// WalkItem.Err uses a string for the same purpose; consider the same here, or
// a MarshalJSON method — confirm how the reports are consumed.
type FileInfo struct {
	Dir     string            `json:"dir"`
	Name    string            `json:"name"`
	Size    int64             `json:"size"`
	ModTime time.Time         `json:"modtime"`
	Type    string            `json:"type"`
	// Hashes is presumably keyed by hash algorithm name and filled by Hash —
	// confirm.
	Hashes  map[string]string `json:"hashes,omitempty"`
	Err     error             `json:"error"`
}

func (*FileInfo) FromFSFileInfo

func (fi *FileInfo) FromFSFileInfo(fsfi fs.FileInfo)

func (*FileInfo) Hash

func (fi *FileInfo) Hash() error

func (*FileInfo) Path

func (fi *FileInfo) Path() string

type FileStats

// FileStats holds the file activity statistics kept per process (see
// ProcStats.Files): creation and deletion counts, the same broken down by
// extension, and the first/last timestamps of each.
type FileStats struct {
	// LastAccessed is a bounded set; presumably the most recently accessed
	// paths — confirm the RingSet contents.
	LastAccessed           *datastructs.RingSet `json:"last-accessed"`
	CountFilesCreated      int64                `json:"file-create-count"`
	CountFilesCreatedByExt map[string]int64     `json:"file-create-count-by-ext"`
	TimeFirstFileCreated   time.Time            `json:"first-file-create"`
	TimeLastFileCreated    time.Time            `json:"last-file-create"`
	CountFilesDeleted      int64                `json:"file-delete-count"`
	CountFilesDeletedByExt map[string]int64     `json:"file-delete-count-by-ext"`
	TimeFirstFileDeleted   time.Time            `json:"first-file-delete"`
	TimeLastFileDeleted    time.Time            `json:"last-file-delete"`
}

type Filter

// Filter selects the events a Hook is run on: a set of event IDs and a
// channel name (see NewFilter and Match).
type Filter struct {
	// EventIDs is the set of event IDs accepted; built from the eids slice
	// given to NewFilter.
	EventIDs *datastructs.SyncedSet
	// Channel is the event channel the filter applies to.
	Channel  string
}

Filter structure

func NewFilter

func NewFilter(eids []int64, channel string) *Filter

NewFilter creates a new Filter structure

func (*Filter) Match

func (f *Filter) Match(e *event.EdrEvent) bool

Match checks if an event matches the filter

type Hook

// Hook is a function run synchronously on an event that matches its Filter
// (see HookManager.Hook and RunHooksOn). Hooks must be quick and must never
// panic, since they run inline with the Gene scanner.
type Hook func(*Agent, *event.EdrEvent)

Hook type definition. Hooking functions are supposed to run quickly, since they run synchronously with the Gene scanner. Likewise, hooking functions should never panic the program.

type HookManager

// HookManager stores hooks together with the filters that select the events
// they run on (see Hook and RunHooksOn). Create one with NewHookMan.
//
// The embedded RWMutex makes Lock/Unlock part of the exported API. Filters
// and Hooks are presumably index-aligned (Hook appends to both) — confirm.
type HookManager struct {
	sync.RWMutex
	Filters []*Filter
	Hooks   []Hook
	// contains filtered or unexported fields
}

HookManager structure definition, to make hooks easier to handle.

func NewHookMan

func NewHookMan() *HookManager

NewHookMan creates a new HookManager structure

func (*HookManager) Hook

func (hm *HookManager) Hook(h Hook, f *Filter)

Hook registers a hook for a given filter.

func (*HookManager) RunHooksOn

func (hm *HookManager) RunHooksOn(h *Agent, e *event.EdrEvent) (ret bool)

RunHooksOn runs the hooks on a given event.

