Skip to content

Instantly share code, notes, and snippets.

@mgreen27

mgreen27/ETW.yaml

Created January 7, 2022 08:24
Show Gist options
  • Save mgreen27/580ac7479c7fa769de028688d4752ca1 to your computer and use it in GitHub Desktop.
Save mgreen27/580ac7479c7fa769de028688d4752ca1 to your computer and use it in GitHub Desktop.
Download ZIP
ETW enrichment example
Raw
ETW.yaml
name: Custom.ETW.Testing
description: |
This artifact uses the ETW provider:
Microsoft-Windows-Kernel-File {edd08927-9cc4-4e65-b970-c2560fb5c289}
type: CLIENT_EVENT
parameters:
- name: FilePathRegex
description: "FilePath regex filter for"
default: .
- name: FilePathExclusion
description: "FilePath regex filter for"
default: 'velociraptor|Microsoft-Windows-System-Events.dll'
export: |
LET Profile = '''[
["Create", 0, [
["ShareAccess", 0, "Flags", {
"type": "uint32",
"bitmap": {
"FILE_SHARE_READ": 0,
"FILE_SHARE_WRITE": 1,
"FILE_SHARE_DELETE": 2,
}
}],
["CreateAttributes", 0, "Flags", {
"type": "uint32",
"bitmap": {
"FILE_ATTRIBUTE_READONLY":0,
"FILE_ATTRIBUTE_HIDDEN":1,
"FILE_ATTRIBUTE_SYSTEM":2,
"OLD_DOS_VOL_ID":3,
"FILE_ATTRIBUTE_DIRECTORY":4,
"FILE_ATTRIBUTE_ARCHIVE":5,
"FILE_ATTRIBUTE_DEVICE":6,
"FILE_ATTRIBUTE_NORMAL":7,
"FILE_ATTRIBUTE_TEMPORARY":8,
"FILE_ATTRIBUTE_SPARSE_FILE":9,
"FILE_ATTRIBUTE_REPARSE_POINT":10,
"FILE_ATTRIBUTE_COMPRESSED":11,
"FILE_ATTRIBUTE_OFFLINE":12,
"FILE_ATTRIBUTE_NOT_CONTENT_INDEXED":13,
"FILE_ATTRIBUTE_ENCRYPTED":14,
"FILE_ATTRIBUTE_INTEGRITY_STREAM":15,
"FILE_ATTRIBUTE_VIRTUAL":16,
"FILE_ATTRIBUTE_NO_SCRUB_DATA":17,
"FILE_ATTRIBUTE_EA":18,
"FILE_ATTRIBUTE_PINNED":19,
"FILE_ATTRIBUTE_UNPINNED":20
}
}],
["CreateOptions", 0, "Flags", {
"type": "uint32",
"bitmap": {
"FILE_DIRECTORY_FILE":0,
"FILE_WRITE_THROUGH":1,
"FILE_SEQENTIAL_ONLY":2,
"FILE_NO_INTERMEDIATE_BUFFERING":3,
"FILE_SYNCHRONOUS_IO_ALERT":4,
"FILE_SYNCHRONOUS_IO_NONALERT":5,
"FILE_NON_DIRECTORY_FILE":6,
"FILE_CREATE_TREE_CONNECTION":7,
"FILE_COMPLETE+IF_OPLOCKED":8,
"FILE_NO_EA_KNOWLEDGE":9,
"FILE_OPEN_REMOTE_INSTANCE":10,
"FILE_RANDOM_ACCESS":11,
"FILE_DELETE_ON_CLOSE":12,
"FILE_OPEN_BY_FILE_ID":13,
"FILE_OPEN_FOR_BACKUP_INTENT":14,
"FILE_NO_COMPRESSION":15,
"FILE_OPEN_REQUIRING_OPLOCK":16,
"FILE_DISALLOW_EXCLUSIVE":17,
"FILE_SESSION_AWARE":18,
"FILE_RESERVE_OPFILTER":19,
"FILE_OPEN_REPARSE_POINT":20,
"FILE_OPEN_NO_RECALL":21,
"FILE_OPEN_FOR_FREE_SPACE_QUERY":22,
"UNKNOWN":23,
}
}],
]]]
'''
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
LET RecentProcesses = SELECT * FROM fifo(query={
SELECT System.TimeStamp AS CreateTime,
EventData.ImageName AS ImageName,
int(int=EventData.ProcessID) AS Pid,
EventData.MandatoryLabel AS MandatoryLabel,
EventData.ProcessTokenElevationType AS ProcessTokenElevationType,
EventData.ProcessTokenIsElevated AS TokenIsElevated
FROM watch_etw(guid="{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}", any=0x10)
WHERE System.ID = 1
}, max_rows=1000, max_age=60)
-- Query it once to materialize the FIFO
LET _ <= SELECT * FROM RecentProcesses
LET GetProcessInfo(TargetPid,ThreadId) = SELECT *, ThreadId as ProcessThreadId
FROM switch(
-- First try to get the pid directly
a={
SELECT
Name, Pid, CreateTime,
Exe as ImageName,
CommandLine,
Username,
TokenIsElevated
FROM pslist(pid=TargetPid)
},
-- Failing this look in the FIFO for a recently started process.
b={
SELECT
basename(path=ImageName) as Name,
Pid,
CreateTime,
ImageName,
Null as CommandLine,
Null as Username,
if(condition= TokenIsElevated="0",
then= false,
else= true ) as TokenIsElevated
FROM RecentProcesses
WHERE Pid = TargetPid
LIMIT 1
})
LET Normalize(X) = regex_transform(map=dict(
`^0x(.)$`="0$1",
`^0x(.{3})$`="0$1",
`^0x(.{5})$`="0$1",
`^0x(.{7})$`="0$1",
`^0x(.{9})$`="0$1",
`^0x(.{11})$`="0$1",
`^0x(.{13})$`="0$1"), source=X, key="Normalize")
-- watch ETW provider and first round data manipulation
SELECT
System.TimeStamp AS EventTime,
System.ID as EventId,
GetProcessInfo(TargetPid=System.ProcessID,ThreadId=System.ThreadID)[0] as Process,
EventData.FileName as FilePath,
EventData.FileObject as FileObject,
--EventData.CreateOptions as CreateOptionsHex,
parse_binary(accessor='data',filename=unhex(string=Normalize(X=EventData.CreateOptions)),profile=Profile,struct='Create').CreateOptions as CreateOptions,
--EventData.CreateAttributes as CreateAttributesHex,
parse_binary(accessor='data',filename=unhex(string=Normalize(X=EventData.CreateAttributes)),profile=Profile,struct='Create').CreateAttributes as CreateAttributes,
--EventData.ShareAccess as ShareAccessHex,
parse_binary(accessor='data',filename=unhex(string=Normalize(X=EventData.ShareAccess)),profile=Profile,struct='Create').ShareAccess as ShareAccess,
EventData.IRP as IoRequestPacket,
EventData
FROM watch_etw(guid="{edd08927-9cc4-4e65-b970-c2560fb5c289}")
WHERE FilePath
AND FilePath =~ FilePathRegex
AND EventId in (10,11,12,13,20,25,26,27,28,30)
AND NOT FilePath =~ FilePathExclusion
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment