diff --git a/docker/helk-logstash/Dockerfile b/docker/helk-logstash/Dockerfile index c8dbc972..89c39695 100644 --- a/docker/helk-logstash/Dockerfile +++ b/docker/helk-logstash/Dockerfile @@ -11,4 +11,5 @@ LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g" LABEL description="Dockerfile base for the HELK Logstash." RUN mv /usr/share/logstash/config/logstash.yml /usr/share/logstash/config/logstash.yml.backup -COPY --chown=logstash:logstash config/logstash.yml /usr/share/logstash/config/logstash.yml \ No newline at end of file +COPY --chown=logstash:logstash config/logstash.yml /usr/share/logstash/config/logstash.yml +COPY --chown=logstash:logstash plugins/logstash-offline-plugins-6.6.1.zip /usr/share/logstash/logstash-offline-plugins-6.6.1.zip \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/0002-kafka-input.conf b/docker/helk-logstash/pipeline/0002-kafka-input.conf index 7bf65f1a..589d0247 100644 --- a/docker/helk-logstash/pipeline/0002-kafka-input.conf +++ b/docker/helk-logstash/pipeline/0002-kafka-input.conf @@ -20,6 +20,6 @@ input { session_timeout_ms => "30000" max_poll_interval_ms => "300000" ############################# - max_poll_records => "250" + max_poll_records => "500" } } \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/1523-winevent-process-name-filter.conf b/docker/helk-logstash/pipeline/1523-winevent-process-name-filter.conf new file mode 100644 index 00000000..84df954a --- /dev/null +++ b/docker/helk-logstash/pipeline/1523-winevent-process-name-filter.conf 
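Review bot: The new `COPY` of plugins/logstash-offline-plugins-6.6.1.zip brings a binary archive into the image that the entrypoint later installs with `logstash-plugin install file://...`, but nothing at build time pins or verifies its contents, so a modified zip in the repository would be installed without any signal. An integrity check right after the COPY, e.g. `RUN echo "<SHA256_OF_PLUGIN_ZIP>  /usr/share/logstash/logstash-offline-plugins-6.6.1.zip" | sha256sum -c -` with the digest committed next to the archive, makes the offline plugin set reproducible. The version-specific path is also repeated verbatim in logstash-entrypoint.sh; an `ARG`/`ENV` for the plugin pack path would keep the two in step. The file still ends without a trailing newline, as the `\ No newline at end of file` marker shows.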
@@ -0,0 +1,44 @@
+# HELK process-name-filter filter conf
+# HELK build Stage: Alpha
+# Author: Roberto Rodriguez (@Cyb3rWard0g)
+# License: GPL-3.0
+
+filter {
+ if [event_id] {
+ if [Image] {
+ mutate { add_field => { "z_logstash_pipeline" => "1523_1" } }
+ mutate { rename => { "Image" => "process_path" } }
+ }
+ if [Application] {
+ mutate { add_field => { "z_logstash_pipeline" => "1523_2" } }
+ mutate { rename => { "Application" => "process_path" } }
+ }
+ if [NewProcessName] {
+ mutate { add_field => { "z_logstash_pipeline" => "1523_3" } }
+ mutate { rename => { "NewProcessName" => "process_path" } }
+ }
+ if [ProcessName] {
+ mutate { add_field => { "z_logstash_pipeline" => "1523_4" } }
+ mutate { rename => { "ProcessName" => "process_path" }}
+ }
+ if [ParentProcessName] {
+ mutate { add_field => { "z_logstash_pipeline" => "1523_5" } }
+ mutate { rename => { "ParentProcessName" => "process_parent_path" } }
+ }
+ if [ParentImage] {
+ mutate { add_field => { "z_logstash_pipeline" => "1523_6" } }
+ mutate { rename => { "ParentImage" => "process_parent_path" } }
+ }
+ if [TargetImage] {
+ mutate { add_field => { "z_logstash_pipeline" => "1523_7" } }
+ mutate { rename => { "TargetImage" => "process_target_path" } }
+ }
+ if [SourceImage] {
+ mutate { add_field => { "z_logstash_pipeline" => "1523_8" } }
+ mutate { rename => { "SourceImage" => "process_path" } }
+ }
+ if [ProdessName] {
+ mutate { rename => { "ProdessName" => "process_path" } }
+ }
+ }
+}
\ No newline at end of file
diff --git a/docker/helk-logstash/pipeline/1523-winevent-process-name-split.conf b/docker/helk-logstash/pipeline/1523-winevent-process-name-split.conf
deleted file mode 100644
index f91be32d..00000000
--- a/docker/helk-logstash/pipeline/1523-winevent-process-name-split.conf
+++ /dev/null
@@ -1,102 +0,0 @@ -# HELK process-name-split filter conf -# HELK build Stage: Alpha -# Author: Roberto Rodriguez (@Cyb3rWard0g) -# License: GPL-3.0 - -filter { - if [event_id] { - if [Image] { - mutate { add_field => { "z_logstash_pipeline" => "1523_1" } } - if [Image] !~ /.*\\.*/ { - mutate { copy => {"Image" => "process_name"} } - } - else { - grok { - match => { "Image" => ".*\\%{GREEDYDATA:process_name}" } - tag_on_failure => [ "_Image__grokparsefailure", "_grokparsefailure", "_parsefailure" ] - } - } - } - if [Application] { - mutate { add_field => { "z_logstash_pipeline" => "1523_2" } } - if [Application] !~ /.*\\.*/ { - mutate { copy => {"Application" => "process_name"} } - } - else { - grok { - match => { "Application" => ".*\\%{GREEDYDATA:process_name}" } - tag_on_failure => [ "_Application__grokparsefailure", "_grokparsefailure", "_parsefailure" ] - } - } - } - if [NewProcessName] { - mutate { add_field => { "z_logstash_pipeline" => "1523_3" } } - if [NewProcessName] !~ /.*\\.*/ { - mutate { copy => {"NewProcessName" => "process_name"} } - } - else { - grok { - match => { "NewProcessName" => ".*\\%{GREEDYDATA:process_name}" } - tag_on_failure => [ "_NewProcessName__grokparsefailure", "_grokparsefailure", "_parsefailure" ] - } - } - } - if [ProcessName] { - mutate { add_field => { "z_logstash_pipeline" => "1523_4" } } - if [ProcessName] !~ /.*\\.*/ { - mutate { copy => {"ProcessName" => "process_name"} } - } - else { - grok { - match => { "ProcessName" => ".*\\%{GREEDYDATA:process_name}" } - tag_on_failure => [ "_ProcessName_grokparsefailure", "_grokparsefailure", "_parsefailure" ] - } - } - } - if [ParentProcessName] { - mutate { add_field => { "z_logstash_pipeline" => "1523_5" } } - if [ParentProcessName] !~ /.*\\.*/ { - mutate { copy => {"ParentProcessName" => "process_parent_name"} } - } - else { - grok { - match => { "ParentProcessName" => ".*\\%{GREEDYDATA:process_parent_name}" } - tag_on_failure => [ "_ParentProcessName_grokparsefailure", 
"_grokparsefailure", "_parsefailure" ] - } - } - } - if [ParentImage] { - mutate { add_field => { "z_logstash_pipeline" => "1523_6" } } - if [ParentImage] !~ /.*\\.*/ { - mutate { copy => {"ParentImage" => "process_parent_name"} } - } - else { - grok { - match => { "ParentImage" => ".*\\%{GREEDYDATA:process_parent_name}" } - tag_on_failure => [ "_ParentImage__grokparsefailure", "_grokparsefailure", "_parsefailure" ] - } - } - } - if [TargetImage] { - mutate { add_field => { "z_logstash_pipeline" => "1523_7" } } - if [SourceImage] !~ /.*\\.*/ { - mutate { copy => {"SourceImage" => "process_name"} } - } - else { - grok { - match => { "SourceImage" => ".*\\%{GREEDYDATA:process_name}" } - tag_on_failure => [ "_SourceImage__grokparsefailure", "_grokparsefailure", "_parsefailure" ] - } - } - if [TargetImage] !~ /.*\\.*/ { - mutate { copy => {"TargetImage" => "target_process_name"} } - } - else{ - grok { - match => { "TargetImage" => ".*\\%{GREEDYDATA:target_process_name}" } - tag_on_failure => [ "_TargetImage__grokparsefailure", "_grokparsefailure", "_parsefailure" ] - } - } - } - } -} \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/1524-winevent-process-ids-filter.conf b/docker/helk-logstash/pipeline/1524-winevent-process-ids-filter.conf new file mode 100644 index 00000000..1d800e71 --- /dev/null +++ b/docker/helk-logstash/pipeline/1524-winevent-process-ids-filter.conf 
@@ -0,0 +1,53 @@
+# HELK process-ids filter conf
+# HELK build Stage: Alpha
+# Author: Roberto Rodriguez (@Cyb3rWard0g)
+# License: GPL-3.0
+
+filter {
+ if [event_id] {
+ if [ProcessId] {
+ mutate { add_field => { "z_logstash_pipeline" => "1524_2" } }
+ mutate { rename => { "ProcessId" => "process_id" } }
+ }
+ if [NewProcessId] {
+ mutate { add_field => { "z_logstash_pipeline" => "1524_3" } }
+ mutate { rename => { "NewProcessId" => "process_id" } }
+ }
+ if [ParentProcessId] {
+ mutate { add_field => { "z_logstash_pipeline" => "1524_5" } }
+ mutate { rename => { "ParentProcessId" => "process_parent_id" } }
+ }
+ if [ProcessGuid] {
+ mutate { add_field => { "z_logstash_pipeline" => "1524_6" } }
+ mutate { rename => { "ProcessGuid" => "process_guid" } }
+ }
+ if [ParentProcessGuid] {
+ mutate { add_field => { "z_logstash_pipeline" => "1524_7" } }
+ mutate { rename => { "ParentProcessGuid" => "process_parent_guid" } }
+ }
+ if [SourceProcessGuid] {
+ mutate { add_field => { "z_logstash_pipeline" => "1524_8" } }
+ mutate { rename => { "SourceProcessGuid" => "process_guid" } }
+ }
+ if [SourceProcessGUID] {
+ mutate { add_field => { "z_logstash_pipeline" => "1524_9" } }
+ mutate { rename => { "SourceProcessGUID" => "process_guid" } }
+ }
+ if [SourceProcessId] {
+ mutate { add_field => { "z_logstash_pipeline" => "1524_11" } }
+ mutate { rename => { "SourceProcessId" => "process_id" } }
+ }
+ if [TargetProcessGuid] {
+ mutate { add_field => { "z_logstash_pipeline" => "1524_12" } }
+ mutate { rename => { "TargetProcessGuid" => "process_target_guid" } }
+ }
+ if [TargetProcessGUID] {
+ mutate { add_field => { "z_logstash_pipeline" => "1524_13" } }
+ mutate { rename => { "TargetProcessGUID" => "process_target_guid" } }
+ }
+ if [TargetProcessId] {
+ mutate { add_field => { "z_logstash_pipeline" => "1524_15" } }
+ mutate { rename => { "TargetProcessId" => "process_target_id" } }
+ }
+ }
+}
\ No newline at end of file
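Review bot: The `if [ProcessId]` branch renames ProcessId to process_id unconditionally and the very next branch renames NewProcessId to the same destination, so on Security event 4688, which carries both, the creator's ProcessId is either overwritten by the new process id or silently dropped, and the `"ProcessId" => "process_parent_id"` entry that still sits in 1532's 4688 block (context of the `@@ -370,7 +343,7 @@` hunk) can never match because ProcessId has already been consumed here, assuming the pipeline directory is loaded in lexical order as the numeric prefixes suggest. Either way the parent PID of 4688 is lost, which is the one field that ties a created process back to its creator. Handling the NewProcessId/ProcessId pair together before the generic ProcessId case keeps both values.
```conf
 if [NewProcessId] {
   mutate { add_field => { "z_logstash_pipeline" => "1524_3" } }
   mutate { rename => { "NewProcessId" => "process_id" "ProcessId" => "process_parent_id" } }
 }
 else if [ProcessId] {
   mutate { add_field => { "z_logstash_pipeline" => "1524_2" } }
   mutate { rename => { "ProcessId" => "process_id" } }
 }
 # … unchanged: ParentProcessId, GUID, Source* and Target* branches …
```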
diff --git a/docker/helk-logstash/pipeline/1531-winevent-sysmon-filter.conf b/docker/helk-logstash/pipeline/1531-winevent-sysmon-filter.conf index 8cf8303e..e86166a8 100644 --- a/docker/helk-logstash/pipeline/1531-winevent-sysmon-filter.conf +++ b/docker/helk-logstash/pipeline/1531-winevent-sysmon-filter.conf @@ -20,19 +20,10 @@ filter { source => "RuleName" field_split => "," value_split => "=" - prefix => "mitre_" + prefix => "rule_" transform_key => "lowercase" } } - if [Image] { - mutate { - rename => { - "Image" => "process_path" - "ProcessGuid" => "process_guid" - "ProcessId" => "process_id" - } - } - } if [Hashes] { kv { source => "Hashes" @@ -42,18 +33,6 @@ filter { transform_key => "lowercase" } } - if [TargetImage] { - mutate { - rename => { - "SourceImage" => "process_path" - "SourceProcessGUID" => "process_guid" - "SourceProcessId" => "process_id" - "TargetImage" => "target_process_path" - "TargetProcessGUID" => "target_process_guid" - "TargetProcessId" => "target_process_id" - } - } - } if [User] { grok { match => { "User" => "%{GREEDYDATA:user_domain}\\%{GREEDYDATA:user_name}" } @@ -66,13 +45,10 @@ filter { rename => { "CommandLine" => "process_command_line" "CurrentDirectory" => "process_current_directory" - "ParentImage" => "process_parent_path" "ParentCommandLine" => "process_parent_command_line" "IntegrityLevel" => "process_integrity_level" "LogonGuid" => "user_logon_guid" "LogonId" => "user_logon_id" - "ParentProcessGuid" => "process_parent_guid" - "ParentProcessId" => "process_parent_id" "TerminalSessionId" => "user_session_id" "FileVersion" => "file_version" "Description" => "file_description" @@ -238,7 +214,7 @@ filter { date { timezone => "UTC" match => [ "CreationUtcTime", "YYYY-MM-dd HH:mm:ss.SSS" ] - target => "@date_creation" + target => "@file_date_creation" tag_on_failure => [ "_sysmon_CreationUtcTime_datefailure", "_sysmon_datefailure", "_dateparsefailure" ] } date { 
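Review bot: Changing the kv `prefix` from `mitre_` to `rule_` renames every field derived from RuleName, and the `@date_creation` to `@file_date_creation` change in the last hunk does the same for the file creation timestamp; anything downstream keyed on the old names (index template mappings, saved searches, detection rules) stops matching without any error being raised. If those consumers live in this repository they need the same rename in the same change, and a one-line comment above the kv block stating what `key=value` pairs RuleName is expected to carry would make the prefix choice self-explanatory. The enclosing filter block starts and ends outside these hunks.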
diff --git a/docker/helk-logstash/pipeline/1532-winevent-security-filter.conf b/docker/helk-logstash/pipeline/1532-winevent-security-filter.conf index e57f2f76..38015b1c 100644 --- a/docker/helk-logstash/pipeline/1532-winevent-security-filter.conf +++ b/docker/helk-logstash/pipeline/1532-winevent-security-filter.conf @@ -28,8 +28,6 @@ filter { "SubjectUserName" => "user_name" "SubjectDomainName" => "user_domain" "SubjectLogonId" => "user_logon_id" - "ProcessId" => "process_id" - "ProcessName" => "process_path" } } } @@ -41,8 +39,6 @@ filter { "SubjectUserName" => "user_reporter_name" "SubjectDomainName" => "user_reporter_domain" "SubjectLogonId" => "reporter_logon_id" - "ProcessId" => "process_id" - "ProcessName" => "process_path" "TargetLogonId" => "user_logon_id" "LogonType" => "logon_type" "RestrictedAdminMode" => "logon_restricted_adminmode" @@ -77,8 +73,6 @@ filter { "SubjectUserName" => "user_reporter_name" "SubjectDomainName" => "user_reporter_domain" "SubjectLogonId" => "reporter_logon_id" - "ProcessId" => "process_id" - "ProcessName" => "process_path" "LogonType" => "logon_type" "TargetUserName" => "user_name" "TargetDomainName" => "user_domain" @@ -152,17 +146,14 @@ filter { "SubjectDomainName" => "user_domain" "SubjectLogonId" => "user_logon_id" "LogonGuid" => "user_logon_guid" - "TargetUserName" => "target_user_name" - "TargetDomainName" => "target_user_domain" - "ProcessId" => "process_id" - "ProcessName" => "process_path" - "TargetLogonId" => "target_user_logon_id" + "TargetUserName" => "user_target_name" + "TargetDomainName" => "user_target_domain" + "TargetLogonId" => "user_target_logon_id" "TargetServerName" => "service_host_name" "TargetInfo" => "service_host_info" - "TargetLogonGuid" => "target_user_logon_guid" + "TargetLogonGuid" => "user_target_logon_guid" "IpPort" => "src_port" } - gsub => [ "target_user_logon_guid", "[{}]", "" ] } } if [event_id] == 4656 { 
@@ -182,8 +173,6 @@ filter { "HandleId" => "object_access_handle_id" "PrivilegeList" => "object_privilege_list" "TransactionId" => "object_transaction_guid" - "ProcessId" => "process_id" - "ProcessName" => "process_path" "ResourceAttributes" => "object_resource_attributes" "RestrictedSidCount" => "object_restricted_sid_count" } @@ -201,8 +190,6 @@ filter { "ObjectValueName" => "object_value_name" "HandleId" => "object_access_handle_id" "OperationType" => "object_operation_type" - "ProcessId" => "process_id" - "ProcessName" => "process_path" "OldValueType" => "object_value_old_type" "OldValue" => "object_value_old" "NewValueType" => "object_value_new_type" @@ -218,8 +205,6 @@ filter { "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" - "ProcessId" => "process_id" - "ProcessName" => "process_path" "ObjectServer" => "object_server" "HandleId" => "object_access_handle_id" } @@ -232,14 +217,13 @@ filter { "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" - "ProcessId" => "process_id" - "ProcessName" => "process_path" "ObjectName" => "object_name" "ObjectServer" => "object_server" "ObjectType" => "object_type" "HandleId" => "object_access_handle_id" "TransactionId" => "object_transaction_guid" "AccessList" => "object_access_list_requested" + "AccessMask" => "object_access_mask_requested" } } } @@ -265,8 +249,6 @@ filter { "AdditionalInfo" => "object_additional_info" "AccessList" => "object_access_list_requested" "ResourceAttributes" => "object_resource_attributes" - "ProcessId" => "process_id" - "ProcessName" => "process_path" "AccessReason" => "object_access_reason" "PrivilegeList" => "object_privilege_list" "TransactionId" => "object_transaction_guid" 
@@ -282,8 +264,6 @@ filter { "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" - "ProcessId" => "process_id" - "ProcessName" => "process_path" "HandleId" => "object_access_handle_id" "NewSd" => "object_new_sddl" "ObjectName" => "object_name" @@ -316,8 +296,6 @@ filter { "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" - "ProcessId" => "process_id" - "ProcessName" => "process_path" } } } @@ -329,8 +307,6 @@ filter { "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" - "ProcessId" => "process_id" - "ProcessName" => "process_path" "AccessMask" => "object_access_mask_requested" "HandleId" => "object_access_handle_id" "ObjectName" => "object_name" @@ -358,9 +334,6 @@ filter { # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4688.md mutate { rename => { - "NewProcessId" => "process_id" - "NewProcessName" => "process_path" - "ParentProcessName" => "process_parent_path" "CommandLine" => "process_command_line" "SubjectDomainName" => "user_domain" "SubjectLogonId" => "user_logon_id" @@ -370,7 +343,7 @@ filter { "TargetUserSid" => "user_principal_sid" "TargetUserName" => "user_principal_name" "TargetLogonId" => "user_principal_id" - "MandatoryLabel" => "process_mandatory_level" + "MandatoryLabel" => "process_mandatory_sid" "ProcessId" => "process_parent_id" "TokenElevationType" => "process_token_elevation_type" } @@ -384,8 +357,6 @@ filter { "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" - "ProcessId" => "process_id" - "ProcessName" => "process_path" "Status" => "event_status" } } 
@@ -400,8 +371,8 @@ filter { "SubjectUserSid" => "user_sid" "SourceHandleId" => "process_handle_id" "SourceProcessId" => "process_id" - "TargetHandleId" => "target_process_handle_id" - "TargetProcessId" => "target_process_id" + "TargetHandleId" => "process_target_handle_id" + "TargetProcessId" => "process_target_id" } } } @@ -449,8 +420,6 @@ filter { "TargetUserName" => "user_target_name" "DisabledPrivilegeList" => "user_target_disabled_privilege_list" "EnabledPrivilegeList" => "user_target_enabled_privilege_list" - "ProcessId" => "process_id" - "ProcessName" => "process_path" } } } @@ -528,7 +497,7 @@ filter { } } } - if [event_id] == 4732 or [event_id] == 4733 { + if [event_id] == 4732 or [event_id] == 4733 or [event_id] == 4735 { # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4732.md # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4733.md mutate { @@ -663,9 +632,6 @@ filter { "SubjectLogonId" => "user_logon_id" "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" - "ProcessId" => "process_id" - "ProcessName" => "process_path" - "ParentProcessName" => "parent_process_path" "HandleId" => "object_access_handle_id" "NewSd" => "object_new_sddl" "ObjectName" => "object_name" @@ -675,6 +641,14 @@ filter { } } } + if [event_id] == 4956 { + # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4956.md + mutate { + rename => { + "ActiveProfile" => "firewall_active_profile" + } + } + } if [event_id] == 4957 { # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4957.md mutate { 
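Review bot: The widened condition now routes event 4735 through the 4732/4733 rename block, but the two reference comments directly below it still list only 4732 and 4733, and the rename map itself lies outside the hunk; per the Microsoft documentation 4735 (security-enabled local group changed) does not carry the member fields 4732/4733 do, so the map should be checked against that event's schema before sharing it. Add `# https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4735.md` next to the two existing links so the grouping is documented.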
@@ -701,6 +675,9 @@ filter { "Operation" => "key_operation" "ProviderName" => "key_provider_name" "ReturnCode" => "key_return_code" + "ClientCreationTime" => "process_creation_time" + "ClientProcessId" => "process_id" + "KeyFilePath" => "key_file_path" } } } @@ -754,7 +731,6 @@ filter { # https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-5158.md mutate { rename => { - "Application" => "process_path" "DestPort" => "dst_port" "Direction" => "network_direction" "FilterRTID" => "network_filter_rtid" @@ -765,7 +741,6 @@ filter { "RemoteMachineID" => "dst_host_name_id" "RemoteUserID" => "dst_user_id" "SourcePort" => "src_port" - "ProcessId" => "process_id" } } } @@ -777,6 +752,12 @@ filter { "SubjectUserName" => "user_name" "SubjectUserSid" => "user_sid" "ReadOperation" => "object_operation_type" + "ClientProcessId" => "process_id" + "TargetName" => "credentials_read" + "Type" => "credentials_read_type" + "CountOfCredentialsReturned" => "credentials_read_returned_count" + "ReturnCode" => "credentials_read_returned_code" + "ProcessCreationTime" => "process_creation_time" } } } @@ -808,7 +789,6 @@ filter { "LayerId" => "filtering_layer_id" "LayerKey" => "filtering_layer_key" "LayerName" => "filtering_layer_name" - "ProcessId" => "process_id" "ProviderKey" => "filtering_provider_key" "ProviderName" => "filtering_provider_name" "UserName" => "user_name" diff --git a/docker/helk-logstash/pipeline/1541-winevent-process-name-split.conf b/docker/helk-logstash/pipeline/1541-winevent-process-name-split.conf new file mode 100644 index 00000000..ebf11f30 --- /dev/null +++ b/docker/helk-logstash/pipeline/1541-winevent-process-name-split.conf 
@@ -0,0 +1,45 @@
+# HELK process-name-split filter conf
+# HELK build Stage: Alpha
+# Author: Rodriguez (@Cyb3rWard0g)
+# License: GPL-3.0
+
+filter {
+ if [event_id] {
+ if [process_path] {
+ mutate { add_field => { "z_logstash_pipeline" => "1541_1" } }
+ if [process_path] !~ /.*\\.*/ {
+ mutate { copy => {"process_path" => "process_name"} }
+ }
+ else {
+ grok {
+ match => { "process_path" => ".*\\%{GREEDYDATA:process_name}" }
+ tag_on_failure => [ "_process_path__grokparsefailure", "_grokparsefailure", "_parsefailure" ]
+ }
+ }
+ }
+ if [process_parent_path] {
+ mutate { add_field => { "z_logstash_pipeline" => "1541_2" } }
+ if [process_parent_path] !~ /.*\\.*/ {
+ mutate { copy => {"process_parent_path" => "process_parent_name"} }
+ }
+ else {
+ grok {
+ match => { "process_parent_path" => ".*\\%{GREEDYDATA:process_parent_name}" }
+ tag_on_failure => [ "_process_parent_path_grokparsefailure", "_grokparsefailure", "_parsefailure" ]
+ }
+ }
+ }
+ if [process_target_path] {
+ mutate { add_field => { "z_logstash_pipeline" => "1541_3" } }
+ if [process_target_path] !~ /.*\\.*/ {
+ mutate { copy => {"process_target_path" => "process_target_name"} }
+ }
+ else{
+ grok {
+ match => { "process_target_path" => ".*\\%{GREEDYDATA:process_target_name}" }
+ tag_on_failure => [ "_process_target_path__grokparsefailure", "_grokparsefailure", "_parsefailure" ]
+ }
+ }
+ }
+ }
+}
diff --git a/docker/helk-logstash/pipeline/1542-winevent-process-ids-conversions.conf b/docker/helk-logstash/pipeline/1542-winevent-process-ids-conversions.conf
new file mode 100644
index 00000000..076f7bee
--- /dev/null
+++ b/docker/helk-logstash/pipeline/1542-winevent-process-ids-conversions.conf
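Review bot: The failure tags are spelled inconsistently across the three grok blocks: `_process_path__grokparsefailure` and `_process_target_path__grokparsefailure` use a double underscore while `_process_parent_path_grokparsefailure` uses a single one, so a tag-based search for parse failures will miss one of the three; settle on one form, e.g. `_process_parent_path__grokparsefailure`. The guard `!~ /.*\\.*/` is equivalent to the simpler `!~ /\\/`, and `else{` in the third block lacks the space the other two have. The header reads `# Author: Rodriguez (@Cyb3rWard0g)` where the sibling files give the full name.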
@@ -0,0 +1,33 @@
+# HELK process-ids-conversions filter conf
+# HELK build Stage: Alpha
+# Author: Nate Guagenti (@neu5ron) Roberto Rodriguez (@Cyb3rWard0g)
+# License: GPL-3.0
+
+filter {
+ if [event_id] {
+ if [process_id] =~ /^0x/ {
+ mutate { add_field => { "z_logstash_pipeline" => "1542_1" } }
+ mutate { gsub => [ "process_id", "0x", "" ]}
+ ruby {
+ code => "event.set('process_id', event.get('process_id').to_s.hex)"
+ tag_on_exception => "_rubyexception_1542_1"
+ }
+ }
+ if [parent_process_id] =~ /^0x/ {
+ mutate { add_field => { "z_logstash_pipeline" => "1542_2" } }
+ mutate { gsub => [ "parent_process_id", "0x", "" ]}
+ ruby {
+ code => "event.set('parent_process_id', event.get('parent_process_id').to_s.hex)"
+ tag_on_exception => "_rubyexception_1542_2"
+ }
+ }
+ if [process_target_id] =~ /^0x/ {
+ mutate { add_field => { "z_logstash_pipeline" => "1542_3" } }
+ mutate { gsub => [ "process_target_id", "0x", "" ]}
+ ruby {
+ code => "event.set('process_target_id', event.get('process_target_id').to_s.hex)"
+ tag_on_exception => "_rubyexception_1542_3"
+ }
+ }
+ }
+}
diff --git a/docker/helk-logstash/pipeline/1543-winevent-conversions-process-cli-filter.conf b/docker/helk-logstash/pipeline/1543-winevent-conversions-process-cli-filter.conf
deleted file mode 100644
index 28b0cb2f..00000000
--- a/docker/helk-logstash/pipeline/1543-winevent-conversions-process-cli-filter.conf
+++ /dev/null
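Review bot: The second block tests and converts `parent_process_id`, but no filter on this page produces that field: 1524 renames ParentProcessId to `process_parent_id`, and the deleted 1543 file converted `process_parent_id` as well, so hex-encoded parent PIDs from Security events are never turned into integers and will not match the integer PIDs coming from Sysmon. Change the three references to `if [process_parent_id] =~ /^0x/ {`, `mutate { gsub => [ "process_parent_id", "0x", "" ]}` and `code => "event.set('process_parent_id', event.get('process_parent_id').to_s.hex)"`. As a smaller point, the `gsub` is unanchored and strips `0x` wherever it occurs in the value, while Ruby's `String#hex` already accepts a leading `0x`, so the gsub lines could be dropped in all three blocks.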
@@ -1,47 +0,0 @@ -# HELK winevent-conversions-process-cli filter conf -# HELK build Stage: Alpha -# Author: Nate Guagenti (@neu5ron) -# License: GPL-3.0 - -filter { - - if [event_id] { - - if [user_logon_id] =~ /^0x/ { - mutate { add_field => { "z_logstash_pipeline" => "1543_1" } } - mutate { gsub => [ "user_logon_id", "0x", "" ]} - ruby { - code => "event.set('user_logon_id', event.get('user_logon_id').to_s.hex)" - tag_on_exception => "_rubyexception_1543_1" - } - } - if [process_id] =~ /^0x/ { - mutate { add_field => { "z_logstash_pipeline" => "1543_2" } } - mutate { gsub => [ "process_id", "0x", "" ]} - ruby { - code => "event.set('process_id', event.get('process_id').to_s.hex)" - tag_on_exception => "_rubyexception_1543_2" - } - } - if [process_parent_id] =~ /^0x/ { - mutate { add_field => { "z_logstash_pipeline" => "1543_3" } } - mutate { gsub => [ "process_parent_id", "0x", "" ]} - ruby { - code => "event.set('process_parent_id', event.get('process_parent_id').to_s.hex)" - tag_on_exception => "_rubyexception_1543_3" - } - } - if [target_process_id] =~ /^0x/ { - mutate { add_field => { "z_logstash_pipeline" => "1543_4" } } - mutate { gsub => [ "target_process_id", "0x", "" ]} - ruby { - code => "event.set('target_process_id', event.get('target_process_id').to_s.hex)" - tag_on_exception => "_rubyexception_1543_4" - } - } - if [ProdessName] { - mutate { rename => { "ProdessName" => "ProcessName" } } - } - - } -} diff --git a/docker/helk-logstash/pipeline/1543-winevent-user-ids-conversions.conf b/docker/helk-logstash/pipeline/1543-winevent-user-ids-conversions.conf new file mode 100644 index 00000000..a4cc658b --- /dev/null +++ b/docker/helk-logstash/pipeline/1543-winevent-user-ids-conversions.conf 
@@ -0,0 +1,17 @@ +# HELK user-ids-conversions filter conf +# HELK build Stage: Alpha +# Author: Nate Guagenti (@neu5ron) +# License: GPL-3.0 + +filter { + if [event_id] { + if [user_logon_id] =~ /^0x/ { + mutate { add_field => { "z_logstash_pipeline" => "1543_1" } } + mutate { gsub => [ "user_logon_id", "0x", "" ]} + ruby { + code => "event.set('user_logon_id', event.get('user_logon_id').to_s.hex)" + tag_on_exception => "_rubyexception_1543_1" + } + } + } +} diff --git a/docker/helk-logstash/pipeline/1544-winevent-cleanup-other.conf b/docker/helk-logstash/pipeline/1544-winevent-cleanup-other.conf index 5d97c3a0..b40534fd 100644 --- a/docker/helk-logstash/pipeline/1544-winevent-cleanup-other.conf +++ b/docker/helk-logstash/pipeline/1544-winevent-cleanup-other.conf @@ -21,9 +21,9 @@ filter { mutate { add_field => { "z_logstash_pipeline" => "1544_4" } } mutate { gsub => [ "process_parent_guid", "[{}]", "" ] } } - if [target_process_guid] { + if [process_target_guid] { mutate { add_field => { "z_logstash_pipeline" => "1544_5" } } - mutate { gsub => [ "target_process_guid", "[{}]", "" ] } + mutate { gsub => [ "process_target_guid", "[{}]", "" ] } } if [user] { mutate { add_field => { "z_logstash_pipeline" => "1544_6" } } @@ -37,5 +37,9 @@ filter { mutate { add_field => { "z_logstash_pipeline" => "1544_8" } } mutate { remove_field => [ "host" ] } } + if [user_target_logon_guid] { + mutate { add_field => { "z_logstash_pipeline" => "1544_9" } } + mutate { gsub => [ "user_target_logon_guid", "[{}]", "" ] } + } } } \ No newline at end of file diff --git a/docker/helk-logstash/pipeline/1545-winevent-security-conversions.conf b/docker/helk-logstash/pipeline/1545-winevent-security-conversions.conf index c8b5d66f..5f3b5464 100644 --- a/docker/helk-logstash/pipeline/1545-winevent-security-conversions.conf +++ b/docker/helk-logstash/pipeline/1545-winevent-security-conversions.conf 
@@ -2,7 +2,7 @@ # HELK build Stage: Alpha # Author: Roberto Rodriguez (@Cyb3rWard0g) # License: GPL-3.0 - +# Reference: https://docs.microsoft.com/en-us/windows/desktop/SecAuthZ/well-known-sids filter { if [log_name] == "Security" { if [event_id] == 4624 { @@ -107,41 +107,6 @@ filter { } mutate { copy => { "event_status_value" => "event_status" } } } - if [event_id] == 4662 and [object_server] == "DS" { - mutate { add_field => { "z_logstash_pipeline" => "1545_3" } } - mutate { gsub => [ "object_type", "%{}", "" ] } - translate { - field => "[object_type]" - destination => "[object_type_value]" - dictionary => { - "f30e3bc2-9ff0-11d1-b603-0000f80367c1" => "Group-Policy-Container" - "19195a5b-6da0-11d0-afd3-00c04fd930c9" => "Domain-DNS" - "bf967aa5-0de6-11d0-a285-00aa003049e2" => "Organizational-Unit" - "bf967a8b-0de6-11d0-a285-00aa003049e2" => "Container" - "bf967a86-0de6-11d0-a285-00aa003049e2" => "Computer" - "2628a46a-a6ad-4ae0-b854-2b12d9fe6f9e" => "Account" - "bf967a9c-0de6-11d0-a285-00aa003049e2" => "Group" - } - fallback => "Unknown" - } - } - if [event_id] == 4688 { - mutate { add_field => { "z_logstash_pipeline" => "1545_4" } } - translate { - field => "[object_type]" - destination => "[object_type_value]" - dictionary => { - "f30e3bc2-9ff0-11d1-b603-0000f80367c1" => "Group-Policy-Container" - "19195a5b-6da0-11d0-afd3-00c04fd930c9" => "Domain-DNS" - "bf967aa5-0de6-11d0-a285-00aa003049e2" => "Organizational-Unit" - "bf967a8b-0de6-11d0-a285-00aa003049e2" => "Container" - "bf967a86-0de6-11d0-a285-00aa003049e2" => "Computer" - "2628a46a-a6ad-4ae0-b854-2b12d9fe6f9e" => "Account" - "bf967a9c-0de6-11d0-a285-00aa003049e2" => "Group" - } - fallback => "Unknown" - } - } if [event_id] == 4776 { mutate { add_field => { "z_logstash_pipeline" => "1545_5" } } translate { 
@@ -165,6 +130,52 @@ filter { } } } + if [event_id] == 4662 and [object_server] == "DS" { + mutate { add_field => { "z_logstash_pipeline" => "1545_3" } } + mutate { gsub => [ "object_type", "%{}", "" ] } + translate { + field => "[object_type]" + destination => "[object_type_value]" + dictionary => { + "f30e3bc2-9ff0-11d1-b603-0000f80367c1" => "Group-Policy-Container" + "19195a5b-6da0-11d0-afd3-00c04fd930c9" => "Domain-DNS" + "bf967aa5-0de6-11d0-a285-00aa003049e2" => "Organizational-Unit" + "bf967a8b-0de6-11d0-a285-00aa003049e2" => "Container" + "bf967a86-0de6-11d0-a285-00aa003049e2" => "Computer" + "2628a46a-a6ad-4ae0-b854-2b12d9fe6f9e" => "Account" + "bf967a9c-0de6-11d0-a285-00aa003049e2" => "Group" + } + fallback => "Unknown" + } + } + # https://social.technet.microsoft.com/Forums/windows/en-US/bf693b49-1dd5-45ee-84cf-4a417e5b35ec/run-as-admin-event-log?forum=winserverDS + if [event_id] == 4688 { + mutate { add_field => { "z_logstash_pipeline" => "1545_4" } } + translate { + field => "[process_token_elevation_type]" + destination => "[process_token_elevation_type_value]" + dictionary => { + "%%1936" => "TokenElevationTypeDefault" + "%%1937" => "TokenElevationTypeFull" + "%%1938" => "TokenElevationTypeLimited" + } + fallback => "Unknown" + } + translate { + field => "[process_mandatory_sid]" + destination => "[process_mandatory_rid_label]" + dictionary => { + "S-1-16-0" => "SECURITY_MANDATORY_UNTRUSTED_RID" + "S-1-16-4096" => "SECURITY_MANDATORY_LOW_RID" + "S-1-16-8192" => "SECURITY_MANDATORY_MEDIUM_RID" + "S-1-16-8448" => "SECURITY_MANDATORY_MEDIUM_PLUS_RID" + "S-1-16-12288" => "SECURITY_MANDATORY_HIGH_RID" + "S-1-16-16384" => "SECURITY_MANDATORY_SYSTEM_RID" + "S-1-16-20480" => "SECURITY_MANDATORY_PROTECTED_PROCESS_RID" + } + fallback => "Unknown" + } + } if [event_id] == 5061 { mutate { add_field => { "z_logstash_pipeline" => "1545_6" } } translate { 
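Review bot: The new 4688 translate blocks map raw values to constant names but give no hint what those names mean for triage, which is the reason the mapping exists; a short comment above the first translate would help, e.g. `# %%1937 (TokenElevationTypeFull) = full token with no privileges removed, i.e. UAC disabled or built-in Administrator/service account, per the Microsoft 4688 doc; the S-1-16-* SIDs are the integrity levels from the Reference link in the header`. The destination `process_mandatory_rid_label` holds the constant name rather than a level, so a name like `process_mandatory_sid_value` would read consistently with `process_token_elevation_type_value` two lines above. The enclosing `if [log_name] == "Security"` block starts before this hunk.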
diff --git a/docker/helk-logstash/plugins/logstash-offline-plugins-6.6.1.zip b/docker/helk-logstash/plugins/logstash-offline-plugins-6.6.1.zip new file mode 100644 index 00000000..5244c054 Binary files /dev/null and b/docker/helk-logstash/plugins/logstash-offline-plugins-6.6.1.zip differ diff --git a/docker/helk-logstash/scripts/logstash-entrypoint.sh b/docker/helk-logstash/scripts/logstash-entrypoint.sh index 9ee5ddbc..36071460 100755 --- a/docker/helk-logstash/scripts/logstash-entrypoint.sh +++ b/docker/helk-logstash/scripts/logstash-entrypoint.sh 
@@ -85,11 +85,14 @@ echo "[HELK-LOGSTASH-DOCKER-INSTALLATION-INFO] Checking Logstash plugins.." if ( logstash-plugin list 'prune' ) && ( logstash-plugin list 'i18n' ) && ( logstash-plugin list 'wmi' ); then echo "[HELK-LOGSTASH-DOCKER-INSTALLATION-INFO] Plugins are already installed" else - echo "[HELK-LOGSTASH-DOCKER-INSTALLATION-INFO] Installing Logstash plugins.." # logstash-plugin install logstash-filter-dns && logstash-plugin install logstash-filter-cidr && logstash-plugin install logstash-input-lumberjack && logstash-plugin install logstash-output-lumberjack && logstash-plugin install logstash-output-zabbix && logstash-plugin install logstash-filter-geoip && logstash-plugin install logstash-codec-cef && logstash-plugin install logstash-output-syslog && logstash-plugin update logstash-filter-dissect && logstash-plugin install logstash-output-kafka && logstash-plugin install logstash-input-kafka && logstash-plugin install logstash-filter-translate && logstash-plugin install logstash-filter-alter && logstash-plugin install logstash-filter-fingerprint && logstash-plugin install logstash-output-stdout && logstash-plugin install logstash-filter-prune && logstash-plugin install logstash-codec-gzip_lines && logstash-plugin install logstash-codec-avro && logstash-plugin install logstash-codec-netflow && logstash-plugin install logstash-filter-i18n && logstash-plugin install logstash-filter-environment && logstash-plugin install logstash-filter-de_dot && logstash-plugin install logstash-input-snmptrap && logstash-plugin install logstash-input-snmp && logstash-plugin install logstash-input-jdbc && logstash-plugin install logstash-input-wmi && logstash-plugin install logstash-filter-clone - logstash-plugin install logstash-filter-translate && logstash-plugin install logstash-filter-dns && logstash-plugin install logstash-filter-cidr && logstash-plugin install logstash-filter-geoip && logstash-plugin update logstash-filter-dissect && logstash-plugin install 
logstash-output-kafka && logstash-plugin install logstash-input-kafka && logstash-plugin install logstash-filter-alter && logstash-plugin install logstash-filter-fingerprint && logstash-plugin install logstash-filter-prune && logstash-plugin install logstash-codec-gzip_lines && logstash-plugin install logstash-codec-netflow && logstash-plugin install logstash-filter-i18n && logstash-plugin install logstash-filter-environment && logstash-plugin install logstash-filter-de_dot && logstash-plugin install logstash-input-wmi && logstash-plugin install logstash-filter-clone - #echo "[HELK-LOGSTASH-DOCKER-INSTALLATION-INFO] Updating Logstash plugins.." - #logstash-plugin update + echo "[HELK-LOGSTASH-DOCKER-INSTALLATION-INFO] Trying to install Logstash plugins over the Internet.." + if (logstash-plugin install logstash-filter-translate && logstash-plugin install logstash-filter-dns && logstash-plugin install logstash-filter-cidr && logstash-plugin install logstash-filter-geoip && logstash-plugin update logstash-filter-dissect && logstash-plugin install logstash-output-kafka && logstash-plugin install logstash-input-kafka && logstash-plugin install logstash-filter-alter && logstash-plugin install logstash-filter-fingerprint && logstash-plugin install logstash-filter-prune && logstash-plugin install logstash-codec-gzip_lines && logstash-plugin install logstash-codec-netflow && logstash-plugin install logstash-filter-i18n && logstash-plugin install logstash-filter-environment && logstash-plugin install logstash-filter-de_dot && logstash-plugin install logstash-input-wmi && logstash-plugin install logstash-filter-clone); then + echo "[HELK-LOGSTASH-DOCKER-INSTALLATION-INFO] Logstash plugins installed via the Internet.." + else + echo "[HELK-LOGSTASH-DOCKER-INSTALLATION-INFO] Trying to install logstash plugins from offline package.." + logstash-plugin install file:///usr/share/logstash/logstash-offline-plugins-6.6.1.zip + fi fi # ********* Setting LS_JAVA_OPTS *************** 
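Review bot: The offline fallback `logstash-plugin install file:///usr/share/logstash/logstash-offline-plugins-6.6.1.zip` is the last command of its branch and its exit status is never examined, so when it fails the container still starts with plugins missing and only a "Trying to install" line in the log; the preceding `&&` chain can also fail halfway, leaving some plugins freshly fetched from the Internet and the rest from the pack. Since the image now ships a pinned plugin pack, installing from it first and using the Internet only as a fallback gives a deterministic plugin set, and both paths should fail loudly rather than fall through. The `if ( logstash-plugin list ... )` block this sits in, and the script around it, start and end outside the hunk.
```sh
  echo "[HELK-LOGSTASH-DOCKER-INSTALLATION-INFO] Installing Logstash plugins from offline package.."
  if logstash-plugin install file:///usr/share/logstash/logstash-offline-plugins-6.6.1.zip; then
    echo "[HELK-LOGSTASH-DOCKER-INSTALLATION-INFO] Logstash plugins installed from offline package.."
  else
    echo "[HELK-LOGSTASH-DOCKER-INSTALLATION-INFO] Offline install failed, trying to install Logstash plugins over the Internet.."
    if (logstash-plugin install logstash-filter-translate && logstash-plugin install logstash-filter-dns && logstash-plugin install logstash-filter-cidr && logstash-plugin install logstash-filter-geoip && logstash-plugin update logstash-filter-dissect && logstash-plugin install logstash-output-kafka && logstash-plugin install logstash-input-kafka && logstash-plugin install logstash-filter-alter && logstash-plugin install logstash-filter-fingerprint && logstash-plugin install logstash-filter-prune && logstash-plugin install logstash-codec-gzip_lines && logstash-plugin install logstash-codec-netflow && logstash-plugin install logstash-filter-i18n && logstash-plugin install logstash-filter-environment && logstash-plugin install logstash-filter-de_dot && logstash-plugin install logstash-input-wmi && logstash-plugin install logstash-filter-clone); then
      echo "[HELK-LOGSTASH-DOCKER-INSTALLATION-INFO] Logstash plugins installed via the Internet.."
    else
      echo "[HELK-LOGSTASH-DOCKER-INSTALLATION-INFO] Logstash plugin installation failed, not starting Logstash.." >&2
      exit 1
    fi
  fi
```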
diff --git a/docker/helk_install.sh b/docker/helk_install.sh index bf6e80ed..d46e58f4 100755 --- a/docker/helk_install.sh +++ b/docker/helk_install.sh @@ -462,7 +462,7 @@ show_banner(){ echo "** HELK - THE HUNTING ELK **" echo "** **" echo "** Author: Roberto Rodriguez (@Cyb3rWard0g) **" - echo "** HELK build version: v0.1.7-alpha02242019 **" + echo "** HELK build version: v0.1.7-alpha02262019 **" echo "** HELK ELK version: 6.6.1 **" echo "** License: GPL-3.0 **" echo "**********************************************"