type KernelFile

// KernelFile tracks a file object seen in Microsoft-Windows-Kernel-File
// events; it is built by KernelFileFromEvent and stored in the
// ActivityTracker (AddKernelFile / GetKernelFile / DelKernelFile).
type KernelFile struct {
	FileName   string
	// FileObject is presumably the uint64 key used by GetKernelFile and
	// DelKernelFile — confirm.
	FileObject uint64
	// EventCount is presumably keyed by KernelFile* event id — confirm.
	EventCount map[int64]uint64
}

func KernelFileFromEvent

func KernelFileFromEvent(e *event.EdrEvent) (f *KernelFile)

type ModuleInfo

// ModuleInfo describes a loaded module (image) together with load
// statistics; it is built by ModuleInfoFromEvent and deduplicated through
// ActivityTracker.GetModuleOrUpdate, which merges counts via UpdateStatistics.
//
// NOTE(review): the json key `orginal-filename` is misspelled. It is a
// runtime string read by whoever consumes the report, so renaming it is a
// format change for consumers; flagged, not corrected here.
type ModuleInfo struct {
	Image            string            `json:"image"`
	FileVersion      string            `json:"file-version"`
	Description      string            `json:"description"`
	Product          string            `json:"product"`
	Company          string            `json:"company"`
	OriginalFileName string            `json:"orginal-filename"`
	// Hashes is presumably keyed by hash algorithm name — confirm.
	Hashes           map[string]string `json:"hashes"`
	Signature        string            `json:"signature"`
	SignatureStatus  string            `json:"signature-status"`
	Signed           bool              `json:"signed"`
	// Statistics
	LoadCount int64     `json:"load-count"`
	FirstLoad time.Time `json:"first-load"`
	LastLoad  time.Time `json:"last-load"`
	// contains filtered or unexported fields
}

func ModuleInfoFromEvent

func ModuleInfoFromEvent(e *event.EdrEvent) (i *ModuleInfo)

func (*ModuleInfo) Id

func (i *ModuleInfo) Id() string

func (*ModuleInfo) UpdateStatistics

func (i *ModuleInfo) UpdateStatistics(other *ModuleInfo)

type ProcStats

// ProcStats holds the per-process statistics kept on a ProcessTrack: child
// process creations, network connections and file activity. Create it with
// NewProcStats so the map is initialised.
type ProcStats struct {
	CreateProcessCount int64               `json:"create-process-count"`
	// Connections is keyed by remote IP, as used by ConStat(ip) and UpdateCon.
	Connections        map[string]*ConStat `json:"connections"`
	Files              FileStats           `json:"files"`
}

func NewProcStats

func NewProcStats() ProcStats

func (*ProcStats) ConStat

func (p *ProcStats) ConStat(ip string) *ConStat

func (*ProcStats) UpdateCon

func (p *ProcStats) UpdateCon(timestamp, ip string, port uint16)

func (*ProcStats) UpdateNetResolve

func (p *ProcStats) UpdateNetResolve(timestamp, ip, qname string)

type ProcessTrack

// ProcessTrack is the agent's record of one process and of its parent: image,
// command line, user, integrity and protection levels, signature data,
// ancestry, loaded modules, statistics and threat score. Create one with
// NewProcessTrack; the ActivityTracker stores and looks them up by GUID/PID.
//
// Several fields mirror the parent (Parent*); the public fields are those
// serialised into a Report.
type ProcessTrack struct {

