MHaggis · September 3, 2021 12:28
diff --git a/GrantedAccess.spl b/GrantedAccess.spl
 ```
 Author: @0x1FFFFF 
 Date: 1 September, 2021
 Goal: Enumerate the human readable permission listed in Sysmon EID 10s.
 Note: This type of logic is too heavy to run inline in a search. Use this to generate results and add to a lookup table.
 ```

 $Your_Sysmon_Logic_Here$ EventCode=10
 | stats count by GrantedAccess 

 ```Convert from Hex to Binary```
 | eval binaryMask=lower(GrantedAcces)
 | eval binaryMask=ltrim(binaryMask, "0x")
 | eval binaryMask=replace(binaryMask,"0","0000") | eval binaryMask=replace(binaryMask,"1","0001") | eval binaryMask=replace(binaryMask,"2","0010") | eval binaryMask=replace(binaryMask,"3","0011") 
 | eval binaryMask=replace(binaryMask,"4","0100") | eval binaryMask=replace(binaryMask,"5","0101") | eval binaryMask=replace(binaryMask,"6","0110") | eval binaryMask=replace(binaryMask,"7","0111") 
 | eval binaryMask=replace(binaryMask,"8","1000") | eval binaryMask=replace(binaryMask,"9","1001") | eval binaryMask=replace(binaryMask,"a","1010") | eval binaryMask=replace(binaryMask,"b","1011") 
 | eval binaryMask=replace(binaryMask,"c","1100") | eval binaryMask=replace(binaryMask,"d","1101") | eval binaryMask=replace(binaryMask,"e","1110") | eval binaryMask=replace(binaryMask,"f","1111") 

 ```Shift values right and output the full mask (i.e. 0x1 > 0001 > 00000000000000000000000000000001)```
 | eval fullMask = "00000000000000000000000000000000" | eval maskLen = 32 - len(binaryMask)  | eval binaryMask = substr(fullMask, 1, maskLen) + binaryMask

 ```Set temp var 'perms' to permission name on mask match returning true, null on false. Concat temp 'perms' to Permissions field```
 ```Note: _ is the equivalent to '.' in regex. Note 2: It is probably better to just have Permissions be a mv and individually set each member, but this works.```
 | eval perms=if(like(binaryMask, "1_______________________________"), "GENERIC_READ", "")                       | eval Permissions = perms. ","
 | eval perms=if(like(binaryMask, "_1______________________________"), "GENERIC_WRITE", "")                      | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "__1_____________________________"), "GENERIC_EXECUTE", "")                    | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "___1____________________________"), "GENERIC_ALL", "")                        | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "_______1________________________"), "ACCESS_SYSTEM_SECURITY", "")             | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "___________1____________________"), "SYNCHRONIZE", "")                        | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "____________1___________________"), "WRITE_OWNER", "")                        | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "_____________1__________________"), "WRITE_DAC", "")                          | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "______________1_________________"), "READ_CONTROL", "")                       | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "_______________1________________"), "DELETE", "")                             | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "___________11111________________"), "STANDARD_RIGHTS_ALL", "")                | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "______________1_________________"), "STANDARD_RIGHTS_EXECUTE", "")            | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "______________1_________________"), "STANDARD_RIGHTS_READ", "")               | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "____________1111________________"), "STANDARD_RIGHTS_REQUIRED", "")           | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "______________1_________________"), "STANDARD_RIGHTS_WRITE", "")              | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "___________________1____________"), "PROCESS_QUERY_LIMITED_INFORMATION", "")  | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "____________________1___________"), "PROCESS_SUSPEND_RESUME", "")             | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "_____________________1__________"), "PROCESS_QUERY_INFORMATION", "")          | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "______________________1_________"), "PROCESS_SET_INFORMATION", "")            | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "_______________________1________"), "PROCESS_SET_QUOTA", "")                  | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "________________________1_______"), "PROCESS_CREATE_PROCESS", "")             | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "_________________________1______"), "PROCESS_DUP_HANDLE", "")                 | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "__________________________1_____"), "PROCESS_VM_WRITE", "")                   | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "___________________________1____"), "PROCESS_VM_READ", "")                    | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "____________________________1___"), "PROCESS_VM_OPERATION", "")               | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "_____________________________1__"), "PROCESS_SET_SESSIONID", "")              | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "______________________________1_"), "PROCESS_CREATE_THREAD", "")              | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "_______________________________1"), "PROCESS_TERMINATE", "")                  | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "___________11111____111111111111"), "PROCESS_ALL_ACCESS_OLD", "")             | eval Permissions = Permissions. "" .perms. ","
 | eval perms=if(like(binaryMask, "___________111111111111111111111"), "PROCESS_ALL_ACCESS_NEW", "")             | eval Permissions = Permissions. "" .perms

 ```Do some multivalue hackery to clean up the Permissions string and remove null values by separating them and expanding them into individual events```
 | eval Permissions = split(Permissions, ",")
 | mvexpand Permissions
 | search Permissions!=""

