diff --git a/.github/workflows/regenerate-docs.yml b/.github/workflows/regenerate-docs.yml
index 55b99e75..d91167f8 100644
--- a/.github/workflows/regenerate-docs.yml
+++ b/.github/workflows/regenerate-docs.yml
@@ -16,6 +16,9 @@ jobs:
         with:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.head_ref }}
+      - name: Clean /docs/data_model
+        shell: bash
+        run: rm -rfv ./docs/data_model
       - name: Clean /docs/analytics
         shell: bash
         run: rm -rfv ./docs/analytics
@@ -29,6 +32,9 @@ jobs:
         cache: 'pip'
       - name: Install script dependencies
         run: pip install -r ./scripts/requirements.txt
+      - name: Regenerate datamodels
+        working-directory: ./scripts
+        run: python generate_datamodels.py
       - name: Regenerate analytics
         working-directory: ./scripts
         run: python generate_analytics.py
diff --git a/data_model/authentication.yaml b/data_model/authentication.yaml
index 130efe0e..7e1ce18f 100644
--- a/data_model/authentication.yaml
+++ b/data_model/authentication.yaml
@@ -1,6 +1,6 @@
 ---
 name: Authentication
-description: Authentication events occur whenever a user attempts to login to a system, or a user or process attempts to access a privileged system resource.
+description: An authentication event occurs whenever a user or process attempts to access a privileged system resource. Examples include logging into a system, or elevating privilege.
 actions:
   - name: success
     description: The event corresponding to an authentication service responding positively to an authentication request.
diff --git a/data_model/driver.yaml b/data_model/driver.yaml
index c76cb4f1..8daf9af8 100644
--- a/data_model/driver.yaml
+++ b/data_model/driver.yaml
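Review bot: The new `Regenerate datamodels` step runs `python generate_datamodels.py` from a checkout of `github.event.pull_request.head.repo.full_name` at `github.head_ref` (context lines of the first hunk), i.e. code supplied by the pull request, after `pip install -r ./scripts/requirements.txt` has already installed PR-supplied dependencies. Whether that matters depends on the trigger, which is outside the hunk: under `pull_request_target` this job would execute fork-controlled code with the base repository's token and secrets, so please confirm the trigger is `pull_request` (read-only token for forks) or that the job is limited to same-repository PRs, and give the job an explicit minimal `permissions:` block either way. Naming is also inconsistent between the clean step (`Clean /docs/data_model`) and the regenerate step; `- name: Regenerate data model docs` would match the `Regenerate analytics` step and the directory name.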
@@ -40,3 +40,11 @@ fields:
   - name: signature_valid
     description: Boolean indicator of whether the driver is signed and whether the signature is current and not revoked
     example: true
+coverage_map:
+  load:
+    fqdn: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    sha256_hash: ["sysmon_13"]
+    signature_valid: ["sysmon_13"]
+    signer: ["sysmon_13"]
diff --git a/data_model/email.yaml b/data_model/email.yaml
index 4deb4539..fe42a138 100644
--- a/data_model/email.yaml
+++ b/data_model/email.yaml
@@ -1,6 +1,6 @@
 ---
 name: Email
-description: Email events are at the email server level.
+description: Email events are at the mail server level.
 actions:
   - name: deliver
     description: The event corresponding to an email being sent to an end recipient.
diff --git a/data_model/file.yaml b/data_model/file.yaml
old mode 100755
new mode 100644
index 80b292db..eb8022ce
--- a/data_model/file.yaml
+++ b/data_model/file.yaml
@@ -94,3 +94,38 @@ fields:
   - name: uid
     description: The user ID or SID for the acting entity.
     example: S-1-5-18
+coverage_map:
+  create:
+    company: ["autoruns_13.98", "sysmon_13"]
+    creation_time: ["autoruns_13.98", "sysmon_13"]
+    file_name: ["autoruns_13.98"]
+    file_path: ["sysmon_13"]
+    fqdn: ["autoruns_13.98", "sysmon_13"]
+    hostname: ["autoruns_13.98"]
+    image_path: ["sysmon_13"]
+    md5_hash: ["autoruns_13.98"]
+    pid: ["sysmon_13"]
+    signer: ["sysmon_13"]
+  delete:
+    fqdn: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    uid: ["sysmon_13"]
+  modify:
+    company: ["autoruns_13.98"]
+    creation_time: ["autoruns_13.98"]
+    file_name: ["autoruns_13.98"]
+    fqdn: ["autoruns_13.98"]
+    hostname: ["autoruns_13.98"]
+    md5_hash: ["autoruns_13.98"]
+    sha256_hash: ["autoruns_13.98"]
+    signature_valid: ["autoruns_13.98"]
+    signer: ["autoruns_13.98"]
+  timestomp:
+    creation_time: ["sysmon_13"]
+    file_path: ["sysmon_13"]
+    fqdn: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    previous_creation_time: ["sysmon_13"]
+    uid: ["sysmon_13"]
diff --git a/data_model/flow.yaml b/data_model/flow.yaml
index 30f6f2c2..96ad7fde 100644
--- a/data_model/flow.yaml
+++ b/data_model/flow.yaml
@@ -90,3 +90,21 @@ fields:
   - name: uid
     description: User ID or SID of the flow-handling entity.
     example: S-1-5-18
+coverage_map:
+  start:
+    dest_hostname: ["sysmon_13"]
+    dest_ip: ["sysmon_13"]
+    dest_port: ["sysmon_13"]
+    exe: ["sysmon_13"]
+    fqdn: ["sysmon_13"]
+    hostname: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    src_fdqn: ["sysmon_13"]
+    src_hostname: ["sysmon_13"]
+    src_ip: ["sysmon_13"]
+    src_port: ["sysmon_13"]
+    start_time: ["sysmon_13"]
+    transport_protocol: ["sysmon_13"]
+    uid: ["sysmon_13"]
+    user: ["sysmon_13"]
diff --git a/data_model/module.yaml b/data_model/module.yaml
index 733fdc44..0e7475a0 100644
--- a/data_model/module.yaml
+++ b/data_model/module.yaml
@@ -46,3 +46,16 @@ fields:
   - name: signature_valid
     description: Boolean indicator of whether the signature is current and not revoked
     example: true
+coverage_map:
+  load:
+    fqdn: ["sysmon_13"]
+    hostname: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    md5_hash: ["sysmon_13"]
+    module_name: ["sysmon_13"]
+    module_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    sha1_hash: ["sysmon_13"]
+    signature_valid: ["sysmon_13"]
+    signer: ["sysmon_13"]
+    tid: ["sysmon_13"]
diff --git a/data_model/process.yaml b/data_model/process.yaml
index 90279c51..cb19890a 100644
--- a/data_model/process.yaml
+++ b/data_model/process.yaml
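Review bot: In the flow.yaml hunk the coverage_map key `src_fdqn` is misspelled; the declared field is `src_fqdn` (it is a column of the hand-maintained table this diff removes from data_model_with_sensors.md), so the Sysmon coverage for that field is silently dropped — the regenerated flow `start` row appears to carry 15 sensor cells where the old table had 16. Change the line to `src_fqdn: ["sysmon_13"]`. Because coverage_map keys and sensor ids (`sysmon_13`, `autoruns_13.98`, `osquery_4.6.0`) are free-form strings in every data_model hunk of this diff (driver, file, module, process, registry, service, socket, thread as well), `generate_datamodels.py` or a CI check should reject any coverage key that is not a declared field or action and any sensor id without a matching sensors page, so that a typo like this fails the build instead of quietly removing coverage.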
@@ -93,3 +93,27 @@ fields:
   - name: uid
     description: User ID under which original process is running.
     example: 509
+coverage_map:
+  access:
+    access_level: ["sysmon_13"]
+    call_trace: ["sysmon_13"]
+    fqdn: ["sysmon_13"]
+    guid: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    sid: ["sysmon_13"]
+    target_guid: ["sysmon_13"]
+    target_pid: ["sysmon_13"]
+    target_name: ["sysmon_13"]
+  create:
+    command_line: ["sysmon_13"]
+    current_working_directory: ["sysmon_13"]
+    fqdn: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    integrity_level: ["sysmon_13"]
+    parent_command_line: ["sysmon_13"]
+    parent_guid: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    ppid: ["sysmon_13"]
+    sha256_hash: ["sysmon_13"]
+    sid: ["sysmon_13"]
diff --git a/data_model/registry.yaml b/data_model/registry.yaml
index 3812dc76..c799c42a 100644
--- a/data_model/registry.yaml
+++ b/data_model/registry.yaml
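Review bot: The `create` coverage_map in process.yaml lists 11 fields, but the hand-maintained row it replaces in data_model_with_sensors.md (removed later in this diff) appears to mark 12 under Sysmon, the extra one being `parent_image_path`. Column alignment in that old table is easy to misread, so please confirm whether the omission is intentional and, if it is not, add `parent_image_path: ["sysmon_13"]` next to `parent_guid`.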
@@ -44,3 +44,43 @@ fields:
   - name: new_content
     description: The data within the new value, or the new name of a key, after an edit event.
     example: \%SystemRoot%\system32\svchost.exe, HKLM\SYSTEM\CurrentControlSet\services\RpcSs
+coverage_map:
+  add:
+    data: ["autoruns_13.98", "sysmon_13"]
+    fqdn: ["sysmon_13"]
+    hostname: ["autoruns_13.98"]
+    hive: ["autoruns_13.98", "sysmon_13"]
+    key: ["autoruns_13.98", "sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    type: ["autoruns_13.98"]
+    user: ["sysmon_13"]
+    value: ["autoruns_13.98"]
+  key_edit:
+    data: ["autoruns_13.98", "sysmon_13"]
+    fqdn: ["sysmon_13"]
+    hostname: ["autoruns_13.98"]
+    hive: ["autoruns_13.98", "sysmon_13"]
+    key: ["autoruns_13.98", "sysmon_13"]
+    image_path: ["sysmon_13"]
+    new_content: ["autoruns_13.98", "sysmon_13"]
+    pid: ["sysmon_13"]
+    type: ["autoruns_13.98"]
+    user: ["sysmon_13"]
+    value: ["autoruns_13.98", "sysmon_13"]
+  remove:
+    data: ["sysmon_13"]
+    fqdn: ["sysmon_13"]
+    hive: ["sysmon_13"]
+    key: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    user: ["sysmon_13"]
+  value_edit:
+    data: ["autoruns_13.98"]
+    hostname: ["autoruns_13.98"]
+    hive: ["autoruns_13.98"]
+    key: ["autoruns_13.98"]
+    new_content: ["autoruns_13.98"]
+    type: ["autoruns_13.98"]
+    value: ["autoruns_13.98"]
diff --git a/data_model/service.yaml b/data_model/service.yaml
index 61081c26..c8a98aef 100644
--- a/data_model/service.yaml
+++ b/data_model/service.yaml
@@ -43,3 +43,16 @@ fields:
   - name: uid
     description: The ID of SID of the user who acted on the service
     example: S-1-5-18
+coverage_map:
+  create:
+    command_line: ["autoruns_13.98"]
+    exe: ["autoruns_13.98"]
+    fqdn: ["autoruns_13.98"]
+    hostname: ["autoruns_13.98"]
+    image_path: ["autoruns_13.98"]
+  delete:
+    command_line: ["autoruns_13.98"]
+    exe: ["autoruns_13.98"]
+    fqdn: ["autoruns_13.98"]
+    hostname: ["autoruns_13.98"]
+    image_path: ["autoruns_13.98"]
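Review bot: The service.yaml coverage_map for `create` and `delete` omits `name`, which the removed hand-maintained table in data_model_with_sensors.md marked as covered by Autoruns alongside command_line, exe, fqdn, hostname and image_path, so the regenerated service table loses one sensor cell per action. If Autoruns does report the service name, add `name: ["autoruns_13.98"]` under both actions; if the old table was wrong, a short YAML comment such as `# name is not reported by autoruns_13.98` next to each action would stop the next reader from re-adding it.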
diff --git a/data_model/socket.yaml b/data_model/socket.yaml
index c5e3b3e9..1603eb17 100644
--- a/data_model/socket.yaml
+++ b/data_model/socket.yaml
@@ -39,3 +39,31 @@ fields:
   - name: local_path
     description: In the case that a socket is used for local interprocess communication, the socket binds to a local filepath, and will usually be visible in the filesystem. This is the case with AF_UNIX type sockets.
     example: "/tmp/foo"
+coverage_map:
+  bind:
+    family: ["osquery_4.6.0"]
+    image_path: ["osquery_4.6.0"]
+    local_address: ["osquery_4.6.0"]
+    local_port: ["osquery_4.6.0"]
+    pid: ["osquery_4.6.0"]
+    protocol: ["osquery_4.6.0"]
+    remote_address: ["osquery_4.6.0"]
+    remote_port: ["osquery_4.6.0"]
+  listen:
+    family: ["osquery_4.6.0"]
+    image_path: ["osquery_4.6.0"]
+    local_address: ["osquery_4.6.0"]
+    local_port: ["osquery_4.6.0"]
+    pid: ["osquery_4.6.0"]
+    protocol: ["osquery_4.6.0"]
+    remote_address: ["osquery_4.6.0"]
+    remote_port: ["osquery_4.6.0"]
+  close:
+    family: ["osquery_4.6.0"]
+    image_path: ["osquery_4.6.0"]
+    local_address: ["osquery_4.6.0"]
+    local_port: ["osquery_4.6.0"]
+    pid: ["osquery_4.6.0"]
+    protocol: ["osquery_4.6.0"]
+    remote_address: ["osquery_4.6.0"]
+    remote_port: ["osquery_4.6.0"]
diff --git a/data_model/thread.yaml b/data_model/thread.yaml
old mode 100755
new mode 100644
index 868c9eb1..cf28cc00
--- a/data_model/thread.yaml
+++ b/data_model/thread.yaml
@@ -56,3 +56,16 @@ fields:
   - name: uid
     description: The ID of SID of the user who directly or indirectly acted on the thread
     example: S-1-5-18
+coverage_map:
+  remote_create:
+    hostname: ["sysmon_13"]
+    src_pid: ["sysmon_13"]
+    src_tid: ["sysmon_13"]
+    start_address: ["sysmon_13"]
+    start_function: ["sysmon_13"]
+    start_module: ["sysmon_13"]
+    start_module_name: ["sysmon_13"]
+    tgt_pid: ["sysmon_13"]
+    tgt_tid: ["sysmon_13"]
+    uid: ["sysmon_13"]
+    user: ["sysmon_13"]
diff --git a/data_model/user_session.yaml b/data_model/user_session.yaml
old mode 100755
new mode 100644
diff --git a/docs/data_model/authentication.md b/docs/data_model/authentication.md
old mode 100755
new mode 100644
index ece6b8a4..0b9cf264
--- a/docs/data_model/authentication.md
+++ b/docs/data_model/authentication.md
@@ -1,45 +1,126 @@ --- title: "Authentication" --- - An authentication event occurs whenever a user or process attempts to access a privileged system resource. Examples include logging into a system, or elevating privilege. ## Actions - |Action|Description| |---|---| -|failure|The event corresponding to an authentication service responding negatively to an authentication request. -|error|The event corresponding to the case when an authentication requests results in an any kind of unexpected error. -|success|The event corresponding to an authentication service responding positively to an authentication request. +|error|The event corresponding to the case when an authentication request results in any kind of unexpected error.| +|failure|The event corresponding to an authentication service responding negatively to an authentication request.| +|success|The event corresponding to an authentication service responding positively to an authentication request.| ## Fields - |Field|Description|Example| |---|---|---| -ad_domain|Active Directory domain from which the authentication request was generated; may differ from the target_ad_domain.|`ad2.mitre.org`| -app_name|Name of the application that made the authentication request.|`ssh, win:local`| -auth_service|The name of the service that was utilized to accomplish authentication.|`Okta, ActiveDirectory`| -auth_target|machine for which authentication was requested; may be different than the host that the request is made from.|`HOST2`| -decision_reason|The justification for approving or denying an authentication request.|`password is invalid`| -fqdn|The fully qualified domain name for the host from which authentication was requested.|`HOST1.mitre.org`| -hostname|Hostname of the host from which authentication was requested.|`HOST1`| -method|The authentication method that was used.|`SMAL, Kerberos`| -response_time|Duration of time it took for an authentication response to be received.|`12ms`| -target_ad_domain|The Active Directory 
domain within which authentication was requested.|`ad.mitre.org`| -target_uid|User ID or SID for the user being authenticated.|`S-1-5-19`| -target_user|Name of the user being authenticated; this only pertains to privilage escalation events where the current user is not necessarily the same as the target user.|`HOST1\LOCALUSER2`| -target_user_role|IPAM access control role for the user being authenticated; this only pertains to privilege escalation events where the current user is not necessarily the same as the target user.|`System Administrator Role`| -target_user_type|User ID or SID for the user being authenticated.|`Administrator, Standard, Guest`| -uid|User ID for the process that initiated the authentication request.|`S-1-5-18`| -user|Name of the user that initiated the request.|`HOST1\LOCALUSER1`| -user_agent|The user agent through which the request was made.|`aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4`| -user_role|IPAM access control role for the user that initiated the authentication request.|`DNS Record Administrator Role`| -user_type|type of user that initiated the request.|`Administrator, Standard, Guest`| +ad_domain|Active Directory domain from which the authentication request was generated; may differ from the target_ad_domain.|ad2.mitre.org +app_name|Name of the application that made the authentication request|ssh, win:local +auth_service|The name of the service that was utilized to accomplish authentication|Okta, ActiveDirectory +auth_target|machine for which authentication was requested; may be different than the host that the request is made from.|HOST2 +decision_reason|The justification for approving or denying an authentication request.|password is invalid +fqdn|The fully qualified domain name for the host from which authentication was requested.|HOST1.mitre.org +hostname|Hostname of the host from which authentication was requested.|HOST1 +method|The authentication method that was used.|SMAL, Kerberos +response_time|Duration of 
time it took for an authentication response to be received.|12ms +target_ad_domain|The Active Directory domain within which authentication was requested.|ad.mitre.org +target_uid|User ID for the user being authenticated.|S-1-5-19 +target_user|Name of the user being authenticated; this only pertains to privilage escalation events where the current user is not necessarily the same as the target user.|HOST1\LOCALUSER2 +target_user_role|IPAM access control role for the user being authenticated; this only pertains to privilege escalation events where the current user is not necessarily the same as the target user.|System Administrator Role +target_user_type|type of user that was authenticated; this only pertains to privilege escalation events where the current user is not necessarily the same as the target user.|Administrator, Standard, Guest +uid|User ID for the process that initiated the authentication request.|S-1-5-18 +user|Name of the user that initiated the request.|HOST1\LOCALUSER1 +user_agent|The user agent through which the request was made.|aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4 +user_role|IPAM access control role for the user that initiated the authentication request.|DNS Record Administrator Role +user_type|type of user that initiated the request.|Administrator, Standard, Guest ## Coverage Map - -| | **ad_domain** | **app_name** | **auth_service** | **auth_target** | **decision_reason** | **fqdn** | **hostname** | **method** | **response_time** | **target_ad_domain** | **target_uid** | **target_user** | **target_user_role** | **target_user_type** | **uid** | **user** | **user_agent** | **user_role** | **user_type | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **failure** | | | | | | | | | | | | | | | | | | | | -| **error** | | | | | | | | | | | | | | | | | | | | -| **success** | | | | | | | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ ad_domainapp_nameauth_serviceauth_targetdecision_reasonfqdnhostnamemethodresponse_timetarget_ad_domaintarget_uidtarget_usertarget_user_roletarget_user_typeuiduseruser_agentuser_roleuser_type
error
failure
success
\ No newline at end of file diff --git a/docs/data_model/data_model_with_sensors.md b/docs/data_model/data_model_with_sensors.md old mode 100755 new mode 100644 index f91bcb38..03dddeae --- a/docs/data_model/data_model_with_sensors.md +++ b/docs/data_model/data_model_with_sensors.md @@ -6,108 +6,1338 @@ The **Data Model**, strongly inspired by [CybOX](https://cyboxproject.github.io/ Compare the data model's use in analytics that map to [ATT&CK](https://attack.mitre.org/). + ## [authentication](authentication) -| | **ad_domain** | **app_name** | **auth_service** | **auth_target** | **decision_reason** | **fqdn** | **hostname** | **method** | **response_time** | **target_ad_domain** | **target_uid** | **target_user** | **target_user_role** | **target_user_type** | **uid** | **user** | **user_agent** | **user_role** | **user_type | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **failure** | | | | | | | | | | | | | | | | | | | | -| **error** | | | | | | | | | | | | | | | | | | | | -| **success** | | | | | | | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ ad_domainapp_nameauth_serviceauth_targetdecision_reasonfqdnhostnamemethodresponse_timetarget_ad_domaintarget_uidtarget_usertarget_user_roletarget_user_typeuiduseruser_agentuser_roleuser_type
error
failure
success
## [driver](driver) -| | **base_address** | **fqdn** | **hostname** | **image_path** | **md5_hash** | **module_name** | **pid** | **sha1_hash** | **sha256_hash** | **signature_valid** | **signer** | -|---|---|---|---|---|---|---|---|---|---|---|---| -| **load** | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | -| **unload**| | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ base_addressfqdnhostnameimage_pathmd5_hashmodule_namepidsha1_hashsha256_hashsignature_validsigner
loadSysmonSysmonSysmonSysmonSysmonSysmon
unload
## [email](email) -| | **action_reason** | **attachment_mime_type** | **attachment_name** | **attachment_size** | **date** | **dest_address** | **dest_ip** | **dest_port** | **from** | **message_body** | **message_links** | **message_type** | **return_address** | **server_relay** | **smtp_uid** | **src_address** | **src_domain** | **src_ip** | **src_port** | **subject** | **to** | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|--|--| -| **block** | | | | | | | | | | | | | | | | | | | | | | -| **delete** | | | | | | | | | | | | | | | | | | | | | | -| **deliver** | | | | | | | | | | | | | | | | | | | | | | -| **redirect** | | | | | | | | | | | | | | | | | | | | | | -| **quarantine** | | | | | | | | | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ action_reasonattachment_mime_typeattachment_nameattachment_sizedatedest_addressdest_ipdest_portfrommessage_bodymessage_linksmessage_typereturn_addressserver_relaysmtp_uidsrc_addresssrc_domainsrc_ipsrc_portsubjectto
block
delete
deliver
quarantine
redirect
## [file](file) -| | **company** | **content** | **creation_time** | **file_extension** | **file_gid** | **file_group** | **file_name** | **file_path** | **file_uid** | **file_user** | **fqdn** | **hostname** | **image_path** | **link_target** | **md5_hash** | **mime_type** | **mode** | **pid** | **ppid** | **previous_creation_time** | **sha1_hash** | **sha256_hash** | **signature_valid** | **signer** | **uid** | **user** | -| ---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **create** | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | | | | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | | | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | | [Autoruns](../sensors/autoruns_13.98) | | | [Sysmon](../sensors/sysmon_13) | | | | | | [Sysmon](../sensors/sysmon_13) | | -| **delete** | | | | | | | | | | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | | | | | | [Sysmon](../sensors/sysmon_13) | | -| **modify** | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98) | | | | [Autoruns](../sensors/autoruns_13.98) | | | | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | | [Autoruns](../sensors/autoruns_13.98) | | | | | | | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | | -| **read** | | | | | | | | | | | | | | | | | | | | | | | | | | -| **timestomp** | | | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | -| **write** | | | | | | | | | | | | | | | | | | | | | | | | | | -| **acl_modify** | | | | | | | | | | | | | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ companycontentcreation_timeextensionfile_namefile_pathfqdngidgrouphostnameimage_pathlink_targetmd5_hashmime_typemodeownerowner_uidpidppidprevious_creation_timesha1_hashsha256_hashsignature_validsigneruiduser
acl_modify
createAutoruns SysmonAutoruns SysmonAutorunsSysmonAutoruns SysmonAutorunsSysmonAutorunsSysmonSysmon
deleteSysmonSysmonSysmonSysmon
modifyAutorunsAutorunsAutorunsAutorunsAutorunsAutorunsAutorunsAutorunsAutoruns
read
timestompSysmonSysmonSysmonSysmonSysmonSysmonSysmon
write
## [flow](flow) -| | **application_protocol** | **content** | **dest_fqdn** | **dest_hostname** | **dest_ip** | **dest_port** | **end_time** | **exe** | **fqdn** | **hostname** | **image_path** | **in_bytes** | **out_bytes** | **network_direction** | **packet_count** | **pid** | **ppid** | **proto_info** | **src_fqdn** | **src_hostname** | **src_ip** | **src_port** | **start_time** | **tcp_flags** | **transport_protocol** | **uid** | **user** | -| ---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **end** | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| **message** | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| **start** | | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13)| [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ application_protocolcontentdest_fqdndest_hostnamedest_ipdest_portend_timeexefqdnhostnameimage_pathin_bytesnetwork_directionout_bytespacket_countpidppidproto_infosrc_fqdnsrc_hostnamesrc_ipsrc_portstart_timetcp_flagstransport_protocoluiduser
end
message
startSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmon
+ +## [http](http) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ hostnamehttp_versionrequest_body_bytesrequest_body_contentrequest_referrerrequester_ip_addressresponse_body_bytesresponse_body_contentresponse_status_codeurl_domainurl_fullurl_remainderurl_schemeuser_agent_deviceuser_agent_fulluser_agent_nameuser_agent_version
get
post
put
tunnel
## [module](module) -| | **base_address** | **fqdn** | **hostname** | **image_path** | **md5_hash** | **module_name** | **module_path** | **pid** | **sha1_hash** | **sha256_hash** | **signature_valid** | **signer** | **tid** | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **load** | | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | -| **unload** | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ base_addressfqdnhostnameimage_pathmd5_hashmodule_namemodule_pathpidsha1_hashsha256_hashsignature_validsignertid
loadSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmon
unload
## [process](process) -| | **access_level** | **call_trace** | **command_line** | **current_working_directory** | **exe** | **env_vars** | **fqdn** | **guid** | **hostname** | **image_path** | **integrity_level** | **md5_hash** | **parent_command_line** | **parent_exe** | **parent_guid** | **parent_image_path** | **pid** | **ppid** | **sha1_hash** | **sha256_hash** | **sid** | **signer** | **signature_valid** | **target_address** | **target_guid** | **target_pid** | **target_name** | **user** | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **access** | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | | | | | [Sysmon](../sensors/sysmon_13) | | | | [Sysmon](../sensors/sysmon_13) | | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | -**create** | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | | [Sysmon](../sensors/sysmon_13) | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | | | | | | | -| **terminate** | | | | | | | | | | | | | | | | | | | | | | | | | | | | - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ access_levelcall_tracecommand_linecurrent_working_directoryenv_varsexefqdnguidhostnameimage_pathintegrity_levelmd5_hashparent_command_lineparent_exeparent_guidparent_image_pathpidppidsha1_hashsha256_hashsidsignature_validsignertarget_addresstarget_guidtarget_nametarget_piduiduser
accessSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmon
createSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmon
terminate
## [registry](registry) -| | **data** | **fqdn** | **hostname** | **hive** | **key** | **image_path** | **new_content** | **pid** | **type** | **user** | **value** | -|---|---|---|---|---|---|---|---|---|---|---|---| -| **add** | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)| [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | -**key_edit** | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | -| **remove** | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | -| **value_edit** | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98)| [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98)| | [Autoruns](../sensors/autoruns_13.98) | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ datafqdnhivehostnameimage_pathkeynew_contentpidtypeuservalue
addAutoruns SysmonSysmonAutoruns SysmonAutorunsSysmonAutoruns SysmonSysmonAutorunsSysmonAutoruns
key_editAutoruns SysmonSysmonAutoruns SysmonAutorunsSysmonAutoruns SysmonAutoruns SysmonSysmonAutorunsSysmonAutoruns Sysmon
removeSysmonSysmonSysmonSysmonSysmonSysmonSysmon
value_editAutorunsAutorunsAutorunsAutorunsAutorunsAutorunsAutoruns
## [service](service) -| | **command_line** | **exe** | **fqdn** | **hostname** | **image_path** | **name** | **pid** | **ppid** | **uid** | **user** | -|---|---|---|---|---|---|---|---|---|---|---| -| **create** | [Autoruns](https://car.mitre.org/wiki/Autoruns) | [Autoruns](https://car.mitre.org/wiki/Autoruns) | [Autoruns](https://car.mitre.org/wiki/Autoruns) | [Autoruns](https://car.mitre.org/wiki/Autoruns) | [Autoruns](https://car.mitre.org/wiki/Autoruns) | [Autoruns](https://car.mitre.org/wiki/Autoruns) | | | | | -| **delete** | [Autoruns](https://car.mitre.org/wiki/Autoruns) | [Autoruns](https://car.mitre.org/wiki/Autoruns) | [Autoruns](https://car.mitre.org/wiki/Autoruns) | [Autoruns](https://car.mitre.org/wiki/Autoruns) | [Autoruns](https://car.mitre.org/wiki/Autoruns) | [Autoruns](https://car.mitre.org/wiki/Autoruns) | | | | | -| **pause** | | | | | | | | | | | -| **start** | | | | | | | | | | | -| **stop** | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ command_lineexefqdnhostnameimage_pathnamepidppiduiduser
createAutorunsAutorunsAutorunsAutorunsAutoruns
deleteAutorunsAutorunsAutorunsAutorunsAutoruns
pause
start
stop
## [socket](socket) -| | **family** | **image_path** | **local_address** | **local_path** | **local_port** | **pid** | **protocol** | **remote_address** | **remote_port** | **success** | -|---|---|---|---|---|---|---|---|---|---|---| -| **bind** | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | -| **listen** | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | -| **close** | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | o[osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ familyimage_pathlocal_addresslocal_pathlocal_portpidprotocolremote_addressremote_portsuccess
bindosqueryosqueryosqueryosqueryosqueryosqueryosqueryosquery
closeosqueryosqueryosqueryosqueryosqueryosqueryosqueryosquery
listenosqueryosqueryosqueryosqueryosqueryosqueryosqueryosquery
## [thread](thread) -| | **hostname** | **src_pid** | **src_tid** | **stack_base** | **stack_limit** | **start_address** | **start_function** | **start_module** | **start_module_name** | **subprocess_tag** | **tgt_pid** | **tgt_tid** | **uid** | **user** | **user_stack_base** | **user_stack_limit** | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **create** | | | | | | | | | | | | | | | | | -| **remote_create** | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | | | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | |[Sysmon]( ../sensors/sysmon_13) |[Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | | | -| **suspend** | | | | | | | | | | | | | | | | | | -| **terminate** | | | | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ hostnamesrc_pidsrc_tidstack_basestack_limitstart_addressstart_functionstart_modulestart_module_nametgt_pidtgt_tiduiduseruser_stack_baseuser_stack_limit
create
remote_createSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmon
suspend
terminate
## [user_session](user_session) -| | **hostname** | **src_pid** | **src_tid** | **stack_base** | **stack_limit** | **start_address** | **start_function** | **start_module** | **start_module_name** | **subprocess_tag** | **tgt_pid** | **tgt_tid** | **uid** | **user** | **user_stack_base** | **user_stack_limit** | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **create** | | | | | | | | | | | | | | | | | -| **remote_create** | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | | | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | |[Sysmon]( ../sensors/sysmon_13) |[Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | | | -| **suspend** | | | | | | | | | | | | | | | | | | -| **terminate** | | | | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ dest_ipdest_porthostnamelogin_idlogin_successfullogin_typesrc_ipsrc_portuiduser
lock
login
logout
reconnect
unlock
diff --git a/docs/data_model/driver.md b/docs/data_model/driver.md
old mode 100755
new mode 100644
index 4961179d..47ba18f7
--- a/docs/data_model/driver.md
+++ b/docs/data_model/driver.md
@@ -1,35 +1,71 @@ --- title: "Driver" --- - A driver is software that runs in the operating system kernel. Drivers are generally used to allow a computer to communicate with hardware devices but have access to important kernel resources. ## Actions - |Action|Description| |---|---| |load|The event corresponding to the operating system kernel loading a driver into memory.| -|unload|The event corresponding to the operating system kernel unloading a driver from memory. +|unload|The event corresponding to the operating system kernel unloading a driver from memory.| ## Fields - |Field|Description|Example| |---|---|---| -base_address|A hex address indicating where the driver is loaded into the kernel.|`0xFFFFF8000405F000`| -fqdn|The fully qualified domain name of the host. Contains the hostname appended with the domain.|`HOST1.EXAMPLE_DOMAIN.COM`| -hostname|The hostname of the host, without the domain.|`HOST1`| -image_path|The file system location of the driver.|`C:\Windows\System32\drivers\scsiport.sys`| -md5_hash|The MD5 hash of the contents of the file located at `image_path`. The field is in hex notation, without the 0x prefix.|`5eb63bbbe01eeed093cb22bb8f5acdc3`| -module_name|The name of the driver or program.|`NvStreamKms.sys`| -pid|The Process ID that loaded or unloaded the driver.|`1533`| -sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|`2aae6c35c94fcfb415dbe95f408b9ce91ee846ed`| -sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|`68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728`| -signature_valid|Boolean indicator of whether the driver is signed and whether the signature is current and not revoked.|`True`| -signer|The name of the organization which signed the driver.|`Microsoft Corporation`| +base_address|A hex address indicating where the driver is loaded into the kernel.|18446735277684027392 +fqdn|The fully qualified domain name of the host in which the process ran. 
Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM +hostname|The hostname of the host, without the domain.|HOST1 +image_path|The file system location of the driver.|C:\Windows\System32\drivers\scsiport.sys +md5_hash|The MD5 hash of the contents of the file located at `image_path`. The field is in hex notation, without the 0x prefix.|5eb63bbbe01eeed093cb22bb8f5acdc3 +module_name|The name of the driver or program.|NvStreamKms.sys +pid|The Process ID that loaded or unloaded the driver|1533 +sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|2aae6c35c94fcfb415dbe95f408b9ce91ee846ed +sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728 +signature_valid|Boolean indicator of whether the driver is signed and whether the signature is current and not revoked|True +signer|The name of the organization which signed the driver.|Microsoft Corporation ## Coverage Map - -| | **base_address** | **fqdn** | **hostname** | **image_path** | **md5_hash** | **module_name** | **pid** | **sha1_hash** | **sha256_hash** | **signature_valid** | **signer** | -|---|---|---|---|---|---|---|---|---|---|---|---| -| **load** | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | -| **unload**| | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ base_addressfqdnhostnameimage_pathmd5_hashmodule_namepidsha1_hashsha256_hashsignature_validsigner
loadSysmonSysmonSysmonSysmonSysmonSysmon
unload
\ No newline at end of file
diff --git a/docs/data_model/email.md b/docs/data_model/email.md
old mode 100755
new mode 100644
index f9151074..96979db9
--- a/docs/data_model/email.md
+++ b/docs/data_model/email.md
@@ -1,51 +1,186 @@ --- title: "Email" --- - Email events are at the mail server level. ## Actions - |Action|Description| |---|---| -|block|The event corresponding to an email being blcoked by the email server. -|delete|The event corresponding to an email being deleted. -|deliver|The event corresponding to an email being sent to an end recipient. -|redirect|The event corresponding to an email being redirected. -|quarantine|The event corresponding to an email being qurantined for security reasons. +|block|The event corresponding to an email being blocked by the email server.| +|delete|The event corresponding to an email being deleted.| +|deliver|The event corresponding to an email being sent to an end recipient.| +|quarantine|The event corresponding to an email being quarantined for security reasons.| +|redirect|The event corresponding to an email being redirected.| ## Fields - |Field|Description|Example| |---|---|---| -action_reason|The rationale given for blocking, redirecting, or quarantining an email.|`Malformed Message`| -attachment_mime_type|The MIME type of the attachment.|`.docx`| -attachment_name|Filename of any email attachment that may exist.|`cuddly-cats.pdf`| -attachment_size|Filesize of the attachment.|`567 Kb`| -date|SMTP date header, which is actually a date time group.|`Thu Jul 18 09:30:00 PDT 2019`| -dest_address|Recipient email address, taken from the SMTP "Recipient" field.|`adam@example.com`| -dest_ip|The destination IP address for the email.|`221.174.222.111`| -dest_port|The destination port for the email.|`993`| -from|Displayed sender name from the Message Information header; can be easily forged.|`eve@trusted-advisors.com`| -message_body|Content of the email, not including subject.|`Hello World`| -message_links|URLs extracted from the email body.|`https://www.cnn.com`| -message_type|Content protocol of the message body|`html`| -return_address|Email address to which replies should be sent, also known as Return-Path or Reply-To; may differ from 
the src_address.|`eve_secondary@example.com`| -server_relay|The Received portion of the SMTP header, which provides the chain of hosts that the email passed through during delivery; each link usually contains an IP address, domain, and datetime group.|| -smtp_uid|Distinct ID used to distingquish emails.|`MN2PR09MB4876CCE7F183A83E6BA1C4C1CBF50@PP34399.prod.outlook.com`| -src_address|Email address of the sender, taken from the "Sender" SMTP field.|`eve@example.com`| -src_domain|The domain portion of the src_address.|`example.com`| -src_ip|Originating IP address.|`172.183.195.200`| -src_port|Originating port.|`1248`| -subject|Subject line of the email.|`Lo0k Younger Whl1e L0slng We19ht!!`| -to|The content of the To field in the email header; does not necessarily match up with real recipients.|`adam@example.com`| +action_reason|The rationale given for blocking, redirecting, or quarantining an email.|Malformed Message +attachment_mime_type|The MIME type of the attachment.|.docx +attachment_name|Filename of any email attachment that may exist.|cuddly-cats.pdf +attachment_size|Filesize of the attachment.|567 Kb +date|SMTP date header, which is actually a date time group.|Thu Jul 18 09:30:00 PDT 2019 +dest_address|Recipient email address, taken from the SMTP "Recipient" field.|adam@example.com +dest_ip|The destination IP address for the email.|221.174.222.111 +dest_port|The destination port for the email.|993 +from|Displayed sender name from the Message Information header; can be easily forged.|eve@trusted-advisors.com +message_body|Content of the email, not including subject.|Hello World +message_links|URLs extracted from the email body.|https://www.cnn.com +message_type|Content protocol of the message body|html +return_address|Email address to which replies should be sent, also known as Return-Path or Reply-To; may differ from the src_address.|eve_secondary@example.com +server_relay|The Received portion of the SMTP header, which provides the chain of hosts that the email 
passed through during delivery; each link usually contains an IP address, domain, and datetime group.| +smtp_uid|Distint ID used to distinguish emails.|MN2PR09MB4876CCE7F183A83E6BA1C4C1CBF50@PP34399.prod.outlook.com +src_address|Email address of the sender, taken from the "Sender" SMTP field.|eve@example.com +src_domain|The domain portion of the src_address.|example.com +src_ip|Originating IP address.|172.183.195.200 +src_port|Originating port.|1248 +subject|Subject line of the email.|Lo0k Younger Whl1e L0slng We19ht!! +to|the content of the To field in the email header; does not necessarily match up with real recipients.|adam@example.com ## Coverage Map - -| | **action_reason** | **attachment_mime_type** | **attachment_name** | **attachment_size** | **date** | **dest_address** | **dest_ip** | **dest_port** | **from** | **message_body** | **message_links** | **message_type** | **return_address** | **server_relay** | **smtp_uid** | **src_address** | **src_domain** | **src_ip** | **src_port** | **subject** | **to** | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|--|--| -| **block** | | | | | | | | | | | | | | | | | | | | | | -| **delete** | | | | | | | | | | | | | | | | | | | | | | -| **deliver** | | | | | | | | | | | | | | | | | | | | | | -| **redirect** | | | | | | | | | | | | | | | | | | | | | | -| **quarantine** | | | | | | | | | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ action_reasonattachment_mime_typeattachment_nameattachment_sizedatedest_addressdest_ipdest_portfrommessage_bodymessage_linksmessage_typereturn_addressserver_relaysmtp_uidsrc_addresssrc_domainsrc_ipsrc_portsubjectto
block
delete
deliver
quarantine
redirect
\ No newline at end of file
diff --git a/docs/data_model/file.md b/docs/data_model/file.md
old mode 100755
new mode 100644
index c0593471..cc970d4a
--- a/docs/data_model/file.md
+++ b/docs/data_model/file.md
@@ -1,60 +1,281 @@ --- title: "File" --- - A resource for storing information available to a computer program. ## Actions - |Action|Description| |---|---| -|timestomp|The modification of an attribute, such as creation time. The file metadata may change, but the contents of the file remain the same.| +|acl_modify|The event corresponding with changing permissions on a file.| |create|The event corresponding to the creation of a file.| |delete|The event corresponding to the deletion of a file.| |modify|The event corresponding to the modification of a file or its metadata.| |read|The event corresponding to the accessing of a file to be read.| +|timestomp|The modification of an attribute, such as creation time. The file metadata may change, but the contents of the file remain the same.| |write|The event corresponding to the accessing of a file in order to write new instructions or information into a file.| -|acl_modify|The event corresponding with changing permissions on a file.| ## Fields - |Field|Description|Example| |---|---|---| -|company|The name of the organization listed in the file located at `image_path`. -|content|The contents of the file.|`Hello World`| -|creation_time|The creation time of the file as described in UTC and including the date.|`05/14/2015 12:47:06`| -|extension|The file extension of the file.|`docx`| -|file_name|The name of the file.|`MyWordDoc.docx`| -|file_path|The full path to the file on the file system.|`C:\users\fakeuser\documents\MyFile.docx`| -|gid|The group ID of the file|`801`| -|group|The group owner of the file|`admin`| -|owner_uid|The user ID or SID of the owner of the file.|`501`| -|owner|The username of the owner of the file.|`adam`| -|fqdn|The fully qualified domain name of the host. 
Contains the hostname appended with the domain.|`HOST1.EXAMPLE_DOMAIN.COM`| -|hostname|The hostname of the host, without the domain.|`HOST1`| -|image_path|The file system location of the executable that is associated with the `pid` that generated this event.|`C:\Windows\system32\notepad.exe`| -|link_target|The target path of a symbolic link.|`C:\my_special_file.exe`| -|md5_hash|An MD5 hash of the contents of the file located at `image_path`. The field is in hex notation, without the 0x prefix.|`5eb63bbbe01eeed093cb22bb8f5acdc3`| -|mime_type|The MIME type of the file.|`PE`| -|mode|The mode or permissions set of the file.|`0644 (linux) or NTFS ACL`| -|pid|The process ID for the process that generated this file event, represented in decimal notation.|`738`| -|ppid|The process ID of the parent process of the process associated with this file event, represented in decimal notation.|`1860`| -|previous_creation_time|The creation_time associated with the file before it was changed for this file event.|`05/14/2015 12:47:06`| -|sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|`2aae6c35c94fcfb415dbe95f408b9ce91ee846ed`| -|sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|`68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728`| -|signer|The company listed on the certificate of the program at `image_path` if that program is signed.|`Microsoft Corporation`| -|signature_valid|Boolean indicator of whether the signature is valid; empty if file is not signed.|`True`| -|user|The user context in which the thread that caused this event was running. May be a local, domain or SYSTEM user. Formatted as "\\\\". 
Because threads are allowed to impersonate users, this may be different than the user context of the process.|`HOST1\LOCALUSER`| -|uid|The user ID or SID for the acting entity.|`S-1-5-18`| +company|The name of the organization listed in the file located at `image_path`.| +content|The contents of the file.|Hello World +creation_time|The creation time of the file as described in UTC and including the date.|05/14/2015 12:47:06 +extension|The file extension of the file.|.docx +file_name|The name of the file.|MyWordDoc.docx +file_path|The full path to the file on the file system.|C:\users\fakeuser\documents\MyFile. +fqdn|The fully qualified domain name of the host. Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM +gid|The group ID of the file.|801 +group|The group owner of the file.|admin +hostname|The hostname of the host, without the domain.|HOST1 +image_path|The file system location of the executable that is associated with the pid that generated this event.|C:\Windows\system32\notepad.exe +link_target|The target path of a symbolic link.|C:\my_special_file.exe +md5_hash|An MD5 hash of the contents of the file located at `image_path`. 
The field is in hex notation, without the 0x prefix.|5eb63bbbe01eeed093cb22bb8f5acdc3 +mime_type|The MIME type of the file.|PE +mode|The mode or permissions set of the file.|0644 (linux) or NTFS ACL +owner|The username of the owner of the file.|adam +owner_uid|The user ID of the owner of the file.|501 +pid|The process ID for the process that generated this file event, represented in decimal notation.|738 +ppid|The process ID of the parent process of the process associated with this file event, represented in decimal notation.|1860 +previous_creation_time|The creation_time associated with the file before it was changed for this file event.|05/14/2015 12:47:06 +sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|2aae6c35c94fcfb415dbe95f408b9ce91ee846ed +sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728 +signature_valid|Boolean indicator of whether the signature is valid; empty if file is not signed.|True +signer|The company listed on the certificate of the program at `image_path` if that program is signed.|Microsoft Corporation +uid|The user ID or SID for the acting entity.|S-1-5-18 +user|The user context in which the thread that caused this event was running. May be a local, domain or SYSTEM user. Formatted as \. 
Because threads are allowed to impersonate users, this may be different than the user context of the process.|HOST1\LOCALUSER ## Coverage Map - -| | **company** | **content** | **creation_time** | **file_extension** | **file_gid** | **file_group** | **file_name** | **file_path** | **file_uid** | **file_user** | **fqdn** | **hostname** | **image_path** | **link_target** | **md5_hash** | **mime_type** | **mode** | **pid** | **ppid** | **previous_creation_time** | **sha1_hash** | **sha256_hash** | **signature_valid** | **signer** | **uid** | **user** | -| ---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **create** | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | | | | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | | | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | | [Autoruns](../sensors/autoruns_13.98) | | | [Sysmon](../sensors/sysmon_13) | | | | | | [Sysmon](../sensors/sysmon_13) | | -| **delete** | | | | | | | | | | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | | | | | | [Sysmon](../sensors/sysmon_13) | | -| **modify** | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98) | | | | [Autoruns](../sensors/autoruns_13.98) | | | | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | | [Autoruns](../sensors/autoruns_13.98) | | | | | | | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | | -| **read** | | | | | | | | | | | | | | | | | | | | | | | | | | -| **timestomp** | | | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | -| **write** | | | | | | | | | | | | | | | | | | | | | | | | | | -| **acl_modify** | | | | | | | | | | | | | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ companycontentcreation_timeextensionfile_namefile_pathfqdngidgrouphostnameimage_pathlink_targetmd5_hashmime_typemodeownerowner_uidpidppidprevious_creation_timesha1_hashsha256_hashsignature_validsigneruiduser
acl_modify
createAutoruns SysmonAutoruns SysmonAutorunsSysmonAutoruns SysmonAutorunsSysmonAutorunsSysmonSysmon
deleteSysmonSysmonSysmonSysmon
modifyAutorunsAutorunsAutorunsAutorunsAutorunsAutorunsAutorunsAutorunsAutoruns
read
timestompSysmonSysmonSysmonSysmonSysmonSysmonSysmon
write
\ No newline at end of file
diff --git a/docs/data_model/flow.md b/docs/data_model/flow.md
old mode 100755
new mode 100644
index 4a484a88..9356e4d0
--- a/docs/data_model/flow.md
+++ b/docs/data_model/flow.md
@@ -1,54 +1,166 @@ --- title: "Flow" --- - A sequence of packets from a source computer to a destination, which may be another host, a multicast group, or a broadcast domain. This may be captured at network or host level. ## Actions - |Action|Description| |---|---| -|start|The event corresponding to the beginning of collection of flow data in a given time period. -|end|The event corresponding to the ending of collection of flow data in a given time period. -|message|A flow message pertains to any event between start and end when content is sent over the connection (may imply TCP). This often implies use of traffic content collected via PCAP or a similar mechanism. +|end|The event corresponding to the ending of collection of flow data in a given time period.| +|message|A flow message pertains to any event between start and end when content is sent over the connection (may imply TCP). This often implies use of traffic content collected via PCAP or a similar mechanism.| +|start|The event corresponding to the beginning of collection of flow data in a given time period.| ## Fields - |Field|Description|Example| |---|---|---| -|application_protocol|The name of the layer 7 (OSI model) protocol contained within the flow.|`HTTP`| -|content|The ASCII printable characters of the flow. This corresponds to content from PCAP data or similar formats.|`GET https://www.google.com/ HTTP/1.1`| -|dest_ip|The destination IP address of the flow.|`192.168.1.5`| -|dest_port|The destination port of the flow.|`1900`| -|dest_fqdn|The fully qualified domain name that corresponds to `dest_ip`.|`dest_example.example.com`| -|dest_hostname|The hostname that corresponds to `dest_ip`|`test-pc`| -|end_time|The datetime stamp, in UTC, when the flow ended.|`5/15/2015 03:59:53.176 AM`| -|exe|The basename of the `image_path`. This will need to be collected from the host.|`Chrome.exe`| -|fqdn|The fully qualified domain name of the host. 
Contains the hostname appended with the domain.|`HOST1.EXAMPLE_DOMAIN.COM`| -|hostname|The hostname of the active host, without the domain.|`HOST1`| -|image_path|The file system path of the process that opened the flow. This will need to be collected from the host.|`C:\path\to\example.exe`| -|in_bytes|Integer value of total number of bytes received.|`13200`| -|out_bytes|Integer value of total number of bytes sent.|`1337`| -|network_direction|Direction of the original packet of the flow initiator, relative to network perimeter.|`in (flow originated outside the network and was directed into it)`| -|packet_count|The total packet count seen at time of logging.|`4`| -|pid|The process ID of the process that owns the socket responsible for the flow, represented in decimal notation. This will need to be collected from the host.|`738`| -|ppid|The process ID for the process's parent that owns the socket responsible for the flow, represented in decimal notation. This will need to be collected from the host.|`1860`| -|proto_info|A text decoded version of traffic in the flow specific to the protocol. The application layer information from the flow parsed according to the protocol in question. 
For instance, SMB information or HTTP headers and content.|`SMB2 Write Request Len:165 Off:0 Fileusername\private\filename.pptx`, `SRVSVC NetShareGetInfo response`| -|src_ip|The source IP address of the flow.|`10.0.0.54`| -|src_port|The source port of the flow packet.|`50438`| -|src_fqdn|The fully qualified domain name that corresponds to `src_ip`.|`src_domain.example.com`| -|src_hostname|The hostname that corresponds to `src_ip`.|`src_example`| -|start_time|The starting time date stamp, in UTC, of the flow data.|`05/14/2015 11:59:59 PM`| -|tcp_flags|TCP flags.|`SYN, ACK, PSH`| -|transport_protocol|The name of the layer 4 (OSI model) network protocol contained within the flow|`TCP`| -|uid|User ID or SID of the flow-handling entity|`S-1-5-18`| -|user|The user that ran the process.|`HOST1\LOCALUSER`| - +application_protocol|Name of the layer 7 protocol contained within the flow.|HTTP +content|The ASCII printable characters of the flow. This corresponds to content from PCAP data or similar formats.|GET https://www.google.com/ HTTP/1.1 +dest_fqdn|The fully qualified domain name that corresponds to `dest_ip`.|dest_example.example.com +dest_hostname|The hostname that corresponds to `dest_ip`.|dest_example +dest_ip|The destination IP address of the flow.|192.168.1.5 +dest_port|The destination port of the flow.|192.168.1.5 +end_time|The datetime stamp, in UTC, when the flow ended.|05/15/2015 03:59:53.176 AM +exe|The basename of the `image_path`. This will need to be collected from the host.|Chrome.exe +fqdn|The fully qualified domain name of the host. Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM +hostname|The hostname of the host, without the domain.|HOST1 +image_path|The file system path of the process that opened the flow. 
This will need to be collected from the host.|C:\path\to\example.exe +in_bytes|Integer value of total number of bytes received.|13200 +network_direction|Direction of the original of the flow initiator, relative to network perimiter.|in (flow originated outside the network and was directed into it) +out_bytes|Integer value of total number of bytes sent.|1337 +packet_count|The total packet count seen at time of logging.|4 +pid|The total packet count seen at time of logging.|738 +ppid|The process ID for the process’s parent that owns the socket responsible for the flow, represented in decimal notation. This will need to be collected from the host.|1860 +proto_info|A text decoded version of traffic in the flow specific to the protocol. The application layer information from the flow parsed according to the protocol in question. For instance, SMB information or HTTP headers and content.|SMB2 Write Request Len:165 Off:0 Fileusername\private\filename.pptx, SRVSVC NetShareGetInfo response +src_fqdn|The fully qualified domain name that corresponds to `src_ip`.|src_domain.example.com +src_hostname|The hostname that corresponds to `src_ip`.|src_example +src_ip|The source IP address of the flow.|10.0.0.54 +src_port|The source port of the flow.|50438 +start_time|The starting time date stamp, in UTC, of the flow data.|05/14/2015 11:59:59 PM +tcp_flags|flags turned on in the TCP header.|ACK, PSH +transport_protocol|Layer 4 protocol contained within the flow.|TCP +uid|User ID or SID of the flow-handling entity.|S-1-5-18 +user|The user that ran the process.|HOST1\LOCALUSER ## Coverage Map - -| | **application_protocol** | **content** | **dest_fqdn** | **dest_hostname** | **dest_ip** | **dest_port** | **end_time** | **exe** | **fqdn** | **hostname** | **image_path** | **in_bytes** | **out_bytes** | **network_direction** | **packet_count** | **pid** | **ppid** | **proto_info** | **src_fqdn** | **src_hostname** | **src_ip** | **src_port** | **start_time** | **tcp_flags** | 
**transport_protocol** | **uid** | **user** | -| ---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **end** | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| **message** | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| **start** | | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13)| [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ application_protocolcontentdest_fqdndest_hostnamedest_ipdest_portend_timeexefqdnhostnameimage_pathin_bytesnetwork_directionout_bytespacket_countpidppidproto_infosrc_fqdnsrc_hostnamesrc_ipsrc_portstart_timetcp_flagstransport_protocoluiduser
end
message
startSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmon
\ No newline at end of file
diff --git a/docs/data_model/http.md b/docs/data_model/http.md
index 34dc04fd..463c1ada 100644
--- a/docs/data_model/http.md
+++ b/docs/data_model/http.md
@@ -1,45 +1,137 @@ --- -title: "File" +title: "HTTP" --- - HTTP events represents requests made over the network via the HTTP protocol. ## Actions - |Action|Description| |---|---| -|get|The event corresponding to an HTTP GET request. -|post|The event corresponding to an HTTP POST request. -|put|The event corresponding to an HTTP PUT request. -|tunnel|The event corresponding to an HTTP TUNNEL request. +|get|The event corresponding to an HTTP GET request.| +|post|The event corresponding to an HTTP POST request.| +|put|The event corresponding to an HTTP PUT request.| +|tunnel|The event corresponding to an HTTP TUNNEL request.| ## Fields - |Field|Description|Example| |---|---|---| -|hostname|hostname on which the request was seen.|HOST1 -|request_body_bytes|Integer value corresponding to the total number of bytes in the request.|180 -|http_version|HTTP version that is specified in the header.|1.1 -|request_body_content|Body of the HTTP request; usually specifies the exact content being requested.|varies as content is unique. If referrer is http://cnn.com as in example below, expect the body content to likely be an article from CNN. 
-|request_referrer|The URL from which the request was referred, if applicable.|http://cnn.com -|requester_ip_address|IP address from which the request was made.|151.101.131.5 -|response_body_types|Integer value corresponding to the total number of bytes in the response.|2910 -|response_body_content|Content of the response (does not include header).| -|response_status_code|HTTP protocol status code in response header|200 -|url_full|URL to which the HTTP request was sent|https://www.mitre.org/about/corporate-overview -|url_domain|Domain portion of the URL.|www.mitre.org -|url_remainder|the path after the root domain|/about/corporate-overview -|url_scheme|type of user that initiated the request.|https -|user_agent_full| User agent string associated with the request|HOST1\LOCALUSER1 -|user_agent_name|The user agent through which the request was made.|"Mozilla/5.0 (Linux; Android 7.0; SM-G930VC Build/NRD90M; wv)
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/58.0.3029.83 Mobile Safari/537.36" -|user_agent_device|Device type from which request was made, identified by user_agent substring|SM-G930VC (Samgsung Galaxy S7) -|user_agent_version|User Agent Version. Note that some User Agent strings may not label versions in the same way.|4.0 +hostname|hostname on which the request was seen.|HOST1 +http_version|HTTP version that is specified in the header.|1.1 +request_body_bytes|Integer value corresponding to the total number of bytes in the request.|180 +request_body_content|Body of the HTTP request; usually specifies the exact content being requested.| +request_referrer|The URL from which the request was referred, if applicable.|http://cnn.com +requester_ip_address|IP address from which the request was made.|10.0.211.200 +response_body_bytes|Integer value corresponding to the total number of bytes in the response.|2910 +response_body_content|Content of the response (does not include header).| +response_status_code|HTTP protocol status code in response header|200 +url_domain|Domain portion of the URL.|www.mitre.org +url_full|URL to which the HTTP request was sent|https://www.mitre.org/about/corporate-overview +url_remainder|the path after the root domain|/about/corporate-overview +url_scheme|type of user that initiated the request.|https +user_agent_device|Device type from which request was made, identified by user_agent substring|SM-G930VC (Samgsung Galaxy S7) +user_agent_full|User agent string associated with the request|HOST1\LOCALUSER1 +user_agent_name|The user agent through which the request was made.|Mozilla/5.0 (Linux; Android 7.0; SM-G930VC Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/58.0.3029.83 Mobile Safari/537.36 +user_agent_version|User Agent Version. 
Note that some User Agent strings may not label versions in the same way.|4.0 ## Coverage Map - -| | **hostname** | **request_body_bytes** | **http_version** | **request_body_content** | **request_referrer** | **requester_ip_address** | **response_body_types** | **response_body_content** | **response_status_codes** | **url_full** | **url_domain** | **url_remainder** | **url_scheme** | **user_agent_full** | **user_agent_device** | **user_agent_version** | -| --- | --- | ---| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | -| **get** | | | | | | | | | | | | | | | | | -| **post** | | | | | | | | | | | | | | | | | -| **put** | | | | | | | | | | | | | | | | | -| **tunnel** | | | | | | | | | | | | | | | | | \ No newline at end of file + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ hostnamehttp_versionrequest_body_bytesrequest_body_contentrequest_referrerrequester_ip_addressresponse_body_bytesresponse_body_contentresponse_status_codeurl_domainurl_fullurl_remainderurl_schemeuser_agent_deviceuser_agent_fulluser_agent_nameuser_agent_version
get
post
put
tunnel
\ No newline at end of file
diff --git a/docs/data_model/index.md b/docs/data_model/index.md
old mode 100755
new mode 100644
index 3c89bfcc..9dcea2bd
--- a/docs/data_model/index.md
+++ b/docs/data_model/index.md
@@ -8,19 +8,19 @@ The Data Model, strongly inspired by [CybOX](https://cyboxproject.github.io/), i
 |Object|Actions|Fields|
 |---|---|---|
-|**[authentication](authentication)**|`error`
`failure`
`success`|`ad_domain`
`app_name`
`auth_service`
`auth_target`
`decision_reason`
`fqdn`
`hostname`
`fqdn`
`method`
`response_time`
`target_ad_domain`
`target_uid`
`target_user`
`target_user_role`
`target_user_type`
`uid`
`user`
`user_agent`
`user_role`| -|**[driver](driver)**|`load`
`unload`|`base_address`
`fqdn`
`hostname`
`image_path`
`md5_hash`
`module_name`
`pid`
`sha1_hash`
`sha256_hash`
`signer`
`signature_valid`| -|**[email](email)**|`block`
`delete`
`deliver`
`redirect`
`quarantine`|`action_reason`
`attachment_mime_type`
`attachment_name`
`attachment_size`
`date`
`dest_address`
`dest_ip`
`dest_port`
`from`
`message_body`
`message_links`
`message_type`
`return_address`
`server_relay`
`smtp_uid`
`src_address`
`src_domain`
`src_ip`
`src_port`
`subject`
`to`| -|**[file](file)**|`acl_modify`
`create`
`delete`
`modify`
`read`
`timestomp`
`write`|`content`
`company`
`creation_time`
`file_name`
`file_path`
`file_uid`
`file_user`
`file_extension`
`file_gid`
`file_gid`
`fqdn`
`hostname`
`image_path`
`link_target`
`md5_hash`
`mime_type`
`pid`
`ppid`
`previous_creation_time`
`sha1_hash`
`sha256_hash`
`signer`
`signature_valid`
`uid`
`user`| -|**[flow](flow)**|`end`
`message`
`start`|`application_protocol`
`content`
`dest_fqdn`
`dest_hostname`
`dest_ip`
`dest_port`
`end_time`
`exe`
`fqdn`
`hostname`
`image_path`
`in_bytes`
`network_direction`
`out_bytes`
`packet_count`
`pid`
`ppid`
`proto_info`
`protocol`
`src_fqdn`
`src_hostname`
`src_ip`
`src_port`
`start_time`
`tcp_flags`
`transport_protocol`
`uid`
`user`| -|**[http](http)**|`get`
`post`
`put`
`tunnel`|`hostname`
`http_version`
`response_body_bytes`
`response_body_content`
`response_status_code`
`request_body_bytes`
`request_body_content`
`request_referrer`
`requester_ip_address`
`url_full`
`url_domain`
`url_remainder`
`url_scheme`
`user_agent_full`
`user_agent_name`
`user_agent_device`
`user_agent_version`| -|**[module](module)**|`load`
`unload`|`base_address`
`fqdn`
`hostname`
`image_path`
`md5_hash`
`module_name`
`module_path`
`pid`
`sha1_hash`
`sha256_hash`
`signer`
`tid`
`signature_valid`| -|**[process](process)**|`access`
`create`
`terminate`|`access_level`
`call_trace`
`command_line`
`current_working_directory`
`env_vars`
`exe`
`fqdn`
`guid`
`hostname`
`integrity_level`
`image_path`
`md5_hash`
`parent_command_line`
`parent_exe`
`parent_guid`
`parent_image_path`
`pid`
`ppid`
`sha1_hash`
`sha256_hash`
`sid`
`signature_valid`
`signer`
`target_address`
`target_guid`
`taget_name`
`target_pid`
`uid`
`user`| -|**[registry](registry)**|`add`
`remove`
`key_edit`
`value_edit`|`data`
`fqdn`
`hive`
`hostname`
`image_path`
`key`
`pid`
`new_content`
`type`
`user`
`value`| +|**[authentication](authentication)**|`error`
`failure`
`success`|`ad_domain`
`app_name`
`auth_service`
`auth_target`
`decision_reason`
`fqdn`
`hostname`
`method`
`response_time`
`target_ad_domain`
`target_uid`
`target_user`
`target_user_role`
`target_user_type`
`uid`
`user`
`user_agent`
`user_role`
`user_type`| +|**[driver](driver)**|`load`
`unload`|`base_address`
`fqdn`
`hostname`
`image_path`
`md5_hash`
`module_name`
`pid`
`sha1_hash`
`sha256_hash`
`signature_valid`
`signer`| +|**[email](email)**|`block`
`delete`
`deliver`
`quarantine`
`redirect`|`action_reason`
`attachment_mime_type`
`attachment_name`
`attachment_size`
`date`
`dest_address`
`dest_ip`
`dest_port`
`from`
`message_body`
`message_links`
`message_type`
`return_address`
`server_relay`
`smtp_uid`
`src_address`
`src_domain`
`src_ip`
`src_port`
`subject`
`to`| +|**[file](file)**|`acl_modify`
`create`
`delete`
`modify`
`read`
`timestomp`
`write`|`company`
`content`
`creation_time`
`extension`
`file_name`
`file_path`
`fqdn`
`gid`
`group`
`hostname`
`image_path`
`link_target`
`md5_hash`
`mime_type`
`mode`
`owner`
`owner_uid`
`pid`
`ppid`
`previous_creation_time`
`sha1_hash`
`sha256_hash`
`signature_valid`
`signer`
`uid`
`user`| +|**[flow](flow)**|`end`
`message`
`start`|`application_protocol`
`content`
`dest_fqdn`
`dest_hostname`
`dest_ip`
`dest_port`
`end_time`
`exe`
`fqdn`
`hostname`
`image_path`
`in_bytes`
`network_direction`
`out_bytes`
`packet_count`
`pid`
`ppid`
`proto_info`
`src_fqdn`
`src_hostname`
`src_ip`
`src_port`
`start_time`
`tcp_flags`
`transport_protocol`
`uid`
`user`| +|**[http](http)**|`get`
`post`
`put`
`tunnel`|`hostname`
`http_version`
`request_body_bytes`
`request_body_content`
`request_referrer`
`requester_ip_address`
`response_body_bytes`
`response_body_content`
`response_status_code`
`url_domain`
`url_full`
`url_remainder`
`url_scheme`
`user_agent_device`
`user_agent_full`
`user_agent_name`
`user_agent_version`| +|**[module](module)**|`load`
`unload`|`base_address`
`fqdn`
`hostname`
`image_path`
`md5_hash`
`module_name`
`module_path`
`pid`
`sha1_hash`
`sha256_hash`
`signature_valid`
`signer`
`tid`| +|**[process](process)**|`access`
`create`
`terminate`|`access_level`
`call_trace`
`command_line`
`current_working_directory`
`env_vars`
`exe`
`fqdn`
`guid`
`hostname`
`image_path`
`integrity_level`
`md5_hash`
`parent_command_line`
`parent_exe`
`parent_guid`
`parent_image_path`
`pid`
`ppid`
`sha1_hash`
`sha256_hash`
`sid`
`signature_valid`
`signer`
`target_address`
`target_guid`
`target_name`
`target_pid`
`uid`
`user`| +|**[registry](registry)**|`add`
`key_edit`
`remove`
`value_edit`|`data`
`fqdn`
`hive`
`hostname`
`image_path`
`key`
`new_content`
`pid`
`type`
`user`
`value`| |**[service](service)**|`create`
`delete`
`pause`
`start`
`stop`|`command_line`
`exe`
`fqdn`
`hostname`
`image_path`
`name`
`pid`
`ppid`
`uid`
`user`| -|**[socket](socket)**|`bind`
`listen`
`close`|`family`
`image_path`
`local_address`
`local_path`
`local_port`
`pid`
`protocol`
`remote_address`
`remote_port`
`success`| -|**[thread](thread)**|`create`
`remote_create`
`suspend`
`terminate`|`hostname`
`src_pid`
`src_tid`
`stack_base`
`stack_limit`
`start_address`
`start_function`
`start_module`
`start_module_name`
`subprocess_tag`
`tgt_pid`
`tgt_tid`
`uid`
`user`
`user_stack_base`
`user_stack_limit`| -|**[user_session](user_session)**|`lock`
`login`
`logout`
`reconnect`
`unlock`|`dest_ip`
`dest_port`
`hostname`
`login_type`
`logon_id`
`login_successful`
`src_ip`
`src_port`
`uid`
`user`| +|**[socket](socket)**|`bind`
`close`
`listen`|`family`
`image_path`
`local_address`
`local_path`
`local_port`
`pid`
`protocol`
`remote_address`
`remote_port`
`success`| +|**[thread](thread)**|`create`
`remote_create`
`suspend`
`terminate`|`hostname`
`src_pid`
`src_tid`
`stack_base`
`stack_limit`
`start_address`
`start_function`
`start_module`
`start_module_name`
`tgt_pid`
`tgt_tid`
`uid`
`user`
`user_stack_base`
`user_stack_limit`| +|**[user_session](user_session)**|`lock`
`login`
`logout`
`reconnect`
`unlock`|`dest_ip`
`dest_port`
`hostname`
`login_id`
`login_successful`
`login_type`
`src_ip`
`src_port`
`uid`
`user`| ## What is the data model? 
@@ -31,9 +31,9 @@ In the Data Model an *object* is much like an [object in computer science](https
 An *action* refers to a state change or event that happens on an object, such as an object's creation, destruction, or modification. These are the verbs that describe that an object can do, and what can happen to an object. However, there are cases where sensors do not monitor actions in objects but merely scan for and check the presence of an object. Each action is represented in a coverage matrix (the 2D table). The actions are on the y-axis.
 ### Fields
-A *field* refers to the observable properties of an object. These properties may contain flags, identifiers, data elements, or even references to other objects. In terms of vocabulary, fields are like the adjectives. They describe properties about an object. A [sensor](../Glossary#Sensor) monitors fields in the context of an object, and outputs these in some form of structured data. Once the data is ingested into a [SIEM](https://en.wikipedia.org/wiki/SIEM), the logs can be queried by forcing restrictions or patterns upon one or more objects, such as in an [analytic](../Glossary#Analytic). On the coverage matrix fields are on the x-axis.
+A *field* refers to the observable properties of an object. These properties may contain flags, identifiers, data elements, or even references to other objects. In terms of vocabulary, fields are like the adjectives. They describe properties about an object. A [sensor](../resources/glossary#Sensor) monitors fields in the context of an object, and outputs these in some form of structured data. Once the data is ingested into a [SIEM](https://en.wikipedia.org/wiki/SIEM), the logs can be queried by forcing restrictions or patterns upon one or more objects, such as in an [analytic](../resources/glossary#Analytic). On the coverage matrix fields are on the x-axis.
### Coverage
 In order to gauge the usefulness of a sensor with respect to analytics, its output must be mapped into the Data Model. For each object that a sensor measures, it captures state. Some sensors periodically scan for objects, instead of monitoring for state changes. In these cases, state may be inferred by looking for changes in the properties of an object.
-A summary of data model coverage is [here](data_model_with_sensors).
+A summary of data model coverage is [here](data_model_with_sensors).
\ No newline at end of file
diff --git a/docs/data_model/module.md b/docs/data_model/module.md
old mode 100755
new mode 100644
index c291ab30..6fdf7d55
--- a/docs/data_model/module.md
+++ b/docs/data_model/module.md
@@ -1,37 +1,79 @@ --- title: "Module" --- - Modules correspond to executable (and potentially non-executable) content, and are loaded as a contiguous region of memory into the address space of a process. Each process will have the main image loaded as a module and shared libraries (DLLs in Windows) and their dependencies. ## Actions - |Action|Description| |---|---| |load|A module load event occurs when a PE image (dll or exe) is loaded into a process.| |unload|When the module is unloaded from memory, upon destruction of the process or by calling an API such as FreeLibrary, the unload event is triggered.| ## Fields - |Field|Description|Example| |---|---|---| -|base_address|A hex address indicating where the module is loaded into the process’s virtual address space|`0xFFFFF8000405F000`| -|fqdn|The fully qualified domain name of the host. Contains the hostname appended with the domain.|`HOST1.EXAMPLE_DOMAIN.COM`| -|hostname|The hostname of the active host, without the domain.|`HOST1`| -|image_path|The file system location of the process image.|`C:\path\to\example.exe`| -|md5_hash|The MD5 hash of the contents of the file located at `module_path`. The field is in hex notation, without the 0x prefix.|`5eb63bbbe01eeed093cb22bb8f5acdc3`| -|module_path|The full file system path to the module loaded into the memory space of the process.|`C:\windows\system32\kernel32.exe`| -|module_name|The name of the file where the module is loaded on disk. 
This is also the string that is used internally by the program to lookup information about the module.|`kernel32.exe`| -|pid|Process ID of the process in which the module is loaded (or unloaded).|`738`| -|sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|`2aae6c35c94fcfb415dbe95f408b9ce91ee846ed`| -|sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|`68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728`| -|signature_valid|Boolean indicator of whether the signature is current and not revoked.|`True`| -|signer|The name of the organization which signed the module.|`Microsoft Corporation`| -|tid|The thread ID of the thread responsible for the load or unload event.|`50`| +base_address|A hex address indicating where the module is loaded into the process’s virtual address space.|18446735277684027392 +fqdn|The fully qualified domain name of the host. Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM +hostname|The hostname of the host, without the domain.|HOST1 +image_path|The file system location of the process image.|C:\path\to\example.exe +md5_hash|The MD5 hash of the contents of the file located at `module_path`. The field is in hex notation, without the 0x prefix.|5eb63bbbe01eeed093cb22bb8f5acdc3 +module_name|The name of the file where the module is loaded on disk. 
This is also the string that is used internally by the program to lookup information about the module.|kernel32.exe +module_path|The full file system path to the module loaded into the memory space of the process.|C:\windows\system32\kernel32.exe +pid|Process ID of the process in which the module is loaded (or unloaded).|738 +sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|2aae6c35c94fcfb415dbe95f408b9ce91ee846ed +sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728 +signature_valid|Boolean indicator of whether the signature is current and not revoked|True +signer|The name of the organization which signed the module.|Microsoft Corporation +tid|The thread ID of the thread responsible for the load or unload event.|50 ## Coverage Map - -| | **base_address** | **fqdn** | **hostname** | **image_path** | **md5_hash** | **module_name** | **module_path** | **pid** | **sha1_hash** | **sha256_hash** | **signature_valid** | **signer** | **tid** | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **load** | | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | -| **unload** | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ base_addressfqdnhostnameimage_pathmd5_hashmodule_namemodule_pathpidsha1_hashsha256_hashsignature_validsignertid
loadSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmon
unload
\ No newline at end of file
diff --git a/docs/data_model/process.md b/docs/data_model/process.md
old mode 100755
new mode 100644
index 7ed4995c..4bee996c
--- a/docs/data_model/process.md
+++ b/docs/data_model/process.md
@@ -1,54 +1,176 @@ --- title: "Process" --- - A process is a running program on a computer. ## Actions - |Action|Description| |---|---| -|access|The event corresponding to a process accessing the memory space of another process. +|access|The vent corresponding to a process accessing the memory space of another process.| |create|The event corresponding to a process creation in Windows. In the kernel, these are often captured with the callback [PsSetCreateProcessNotifyRoutine](https://msdn.microsoft.com/en-us/library/windows/hardware/ff559951%28v=vs.85%29.aspx).| -|terminate|The event corresponding to a process destruction in Windows. In the kernel, these are also captured with the callback [PsSetCreateProcessNotifyRoutine](https://msdn.microsoft.com/en-us/library/windows/hardware/ff559951%28v=vs.85%29.aspx), but with point to a NULL structure.| +|terminate|The event corresponding to a process destruction in Windows. In the kernel, these are also captured with the callback [PsSetCreateProcessNotifyRoutine](https://msdn.microsoft.com/en-us/library/windows/hardware/ff559951%28v=vs.85%29.aspx), but with a pointer to a NULL structure.| ## Fields - |Field|Description|Example| |---|---|---| -|access_level|Permissions level at which the target process is accessed.|`0x40`| -|call_trace|The stack trace showing the context of a process open/access call.|`C:\Windows\SYSTEM32\ntdll.dll+a5594|C:\Windows\system32\KERNELBASE.dll+1e865`| -|command_line|The command line string contains all arguments passed to the process upon execution.|`example arg1 arg2`, `example.exe`, `C:\path\example.exe /flag1`| -|current_working_directory|The absolute path to the current working directory of the process.|`c:\windows\system32\`| -|exe|The basename of the `image_path`.|`example.exe`| -|env_vars|The environment variables within a process's memory space, as a string.|`SHELL=/bin/zsh`| -|fqdn|The fully qualified domain name of the host in which the process ran. 
Contains the hostname appended with the domain.|`HOST1.EXAMPLE_DOMAIN.COM`| -|guid|Globally unique identifier for the process.|`{f81d4fae-7dec-11d0-a765-00a0c91e6bf6}`| -|hostname|The hostname of the host, without the domain.|`HOST1`| -|image_path|The file path of the executable associated with this process. This may act as a pivot to [`file:file_path`](https://car.mitre.org/wiki/Data_Model/file#file_path).|`C:\path\to\example.exe`| -|integrity_level|The Windows integrity level associated with the process. MUST be one of: low, medium, high, or system.|`high`| -|md5_hash|The MD5 hash of the contents of the file located at `image_path`. The field is in hex notation, without the 0x prefix.|`5eb63bbbe01eeed093cb22bb8f5acdc3`| -|parent_command_line|All of the arguments passed to the parent process upon execution.|`c:\\windows\\system32\\dism.exe foo.xml`| -|parent_exe|The `exe` field of the parent process. This is a substring of `parent_image_path`|`example_parent.exe`| -|parent_guid|Globally unique identifier for the parent of the initiating process.|`{f81d4fae-7dec-11d0-a765-00a0c91e6bf6}`| -|parent_image_path|The `image_path` field of the parent process.|`C:\path\to\example_parent.exe`| -|pid|The process ID for the process, represented in decimal notation.|`738`| -|ppid|The process ID for the process's parent, represented in decimal notation. 
In the parent process, this will be the `pid` field.|`1860`| -|sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|`2aae6c35c94fcfb415dbe95f408b9ce91ee846ed`| -|sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|`68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728`| -|sid|The security identifier or UID of the `user` token that the process is running under.|`S-1-5-18`| -|signer|The company that signed the file.|`True`| -|signature_valid|Boolean indicator of whether signature is current and not revoked.|`True`| -|target_address|Specific address range which is accessed by another process.|`08048000-0804c000`| -|target_guid|Globally Unique Identifier for the target process (only for process access events).|`{A23EAE89-BD56-5903-0000-0010E9D95EFC}`| -|target_pid|ID of the target process (only for process access events).|`1338`| -|target_name|Name of the process that is accessed.|`C:\Windows\System32\winlogon.exe`| -|user|The user token that process was created with. May be a local, domain or SYSTEM user. Formatted with "\\\\". Individual threads in the process may gain more privilege or change tokens, so the active token in any thread is not necessarily the one the process was created under.|`HOST1\LOCALUSER`| +access_level|Permissions level at which the target process is accessed.|64 +call_trace|Stack trace showing context of process open/access call.| +command_line|The command line string contains all arguments passed to the process upon execution.|example.exe arg1 arg2 +current_working_directory|The absolute path to the current working directory of the process.|c:\temp +env_vars|The environment variables within a process's memory space, as a string.|SHELL=/bin/zsh +exe|The basename of the `image_path`.|example.exe +fqdn|The fully qualified domain name of the host in which the process ran. 
Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM +guid|Global unique identifier for the initiating process.|{f81d4fae-7dec-11d0-a765-00a0c91e6bf6} +hostname|The hostname of the host, without the domain.|HOST1 +image_path|The file path of the executable associated with this process. This may act as a pivot to [file:file_path](https://car.mitre.org/wiki/Data_Model/file#file_path).|C:\path\to\example.exe +integrity_level|The Windows integrity level associated with the process. MUST be one of low, medium, high, or system.|High +md5_hash|The MD5 hash of the contents of the file located at `image_path`. The field is in hex notation, without the 0x prefix.|5eb63bbbe01eeed093cb22bb8f5acdc3 +parent_command_line|All of the arguments passed to the parent process upon execution.|c:\windows\system32\dism.exe foo.xml +parent_exe|The `exe` field of the parent process. This is a substring of `parent_image_path`.|example_parent.exe +parent_guid|Global unique identifier of the parent of the initiating process.|{f81d4fae-7dec-11d0-a765-00a0c91e6bf6} +parent_image_path|The `image_path` field of the parent process.|C:\path\to\example_parent.exe +pid|The process ID for the process, represented in decimal notation.|738 +ppid|The process ID for the process's parent, represented in decimal notation. 
In the parent process, this will be the `pid` field.|1860 +sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|2aae6c35c94fcfb415dbe95f408b9ce91ee846ed +sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728 +sid|The Windows security identifier of the `user` token that the process is running under.|S-1-5-18 +signature_valid|Boolean indicator of whether signature is current and not revoked.|True +signer|The name of the company that signed the file.|FooCorp +target_address|Specific address range which is accessed by another process.|08048000-0804c000 +target_guid|Global Unique Identifier for the target process (only for process access events).| +target_name|Name of the process that is accessed.|C:\Windows\System32\winlogon.exe +target_pid|ID of the target process (only for process access events).| +uid|User ID under which original process is running.|509 +user|The user token that process was created with. May be a local, domain or SYSTEM user. Formatted with "\". 
Individual threads in the process may gain more privilege or change tokens, so the active token in any thread is not necessarily the one the process was created under.|HOST1\LOCALUSER ## Coverage Map - -| | **access_level** | **call_trace** | **command_line** | **current_working_directory** | **exe** | **env_vars** | **fqdn** | **guid** | **hostname** | **image_path** | **integrity_level** | **md5_hash** | **parent_command_line** | **parent_exe** | **parent_guid** | **parent_image_path** | **pid** | **ppid** | **sha1_hash** | **sha256_hash** | **sid** | **signer** | **signature_valid** | **target_address** | **target_guid** | **target_pid** | **target_name** | **user** | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **access** | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | | | | | [Sysmon](../sensors/sysmon_13) | | | | [Sysmon](../sensors/sysmon_13) | | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | -**create** | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | | [Sysmon](../sensors/sysmon_13) | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | | | | | | | -| **terminate** | | | | | | | | | | | | | | | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ access_levelcall_tracecommand_linecurrent_working_directoryenv_varsexefqdnguidhostnameimage_pathintegrity_levelmd5_hashparent_command_lineparent_exeparent_guidparent_image_pathpidppidsha1_hashsha256_hashsidsignature_validsignertarget_addresstarget_guidtarget_nametarget_piduiduser
accessSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmon
createSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmon
terminate
\ No newline at end of file diff --git a/docs/data_model/registry.md b/docs/data_model/registry.md old mode 100755 new mode 100644 index 8faa412c..96ce237a --- a/docs/data_model/registry.md +++ b/docs/data_model/registry.md 
@@ -1,40 +1,101 @@ --- title: "Registry" --- - The registry is a system-defined database in which applications and system components store and retrieve configuration data. The data stored in the registry varies according to the version of Microsoft Windows. Applications use the registry API to retrieve, modify, or delete registry data. ## Actions - |Action|Description| |---|---| |add|The event corresponding to the act of adding a registry key, hive, type, or value.| -|name_edit|The event corresponding to the act of editing the name of an existing registry key or value.| +|key_edit|The event corresponding to the act of editing the name of an existing registry key.| |remove|The event corresponding to the act of deleting an existing registry key, hive, type, or value.| -|value_edit|The event corresponding to the act of editing the contents of an existing registry value.| +|value_edit|The event corresponding to the act of editing the content of an existing registry value.| ## Fields - |Field|Description|Example| |---|---|---| -|fqdn|The fully qualified domain name for the host on which the registry access took place.|`host1.example.net`| -|hostname|The hostname of the host, without the domain.|`HOST1`| -|hive|The logical group of keys, subkeys, and values in the registry.|`HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE` -|key|The registry key specified in the event. 
Similar to a folder in a traditional file system,|`HKLM\SYSTEM\CurrentControlSet\services\RpcSs`| -|image_path|Inherited from the [process](https://car.mitre.org/wiki/Data_Model/process) that made the registry access.|`C:\Windows\System32\cmd.exe`| -|new_content|The data within the new value, or the new name of a key or value, after an edit event.|`\%SystemRoot%\system32\svchost.exe, HKLM\SYSTEM\CurrentControlSet\services\RpcSs`| -|pid|Inherited from the [process](https://car.mitre.org/wiki/Data_Model/process) that made the registry access.|`1337`| -|user|The user context in which the thread that caused this event was running. May be a local, domain or SYSTEM user. Formatted as "\\\\". Because threads are allowed to impersonate users, this may be different than the user context of the process.| | -|value|The descriptive name for the data being stored in the key.|`InstalledVersion`| -|value_data|The contents of the value, typically a text string.|`%SystemRoot%\system32\svchost.exe -k rpcss`| -|value_type|The type of data being stored in the value. Types include binary data, 32 bit numbers, strings, etc.|`REG_SZ`,`REG_MULTI_SZ`,`REG_DWORD`,`REG_BINARY`,`REG_QWORD`,`REG_EXPAND_SZ`| +data|The content of `value`, typically a text string.|\%SystemRoot%\system32\svchost.exe -k rpcss +fqdn|The fully qualified domain name for the host on which the registry access took place.|HOST1.EXAMPLE_DOMAIN.COM +hive|The logical group of keys, subkeys, and values in the registry.|HKEY_CURRENT_USER +hostname|The hostname of the host, without the domain.|HOST1 +image_path|Inherited from the [process](https://car.mitre.org/data_model/process) that made the registry access.|C:\path\to\example.exe +key|The registry key of the event. 
Similar to a folder in a traditional file system.|HKLM\SYSTEM\CurrentControlSet\services\RpcSs +new_content|The data within the new value, or the new name of a key, after an edit event.|\%SystemRoot%\system32\svchost.exe, HKLM\SYSTEM\CurrentControlSet\services\RpcSs +pid|Inherited from the [process](https://car.mitre.org/data_model/process) that made the registry access.|738 +type|The type of data being stored in `value`. Types include binary data, 32 bit numbers, strings, etc.|REG_BINARY +user|The user in the context of the process that performed the action on the registry key.|HOST1\LOCALUSER +value|The descriptive name for the data being stored.|InstalledVersion ## Coverage Map - -| | **data** | **fqdn** | **hostname** | **hive** | **key** | **image_path** | **new_content** | **pid** | **type** | **user** | **value** | -|---|---|---|---|---|---|---|---|---|---|---|---| -| **add** | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)| [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | -| -**key_edit** | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | -| **remove** | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | -| **value_edit** | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98)| [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98)| | [Autoruns](../sensors/autoruns_13.98) | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ datafqdnhivehostnameimage_pathkeynew_contentpidtypeuservalue
addAutoruns SysmonSysmonAutoruns SysmonAutorunsSysmonAutoruns SysmonSysmonAutorunsSysmonAutoruns
key_editAutoruns SysmonSysmonAutoruns SysmonAutorunsSysmonAutoruns SysmonAutoruns SysmonSysmonAutorunsSysmonAutoruns Sysmon
removeSysmonSysmonSysmonSysmonSysmonSysmonSysmon
value_editAutorunsAutorunsAutorunsAutorunsAutorunsAutorunsAutoruns
\ No newline at end of file diff --git a/docs/data_model/service.md b/docs/data_model/service.md old mode 100755 new mode 100644 index c8128f21..e1d2b90c --- a/docs/data_model/service.md +++ b/docs/data_model/service.md 
@@ -1,40 +1,109 @@ --- title: "Service" --- - Services, or a service application, can be started automatically at system boot, by a user through the services control panel applet, or by an application that uses service functions. Services can execute even when no user is logged into the system. ## Actions - |Action|Description| |---|---| -|create|The event corresponding to the act of creating a new service. -|delete|The event corresponding to the act of deleting a service. -|pause|The event corresponding to the act of pausing a currently running service. -|start|The event corresponding to the act of starting a new service. -|stop|The event corresponding to the act of stopping a service that is currently running. +|create|The event corresponding to the act of creating a new service.| +|delete|The event corresponding to the act of deleting a service.| +|pause|The event corresponding to the act of pausing a currently running service.| +|start|The event corresponding to the act of starting a new service.| +|stop|The event corresponding to the act of stopping a service that is currently running.| ## Fields - |Field|Description|Example| |---|---|---| -|command_line|The command line that service is started with.|`C:\windows\system32\svchost.exe -k rpcss` -|exe|The executable for the service.|`svchost.exe` -|fqdn|The fully qualified domain name of the host. Contains the hostname appended with the domain.|`Example: HOST1.EXAMPLE_DOMAIN.COM` -|hostname|The hostname of the host, without the domain.|`HOST1` -|image_path|Where in the file system the executable is located.|`C:\path\to\example.exe` -|name|The name of the service.|`RpcSs` -|ppid|The process ID of the process's parent, represented in decimal notation. 
In the parent process, this will be the pid field.|`1860` -|pid|The process ID for the process, represented in decimal notation.|`738` -|uid|The ID or SID of the user who acted on the service.|`S-1-5-18` -|user|The user context in which the thread that caused this event was running. May be a local, domain or SYSTEM user. Formatted as "\\\\". Because threads are allowed to impersonate users, this may be different than the user context of the process. For service events, the user is almost always NT AUTHORITY\SYSTEM.|`NT AUTHORITY\SYSTEM` +command_line|The command line that service is started with.|C:\windows\system32\svchost.exe -k rpcss +exe|The executable for the service.|svchost.exe +fqdn|The fully qualified domain name of the host. Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM +hostname|The hostname of the host, without the domain.|HOST1 +image_path|Where in the file system the service executable is located.|C:\path\to\example.exe +name|The name of the service.|RpcSs +pid|The process ID for the process of the service, represented in decimal notation.|718 +ppid|The process ID of the process’s parent or the service, represented in decimal notation. 
In the parent process, this will be the pid field.|1860 +uid|The ID of SID of the user who acted on the service|S-1-5-18 +user|The user token that service was created with.|HOST1\LOCALUSER ## Coverage Map - -| | **command_line** | **exe** | **fqdn** | **hostname** | **image_path** | **name** | **pid** | **ppid** | **uid** | **user** | -|---|---|---|---|---|---|---|---|---|---|---| -| **create** | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | | | | | -| **delete** | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | | | | | -| **pause** | | | | | | | | | | | -| **start** | | | | | | | | | | | -| **stop** | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ command_lineexefqdnhostnameimage_pathnamepidppiduiduser
createAutorunsAutorunsAutorunsAutorunsAutoruns
deleteAutorunsAutorunsAutorunsAutorunsAutoruns
pause
start
stop
\ No newline at end of file diff --git a/docs/data_model/socket.md b/docs/data_model/socket.md old mode 100755 new mode 100644 index 0f4758f5..4b323924 --- a/docs/data_model/socket.md +++ b/docs/data_model/socket.md 
@@ -1,37 +1,81 @@ --- title: "Socket" --- - -Socket events are low-level events that may or may not result in a flow. Socket listening events in particular can be helpful in detecting malicious activity. +Socket events are low-level events that may or may not result in a flow. Socket listenining events in particular can be helpful in detecting malicious activity. ## Actions - |Action|Description| |---|---| -|bind|The event corresponding to a socket binding to a specific address. -|listen|The event corresponding to a socket being opened into a listening status, usually on a specific local port.| +|bind|The event corresponding to a socket binding to a specific address| |close|The event corresponding to a socket being closed.| +|listen|The event corresponding to a socket being opened into a listening status, usually on a specific local port.| ## Fields - |Field|Description|Example| |---|---|---| -|family|The type of socket in question.|`AF_UNIX, AF_INET, AF_INET6`| -|image_path|Path to the executable that initiated the socket event.|`C:/user/adam/malware.exe`| -|local_address|IP address on which the socket will accept connections; does not include the port number.|`10.0.211.200`| -|local_path|In the case that a socket is used for local interprocess communication, the socket binds to a local filepath, and will usually be visible in the filesystem. This is the case with AF_UNIX type sockets.|`/tmp/foo`| -|local_port|Port number on which the socket is bound at the local end. This pertains to TCP and UDP sockets but not IP sockets.|`48777`| -|pid|ID of the process that acted on the socket.|`3930`| -|protocol|The type of connection that was attempted on the socket.|`TCP`| -|remote_address|IP address with which the socket is communicating on the remote end.|`199.121.21.20`| -|remote_port|Port number on which the socket is bound at the remote end.|`559`| -|success|Boolean indicator of whether the socket event was successful (e.g. 
the socket was created as requested).|`True`| +family|The type of socket in question|AF_UNIX, AF_INET, AF_INET6 +image_path|Path to the executable that initiated the socket event.|C:/user/adam/malware.exe +local_address|IP address on which the socket will accept connections; does not include the port number.|10.0.211.200 +local_path|In the case that a socket is used for local interprocess communication, the socket binds to a local filepath, and will usually be visible in the filesystem. This is the case with AF_UNIX type sockets.|/tmp/foo +local_port|Port number on which the socket is bound at the local end. This pertains to TCP and UDP sockets but not IP sockets.|48777 +pid|ID of the process that acted on the socket|3930 +protocol|The type of connection that was attempted on the socket|TCP +remote_address|IP address with which the socket is communicating on the remote end.|199.121.21.20 +remote_port|Port number on which the socket is bound at the remote end.|559 +success|Boolean indicator of whether the socket event was successful (e.g. 
the socket was created as requested)|True ## Coverage Map - -| | **family** | **image_path** | **local_address** | **local_path** | **local_port** | **pid** | **protocol** | **remote_address** | **remote_port** | **success** | -|---|---|---|---|---|---|---|---|---|---|---| -| **bind** | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | -| **listen** | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | -| **close** | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | o[osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ familyimage_pathlocal_addresslocal_pathlocal_portpidprotocolremote_addressremote_portsuccess
bindosqueryosqueryosqueryosqueryosqueryosqueryosqueryosquery
closeosqueryosqueryosqueryosqueryosqueryosqueryosqueryosquery
listenosqueryosqueryosqueryosqueryosqueryosqueryosqueryosquery
\ No newline at end of file diff --git a/docs/data_model/thread.md b/docs/data_model/thread.md old mode 100755 new mode 100644 index ac505bdf..85230dba --- a/docs/data_model/thread.md +++ b/docs/data_model/thread.md 
@@ -1,44 +1,125 @@ --- title: "Thread" --- - A thread of execution is the smallest sequence of programmed instructions that can be managed independently by a scheduler, which is typically part of the operating system. A thread is typically a component of a process. Multiple threads can exist within the same process and share resources such as memory, while different processes do not share these resources. The threads of a process share executable code instructions and context, such as the values of variables at any given moment. ## Actions - |Action|Description| |---|---| |create|The event corresponding to the act of creating a new thread.| +|remote_create|A subset of thread create events that correspond to thread injection, that is, when a process creates a thread in another process. For a remote_create event the src_pid and tgt_pid are different.| |suspend|The event corresponding to the act of suspending a thread which is currently running.| |terminate|The event corresponding to the act of terminating a running thread.| -|remote_create|A subset of thread create events that correspond to thread injection, that is, when a process creates a thread in another process. 
For a remote_create event the src_pid and tgt_pid are different.| ## Fields - |Field|Description|Example| |---|---|---| -|hostname|The hostname of the active host, without the domain.|`HOST1`| -|src_pid|The process ID of the process that created the thread.|`6016`| -|src_tid|The thread ID of the thread that created the event.|`9012`| -|stack_base|The base address of the thread’s stack.|`0xfffff880081a9000`| -|stack_limit|The limit of the thread’s stack.|`0xfffff880081a3000`| -|start_address|The memory address at which the thread's execution starts.|`0xfffff880046dc3e0`| -|start_function|The function at `start_address`|`LoadLibrary`| -|start_module|The module in which `start_address` resides.|`C:\windows\system32\ntdll.dll`| -|start_module_name|The short name of the `start_module.`|`ntdll.dll`| -|subprocess_tag|Identifies the service if the thread is owned by a service; otherwise, it is listed as zero.|`0`| -|tgt_pid|The process ID of the process in which the new thread runs.|`4`| -|tgt_tid|The thread ID of the new thread that was created.|`6964`| -|uid|The ID or SID of the user who directly or indirectly acted on the thread.|`S-1-5-18`| -|user|The user context in which the source thread was running. May be a local, domain or SYSTEM user. Formatted as "\\\\". 
Because threads are allowed to impersonate users, this may be different than the user context of the process.|`HOST1\LOCALUSER`| -|user_stack_base|The base address of the thread’s stack.|`0x0`| -|user_stack_limit|The limit of the thread’s stack.|`0x0`| +hostname|The hostname of the active host, without the domain.|HOST1 +src_pid|The process ID of the process that created the thread.|6016 +src_tid|The thread ID of the thread that created the event.|9012 +stack_base|The base address of the thread's stack.|18446735827508301824 +stack_limit|The limit of the thread's stack.|18446735827508277248 +start_address|The memory address at which the thread's execution starts.|18446735827446645728 +start_function|The function at `start_address`.|LoadLibrary +start_module|The module in which `start_address` resides.|C:\windows\system32\ntdll.dll +start_module_name|The short name of the `start_module`.|ntdll.dll +tgt_pid|The process ID of the process in which the new thread runs.|232 +tgt_tid|The thread ID of the new thread that was created.|6964 +uid|The ID of SID of the user who directly or indirectly acted on the thread|S-1-5-18 +user|The user context in which the source thread was running. May be a local, domain or SYSTEM user. Formatted as \. 
Because threads are allowed to impersonate users, this may be different than the user context of the process.|HOST1\LOCALUSER +user_stack_base|The base address of the thread's stack.|0 +user_stack_limit|The limit of the thread's stack.|0 ## Coverage Map - -| | **hostname** | **src_pid** | **src_tid** | **stack_base** | **stack_limit** | **start_address** | **start_function** | **start_module** | **start_module_name** | **subprocess_tag** | **tgt_pid** | **tgt_tid** | **uid** | **user** | **user_stack_base** | **user_stack_limit** | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **create** | | | | | | | | | | | | | | | | | -| **remote_create** | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | | | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | |[Sysmon]( ../sensors/sysmon_13) |[Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | | | -| **suspend** | | | | | | | | | | | | | | | | | | -| **terminate** | | | | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ hostnamesrc_pidsrc_tidstack_basestack_limitstart_addressstart_functionstart_modulestart_module_nametgt_pidtgt_tiduiduseruser_stack_baseuser_stack_limit
create
remote_createSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmon
suspend
terminate
\ No newline at end of file diff --git a/docs/data_model/user_session.md b/docs/data_model/user_session.md old mode 100755 new mode 100644 index 849b7c65..2e271192 --- a/docs/data_model/user_session.md +++ b/docs/data_model/user_session.md 
@@ -1,40 +1,109 @@ --- title: "User Session" --- - User sessions are the user activities undertaken on the computer in the course of conducting standard user actions. ## Actions - |Action|Description| |---|---| -|lock|The event corresponding to the act of a user locking a machine such that they are still logged into the machine but unable to access it without re-entering credentials, effectively entering the machine into a locked state. -|login|The event corresponding to the act of a user logging into a machine. -|logout|The event corresponding to the act of a user logging out of a machine. -|reconnect|The event corresponding to the act of a user reconnecting when an RDP session disconnects but the user is not logged off. -|unlock|The event corresponding to the act of a user unlocking a machine currently in a locked state. +|lock|The event corresponding to the act of a user locking a machine such that they are still logged into the machine but unable to access it without re-entering credentials, effectively entering the machine into a locked state.| +|login|The event corresponding to the act of a user logging into a machine.| +|logout|The event corresponding to the act of a user logging out of a machine.| +|reconnect|The event corresponding to the act of a user reconnecting when an RDP session disconnects but the user is not logged off.| +|unlock|The event corresponding to the act of a user unlocking a machine currently in a locked state.| ## Fields - |Field|Description|Example| |---|---|---| -|dest_ip|The destination IP address of the user session. Only applicable to remote or RDP sessions.|`192.168.1.5` -|dest_port|The destination port of the user session. 
Only applicable to remote or RDP sessions.|`1900` -|hostname|The hostname of the host, without the domain.|`HOST1` -|login_successful|Boolean indicator of whether a login attempt was successful.|`False` -|login_type|The type of login that was accomplished or attempted.|`interactive`,`local`,`rdp`,`remote` -|login_id|A hex value corresponding to the session. The login id will persist until logout occurs.|`0xf61f3` -|src_ip|The source IP address of the user session. Only applicable to remote or RDP sessions.|`10.0.0.54` -|src_port|The source port of the user session. Only applicable to remote or RDP sessions.|`50438` -|uid|ID or SID of the user for which a session event occured.|`S-1-5-18` -|user|The user affiliated with the session. May be a local, domain or SYSTEM user.|`HOST1\LOCALUSER` +dest_ip|The destination IP address of the user session. Only applicable to remote or RDP sessions.|192.168.1.5 +dest_port|The destination port of the user session. Only applicable to remote or RDP sessions.|1900 +hostname|The hostname of the host, without the domain.|HOST1 +login_id|A hex value corresponding to the session. The logon id will persist until logout occurs.|1008115 +login_successful|Boolean indicator of whether a login attempt was successful|False +login_type|The type of login that was accomplished or attempted|interactive,local,rdp,remote +src_ip|The source IP address of the user session. Only applicable to remote or RDP sessions.|10.0.0.54 +src_port|The source port of the user session. Only applicable to remote or RDP sessions.|50438 +uid|ID or SID of the user for which a session event ocurred|S-1-5-18 +user|The user affiliated with the session. 
May be a local, domain or SYSTEM user.|HOST1\LOCALUSER ## Coverage Map - -| | **dest_ip** | **dest_port** | **hostname** | **login_successful** | **login_type** | **logon_id** | **src_ip** | **src_port** | **uid** | **user** | -|---|---|---|---|---|---|---|---|---|---|---| -| **lock** | | | | | | | | | | | -| **login** | | | | | | | | | | | -| **logout** | | | | | | | | | | | -| **reconnect** | | | | | | | | | | | -| **unlock** | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ dest_ipdest_porthostnamelogin_idlogin_successfullogin_typesrc_ipsrc_portuiduser
lock
login
logout
reconnect
unlock
\ No newline at end of file diff --git a/docs/index.md b/docs/index.md index 8bfe215a..dd7a4a60 100644 --- a/docs/index.md +++ b/docs/index.md @@ -9,7 +9,7 @@ Analytics stored in CAR contain the following information: * a *hypothesis* which explains the idea behind the analytic * the *information domain* or the primary domain the analytic is designed to operate within (e.g. host, network, process, external) * references to [ATT&CK](https://attack.mitre.org/) Techniques and Tactics that the analytic detects -* the [Glossary](Glossary) +* the [Glossary](resources/glossary) * a pseudocode description of how the analytic might be implemented * a unit test which can be run to trigger the analytic diff --git a/docs/wiki/Category:Sensors/index.html b/docs/wiki/Category:Sensors/index.html new file mode 100644 index 00000000..af0bc0ee --- /dev/null +++ b/docs/wiki/Category:Sensors/index.html @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/docs/wiki/Help:Contents/index.html b/docs/wiki/Help:Contents/index.html new file mode 100644 index 00000000..dd6a448b --- /dev/null +++ b/docs/wiki/Help:Contents/index.html @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/docs/wiki/Help:Glossary/index.html b/docs/wiki/Help:Glossary/index.html new file mode 100644 index 00000000..72217038 --- /dev/null +++ b/docs/wiki/Help:Glossary/index.html @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/scripts/datamodel_index_template.md b/scripts/datamodel_index_template.md new file mode 100644 index 00000000..8cf84471 --- /dev/null +++ b/scripts/datamodel_index_template.md 
@@ -0,0 +1,27 @@ +--- +title: Data Model +--- + +The Data Model, strongly inspired by [CybOX](https://cyboxproject.github.io/), is an organization of the objects that may be monitored from a host-based or network-based perspective. Each object on can be identified by two dimensions: its actions and fields. When paired together, the three-tuple of `(object, action, field)` acts like a coordinate, and describe what properties and state changes of the object can be captured by a sensor. + +## Summary + +|Object|Actions|Fields| +|---|---|---|{% for model_name, model in datamodels.items()|sort(attribute='0') %} +|**[{{ model_name }}]({{ model_name }})**|{{ model['actions']|sort(attribute='name')|map(attribute='name')|map('backtick')|join('
') }}|{{ model['fields']|sort(attribute='name')|map(attribute='name')|map('backtick')|join('
') }}|{% endfor %} + +## What is the data model? + +### Objects +In the Data Model an *object* is much like an [object in computer science](https://en.wikipedia.org/wiki/Object_(computer_science)). These are the items that data actually represent, such as hosts, files, connections, etc. Objects are the nouns of the Data Model vocabulary. + +### Actions +An *action* refers to a state change or event that happens on an object, such as an object's creation, destruction, or modification. These are the verbs that describe that an object can do, and what can happen to an object. However, there are cases where sensors do not monitor actions in objects but merely scan for and check the presence of an object. Each action is represented in a coverage matrix (the 2D table). The actions are on the y-axis. + +### Fields +A *field* refers to the observable properties of an object. These properties may contain flags, identifiers, data elements, or even references to other objects. In terms of vocabulary, fields are like the adjectives. They describe properties about an object. A [sensor](../resources/glossary#Sensor) monitors fields in the context of an object, and outputs these in some form of structured data. Once the data is ingested into a [SIEM](https://en.wikipedia.org/wiki/SIEM), the logs can be queried by forcing restrictions or patterns upon one or more objects, such as in an [analytic](../resources/glossary#Analytic). On the coverage matrix fields are on the x-axis. + +### Coverage +In order to gauge the usefulness of a sensor with respect to analytics, its output must be mapped into the Data Model. For each object that a sensor measures, it captures state. Some sensors periodically scan for objects, instead of monitoring for state changes. In these cases, state may be inferred by looking for changes in the properties of an object. + +A summary of data model coverage is [here](data_model_with_sensors). 
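Review bot: The introductory paragraph reads `Each object on can be identified by two dimensions` — the stray `on` should be dropped, and in `the three-tuple of (object, action, field) acts like a coordinate, and describe what properties` the second verb should be `describes` to agree with the singular subject. The same sentence in `scripts/datamodel_index_with_sensors_template.md` in this commit has the same agreement problem (`act like a coordinate, and describe`), so fix both together since they render as the site's Data Model landing pages.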
diff --git a/scripts/datamodel_index_with_sensors_template.md b/scripts/datamodel_index_with_sensors_template.md new file mode 100644 index 00000000..fe5db046 --- /dev/null +++ b/scripts/datamodel_index_with_sensors_template.md @@ -0,0 +1,22 @@ +--- +title: "Data Model with Sensors" +--- + +The **Data Model**, strongly inspired by [CybOX](https://cyboxproject.github.io/), is an organization of the objects that may be monitored from a host-based or network-based perspective. Each object can be identified by two dimensions: its actions and fields. When paired together, the three-tuple of `(object, action, field)` act like a coordinate, and describe what properties and state changes of the object can be captured by a sensor. + +Compare the data model's use in analytics that map to [ATT&CK](https://attack.mitre.org/). + +{% for model_name, model in datamodels.items()|sort(attribute='0') %} +## [{{ model_name }}]({{ model_name }}) + + + + {% endfor %} + {% for action in model['actions']|sort(attribute='name') %} + + {% for field in model['fields']|sort(attribute='name') %} + {% endfor %} + {% endfor %} +
{% for field in model['fields']|sort(attribute='name') %} + {{ field['name'] }}
{{ action['name'] }}{% if 'coverage_map' in model and action['name'] in model['coverage_map'] and field['name'] in model['coverage_map'][action['name']] %}{{ model['coverage_map'][action['name']][field['name']]|join(' ') }}{% endif %}
+{% endfor %} diff --git a/scripts/datamodel_schema.yaml b/scripts/datamodel_schema.yaml index bf9c1aa7..d0e5985b 100644 --- a/scripts/datamodel_schema.yaml +++ b/scripts/datamodel_schema.yaml @@ -3,6 +3,7 @@ name: str() description: str() actions: list(include('action')) fields: list(include('field')) +coverage: map(map(str(), key=str()), key=str(), required=False) --- action: name: str() diff --git a/scripts/datamodel_template.md b/scripts/datamodel_template.md new file mode 100644 index 00000000..c73a95c2 --- /dev/null +++ b/scripts/datamodel_template.md @@ -0,0 +1,26 @@ +--- +title: "{{ datamodel['name'] }}" +--- +{{ datamodel['description'] }} + +## Actions +|Action|Description| +|---|---|{% for action in datamodel['actions']|sort(attribute='name') %} +|{{ action['name'] }}|{{ action['description'] }}|{% endfor %} + +## Fields +|Field|Description|Example| +|---|---|---|{% for field in datamodel['fields']|sort(attribute='name') %} +{{ field['name'] }}|{{ field['description'] }}|{% if 'example' in field %}{{ field['example'] }}{% endif %}{% endfor %} + +## Coverage Map + + + {% endfor %} + {% for action in datamodel['actions']|sort(attribute='name') %} + + {% for field in datamodel['fields']|sort(attribute='name') %} + {% endfor %} + {% endfor %} +
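Review bot: The new schema key is `coverage`, but every data model file in this commit (e.g. `data_model/file.yaml`, `data_model/driver.yaml`) and `scripts/generate_datamodels.py` use `coverage_map`, so the added rule never validates anything and, depending on whether the validator runs in strict mode, the real key is either rejected as unknown or silently ignored. The inner value type is also wrong: the YAML holds a list of sensor file stems per field (`sha256_hash: ["sysmon_13"]`), not a single string, so the rule should be `coverage_map: map(map(list(str()), key=str()), key=str(), required=False)`. Getting this right matters beyond docs hygiene, because those strings are later turned into a filesystem path in `cached_load_sensor`, and the schema is the only place their type and shape are checked.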
{% for field in datamodel['fields']|sort(attribute='name') %} + {{ field['name'] }}
{{ action['name'] }}{% if 'coverage_map' in datamodel and action['name'] in datamodel['coverage_map'] and field['name'] in datamodel['coverage_map'][action['name']] %}{{ datamodel['coverage_map'][action['name']][field['name']]|join(' ') }}{% endif %}
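Review bot: The Fields row emits `{{ field['example'] }}` as plain text, so examples lose the code-span formatting the hand-written pages had — in the regenerated `user_session.md` the removed lines show `` `HOST1\LOCALUSER` `` and `` `interactive`,`local`,`rdp`,`remote` `` while the new ones show `HOST1\LOCALUSER` and `interactive,local,rdp,remote`, and backslashes or other markdown-significant characters in examples are now interpreted by the renderer. The environment built in `generate_datamodels.py` already registers a `backtick` filter, so `{% if 'example' in field %}{{ field['example']|backtick }}{% endif %}` restores the previous output. The same row also omits the leading `|` that the Actions rows and the `|Field|Description|Example|` header carry; `|{{ field['name'] }}|{{ field['description'] }}|...|` keeps the table rows consistent with the rest of the page.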
diff --git a/scripts/generate_datamodels.py b/scripts/generate_datamodels.py new file mode 100644 index 00000000..5467ef47 --- /dev/null +++ b/scripts/generate_datamodels.py 
@@ -0,0 +1,72 @@ +""" +This script generates the data model portion of the site for each YAML data model mapping file. +""" +from jinja2 import Environment, FileSystemLoader +from pathlib import Path +from yaml import safe_load + +def parse_yaml(): + datamodel_files = (Path(__file__).parents[1] / "data_model").glob("*.yaml") + datamodels = {} + for file in datamodel_files: + with open(file, encoding="utf-8") as f: + datamodels[file.stem] = safe_load(f.read()) + return datamodels + +def cached_load_sensor(): + sensors = {} + def load_sensor(filename): + if filename not in sensors: + sensor_file = Path(__file__).parents[1] / "sensors" / f"(unknown).yaml" + with open(sensor_file, encoding="utf-8") as f: + sensors[filename] = safe_load(f.read()) + return sensors[filename] + return load_sensor + +def replace_sensor_names_with_html(datamodels, load_sensor): + def replace_sensor_name_with_html(sensor_filename): + return f"{load_sensor(sensor_filename)['sensor_name']}" + + for model in datamodels.values(): + if 'coverage_map' in model: + for action in model['coverage_map']: + for field, sensor_filenames in model['coverage_map'][action].items(): + model['coverage_map'][action][field] = [replace_sensor_name_with_html(sensor_filename) for sensor_filename in sensor_filenames] + +def create_jinja_environment(): + def backtick_wrapper_filter(value): + return f'`{value}`' + + # autoescape set to false since it's needed to have the html links be generated properly and cause the templates / input data are controlled by us + jinja_env = Environment(loader=FileSystemLoader('.'), autoescape=False) + jinja_env.filters['backtick'] = backtick_wrapper_filter + + return jinja_env + +def generate_markdown(datamodels, jinja_env): + datamodel_template = jinja_env.get_template('datamodel_template.md') + for model in datamodels: + with open(f'../docs/data_model/{model}.md', 'w', encoding='utf-8') as f: + f.write(datamodel_template.render(datamodel=datamodels[model])) + +def 
generate_index(datamodels, jinja_env): + index_template = jinja_env.get_template('datamodel_index_template.md') + with open('../docs/data_model/index.md', 'w', encoding='utf-8') as f: + f.write(index_template.render(datamodels=datamodels)) + +def generate_index_with_sensors(datamodels, jinja_env): + index_template = jinja_env.get_template('datamodel_index_with_sensors_template.md') + with open('../docs/data_model/data_model_with_sensors.md', 'w', encoding='utf-8') as f: + f.write(index_template.render(datamodels=datamodels)) + +def main(): + datamodels = parse_yaml() + replace_sensor_names_with_html(datamodels, cached_load_sensor()) + Path('../docs/data_model').mkdir(exist_ok=True) + jinja_env = create_jinja_environment() + generate_markdown(datamodels, jinja_env) + generate_index(datamodels, jinja_env) + generate_index_with_sensors(datamodels, jinja_env) + +if __name__ == "__main__": + main() diff --git a/scripts/redirects.csv b/scripts/redirects.csv index 91d04022..609b467c 100644 --- a/scripts/redirects.csv +++ b/scripts/redirects.csv @@ -1,6 +1,6 @@ /wiki/Main_Page,/ /caret,https://mitre-attack.github.io/caret -/wiki/Help:Glossary,/Glossary +/wiki/Help:Glossary,/resources/glossary /wiki/Help:Contents,/ /wiki/Full_Analytic_List,/analytics /wiki/Contribute,/CONTRIBUTING @@ -63,4 +63,4 @@ /wiki/CAR-2016-04-002,/analytics/CAR-2016-04-002 /wiki/CAR-2014-12-001,/analytics/CAR-2014-12-001 /wiki/CAR-2014-11-008,/analytics/CAR-2014-11-008 -/wiki/CAR-2013-05-009,/analytics/CAR-2013-05-009 \ No newline at end of file +/wiki/CAR-2013-05-009,/analytics/CAR-2013-05-009
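Review bot: `replace_sensor_name_with_html` interpolates `sensor_name` read from the sensor YAML directly into a string that, per the comment on `create_jinja_environment`, is rendered as an HTML link with `autoescape=False`, so any markup characters in a sensor name land in the page unescaped; wrapping the value with the standard library (`from html import escape`, then `escape(load_sensor(sensor_filename)['sensor_name'])`) keeps the deliberate non-escaping confined to the link markup itself. The template and output paths (`FileSystemLoader('.')`, `'../docs/data_model/...'`, `Path('../docs/data_model')`) assume the process is started from `scripts/`, whereas `parse_yaml` and `load_sensor` anchor on `Path(__file__).parents[1]`; resolving all of them from `Path(__file__).parent` would make the script runnable from the repository root as well as from the workflow's `working-directory`. As rendered here `load_sensor` builds the sensor path from `f"(unknown).yaml"` with no `{filename}` placeholder, so every sensor would be read from the same file — if that is not an artefact of how this diff was captured, it needs `f"{filename}.yaml"`. Minor: `safe_load(f.read())` can be `safe_load(f)` in both loaders, and `for model in datamodels:` followed by `datamodels[model]` in `generate_markdown` reads more clearly as `for name, model in datamodels.items():`.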