	/* Public */
	Image                  string            `json:"image"`
	ParentImage            string            `json:"parent-image"`
	PID                    int64             `json:"pid"`
	CommandLine            string            `json:"command-line"`
	ParentCommandLine      string            `json:"parent-command-line"`
	CurrentDirectory       string            `json:"cwd"`
	ParentCurrentDirectory string            `json:"parent-cwd"`
	ProcessGUID            string            `json:"process-guid"`
	User                   string            `json:"user"`
	ParentUser             string            `json:"parent-user"`
	IntegrityLevel         string            `json:"integrity-lvl"`
	ParentIntegrityLevel   string            `json:"parent-integrity-lvl"`
	ParentProcessGUID      string            `json:"parent-process-guid"`
	Services               string            `json:"services"`
	ParentServices         string            `json:"parent-services"`
	// ProtectionLevel presumably holds ZeroProtectionLevel when unknown —
	// confirm.
	ProtectionLevel        uint32            `json:"protection-lvl"`
	ParentProtectionLevel  uint32            `json:"parent-protection-lvl"`
	// HashesMap is filled by SetHashes; presumably keyed by algorithm name.
	HashesMap              map[string]string `json:"hashes"`
	Signature              string            `json:"signature"`
	SignatureStatus        string            `json:"signature-status"`
	Signed                 bool              `json:"signed"`
	Ancestors              []string          `json:"ancestors"`
	// Modules holds pointers, presumably shared with the tracker's module
	// map (see GetModuleOrUpdate) — confirm before mutating entries.
	Modules                []*ModuleInfo     `json:"modules"`
	Integrity              float64           `json:"integrity"`
	IntegrityTimeout       bool              `json:"integrity-timeout"`
	MemDumped              bool              `json:"memory-dumped"`
	// DumpCount is the counter checked by ActivityTracker.CheckDumpCountOrInc.
	DumpCount              int               `json:"dump-count"`
	ChildCount             int               `json:"child-count"` // number of currently running child processes
	Stats                  ProcStats         `json:"statistics"`
	ThreatScore            ThreatScore       `json:"threat-score"`
	Terminated             bool              `json:"terminated"`
	TimeTerminated         time.Time         `json:"time-terminated"`
	// contains filtered or unexported fields
}

func NewProcessTrack

func NewProcessTrack(image, pguid, guid string, pid int64) *ProcessTrack

NewProcessTrack creates a new ProcessTrack structure, enforcing that the minimal information is encoded (image, guid, pid).

func (*ProcessTrack) IsZero

func (t *ProcessTrack) IsZero() bool

func (*ProcessTrack) SetHashes

func (t *ProcessTrack) SetHashes(hashes string)

func (*ProcessTrack) TerminateProcess

func (t *ProcessTrack) TerminateProcess() error

type Report

// Report is the forensic report produced by Agent.Report: a snapshot of the
// tracked processes, modules and drivers plus the output of the configured
// report commands, bracketed by the generation start and stop times.
//
// Processes holds ProcessTrack values, not pointers, so the report is a copy
// taken at generation time (ActivityTracker.PS returns the same map type).
// Commands are run by Report, which blocks until they complete.
type Report struct {
	Processes map[string]ProcessTrack `json:"processes"`
	Modules   []ModuleInfo            `json:"modules"`
	Drivers   []DriverInfo            `json:"drivers"`
	Commands  []config.ReportCommand  `json:"commands"`
	StartTime time.Time               `json:"start-timestamp"` // time at which report generation started
	StopTime  time.Time               `json:"stop-timestamp"`  // time at which report generation stopped
}

Report structure

type ThreatScore

// ThreatScore accumulates the detections raised on a process (see Update,
// which takes an engine.Detection). Create it with NewGeneScore so the map
// is initialised.
type ThreatScore struct {
	// Signatures counts hits per signature name — presumably keyed by the
	// detection's signature names; confirm.
	Signatures map[string]uint `json:"signatures"`
	Score      int64           `json:"score"`
}

func NewGeneScore

func NewGeneScore() ThreatScore

func (*ThreatScore) Update

func (g *ThreatScore) Update(d *engine.Detection)

type WalkItem

// WalkItem is the JSON-serializable form of one directory visited during a
// filesystem walk (see FromWalkerWalkItem): its sub-directories, its files
// and any walk error.
//
// Err is a string here, whereas FileInfo.Err is an error interface; the
// string form is the one that survives JSON encoding with its message.
type WalkItem struct {
	Dirs  []FileInfo `json:"dirs"`
	Files []FileInfo `json:"files"`
	Err   string     `json:"err"`
}

func (*WalkItem) FromWalkerWalkItem

func (wi *WalkItem) FromWalkerWalkItem(o fswalker.WalkItem)