 ```Re-combine the seperate events and display. This part isn't really needed, since you could store the results in a lookup with mv support, but it looks cleaner```
 | stats values(Permissions) as Permissions by GrantedAccess
 | mvcombine Permissions
 | table GrantedAccess Permissions
 | sort GrantedAccess
	```
	Author: @0x1FFFFF
	Date: 1 September, 2021
	Goal: Enumerate the human readable permission listed in Sysmon EID 10s.
	Note: This type of logic is too heavy to run inline in a search. Use this to generate results and add to a lookup table.
	```

	$Your_Sysmon_Logic_Here$ EventCode=10
	\| stats count by GrantedAccess

	```Convert from Hex to Binary```
	\| eval binaryMask=lower(GrantedAcces)
	\| eval binaryMask=ltrim(binaryMask, "0x")
	\| eval binaryMask=replace(binaryMask,"0","0000") \| eval binaryMask=replace(binaryMask,"1","0001") \| eval binaryMask=replace(binaryMask,"2","0010") \| eval binaryMask=replace(binaryMask,"3","0011")
	\| eval binaryMask=replace(binaryMask,"4","0100") \| eval binaryMask=replace(binaryMask,"5","0101") \| eval binaryMask=replace(binaryMask,"6","0110") \| eval binaryMask=replace(binaryMask,"7","0111")
	\| eval binaryMask=replace(binaryMask,"8","1000") \| eval binaryMask=replace(binaryMask,"9","1001") \| eval binaryMask=replace(binaryMask,"a","1010") \| eval binaryMask=replace(binaryMask,"b","1011")
	\| eval binaryMask=replace(binaryMask,"c","1100") \| eval binaryMask=replace(binaryMask,"d","1101") \| eval binaryMask=replace(binaryMask,"e","1110") \| eval binaryMask=replace(binaryMask,"f","1111")

	```Shift values right and output the full mask (i.e. 0x1 > 0001 > 00000000000000000000000000000001)```
	\| eval fullMask = "00000000000000000000000000000000" \| eval maskLen = 32 - len(binaryMask) \| eval binaryMask = substr(fullMask, 1, maskLen) + binaryMask

	```Set temp var 'perms' to permission name on mask match returning true, null on false. Concat temp 'perms' to Permissions field```
	```Note: _ is the equivalent to '.' in regex. Note 2: It is probably better to just have Permissions be a mv and individually set each member, but this works.```
	\| eval perms=if(like(binaryMask, "1_______________________________"), "GENERIC_READ", "") \| eval Permissions = perms. ","
	\| eval perms=if(like(binaryMask, "_1______________________________"), "GENERIC_WRITE", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "__1_____________________________"), "GENERIC_EXECUTE", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "___1____________________________"), "GENERIC_ALL", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "_______1________________________"), "ACCESS_SYSTEM_SECURITY", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "___________1____________________"), "SYNCHRONIZE", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "____________1___________________"), "WRITE_OWNER", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "_____________1__________________"), "WRITE_DAC", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "______________1_________________"), "READ_CONTROL", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "_______________1________________"), "DELETE", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "___________11111________________"), "STANDARD_RIGHTS_ALL", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "______________1_________________"), "STANDARD_RIGHTS_EXECUTE", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "______________1_________________"), "STANDARD_RIGHTS_READ", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "____________1111________________"), "STANDARD_RIGHTS_REQUIRED", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "______________1_________________"), "STANDARD_RIGHTS_WRITE", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "___________________1____________"), "PROCESS_QUERY_LIMITED_INFORMATION", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "____________________1___________"), "PROCESS_SUSPEND_RESUME", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "_____________________1__________"), "PROCESS_QUERY_INFORMATION", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "______________________1_________"), "PROCESS_SET_INFORMATION", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "_______________________1________"), "PROCESS_SET_QUOTA", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "________________________1_______"), "PROCESS_CREATE_PROCESS", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "_________________________1______"), "PROCESS_DUP_HANDLE", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "__________________________1_____"), "PROCESS_VM_WRITE", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "___________________________1____"), "PROCESS_VM_READ", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "____________________________1___"), "PROCESS_VM_OPERATION", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "_____________________________1__"), "PROCESS_SET_SESSIONID", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "______________________________1_"), "PROCESS_CREATE_THREAD", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "_______________________________1"), "PROCESS_TERMINATE", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "___________11111____111111111111"), "PROCESS_ALL_ACCESS_OLD", "") \| eval Permissions = Permissions. "" .perms. ","
	\| eval perms=if(like(binaryMask, "___________111111111111111111111"), "PROCESS_ALL_ACCESS_NEW", "") \| eval Permissions = Permissions. "" .perms

	```Do some multivalue hackery to clean up the Permissions string and remove null values by separating them and expanding them into individual events```
	\| eval Permissions = split(Permissions, ",")
	\| mvexpand Permissions
	\| search Permissions!=""

	```Re-combine the seperate events and display. This part isn't really needed, since you could store the results in a lookup with mv support, but it looks cleaner```
	\| stats values(Permissions) as Permissions by GrantedAccess
	\| mvcombine Permissions
	\| table GrantedAccess Permissions
	\| sort GrantedAccess