
edr-telemetry's People

Contributors

alextrender, alwashali, guzzy711, idev, inodee, j91321, jdu2600, johnk3r, maximelb, mthcht, nasbench, nicolasschn, pep-un, queensquishy, robert-harfanglab, thomaspatzke, tsale, xc0unt3r7hr34t, zbeastofburden


edr-telemetry's Issues

MD5 Hash algorithm for Crowdstrike

MD5 is only calculated on some events. I can see the following fields containing MD5 hashes:

  • behaviors{}.md5
  • behaviors{}.parent_details.parent_md5
  • event.MD5String (event streams logs)
  • properties.MD5HashData (vertex_type=module)

It's a small part of the detections, but it is partially logged.

For the behaviors{} detections, for example, I can see the following behaviors detected with MD5 hashes:

  • A file appears to be imitating a standard OS or otherwise benign filename and/or launched from an unusual location. This might be to masquerade malware. Review the file.
  • A file classified as Adware/PUP based on its SHA256 hash was written to the file-system.
  • A file written to the file-system meets the File Analysis ML algorithm's high-confidence threshold for malware.
  • A file written to the file-system meets the File Analysis ML algorithm's low-confidence threshold for malware.
  • A file written to the file-system meets the File Analysis ML algorithm's lowest-confidence threshold for malware.
  • A file written to the file-system meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.
  • A file written to the file-system meets the machine learning-based on-sensor AV protection's medium confidence threshold for malicious files.
  • A file written to the file-system surpassed a high-confidence adware detection threshold.
  • A file written to the file-system surpassed a low-confidence adware detection threshold.
  • A file written to the file-system surpassed a lowest-confidence adware detection threshold.
  • A file written to the file-system surpassed a medium-confidence adware detection threshold.
  • A module was loaded from an unusual path or with an unusual file name. Review the DLLs loaded by the process.
  • A process appears to be tampering with the Falcon sensor configuration. If this is unexpected, it might be an adversary trying to disable the Falcon sensor. Review the process tree.
  • A process associated with a known ransomware campaign launched. Investigate the host for signs of a ransomware attack.
  • A process attempted to delete a Volume Shadow Snapshot.
  • A process attempted to hide a Volume Shadow Snapshot.
  • A process attempted to modify Falcon sensor auxiliary driver files. This is indicative of an attempt to tamper with Falcon sensor. Investigate the file system operation and process tree.
  • A process attempted to modify Falcon sensor core driver files. This is indicative of an attempt to tamper with Falcon sensor. Investigate the file system operation and process tree.
  • A process attempted to modify Falcon sensor installer related files. This is indicative of an attempt to tamper with Falcon sensor. Investigate the file system operation and process tree.
  • A process attempted to modify Falcon sensor related service binaries. This is indicative of an attempt to tamper with Falcon sensor. Investigate the file system operation and process tree.
  • A process attempted to modify a Falcon sensor folder. This is indicative of an attempt to tamper with Falcon sensor. Investigate the file system operation and process tree.
  • A process attempted to modify a registry key or value used by Falcon sensor. This is indicative of an attempt to tamper with Falcon sensor. Investigate the registry operation and process tree.
  • A process attempted to modify files used for Falcon sensor dynamic configuration. This is indicative of an attempt to tamper with Falcon sensor. Investigate the file system operation and process tree.
  • A process attempted to modify injected libraries used by Falcon sensor. This is indicative of an attempt to tamper with Falcon sensor. Investigate the file system operation and process tree.
  • A process attempted to uninstall the Falcon sensor in an unusual way. If this is unexpected, it might be an adversary trying to disable the Falcon sensor. Review the process tree.
  • A process gathered information about the operating system or hardware. Adversaries can use this to identify system vulnerabilities. Review the process tree.
  • A process launched that shares characteristics with mimikatz, a password dumping utility. mimikatz's primary purpose is to steal passwords. If credentials were dumped, change your passwords and investigate the process tree.
  • A process loaded a module associated with known malware. Malware might have hijacked a benign process and loaded the malicious module to evade detection. Review the DLLs the process loaded.
  • A process loaded a module that shares characteristics with a known malicious file. Review the modules loaded by the process.
  • A process monitored keystrokes using the SetWindowsHook API. Adversaries often use this to intercept passwords and other sensitive information. Review the process tree.
  • A script launched from a location associated with a remote administration tool (RAT). RATs often blend in with other benign applications and might be used by adversaries to remotely control the host. Review the script.
  • A suspicious process appears to be issuing commands indicative of VM or Sandbox checks. If this activity is unexpected, review the process tree.
  • A suspicious process launched that might be related to a malicious file. If this activity is unexpected, review the file.
  • An IP Address matched a Custom Intelligence Indicator (Custom IOC) with critical severity.
  • An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.
  • An unexpected process ran svchost.exe. Adversaries can masquerade malware as a system process to evade detection. Review the executable.
  • An unusual process accessed lsass. This might indicate an attempt to dump credentials. Investigate the process tree.
  • Detected and blocked a heap spray attempt, which was likely part of an attempted exploit.
  • Mshta attempted to launch a likely malicious payload from a remote path. Review the command line.
  • Rundll32 has likely been abused by malware to launch a malicious payload. While the rundll32 process is benign, the DLL file it's loading is likely malicious. Review the file loaded by rundll32.
  • This file is classified as Adware/PUP based on its SHA256 hash.
  • This file meets the Adware/PUP Anti-malware ML algorithm's low-confidence threshold.
  • This file meets the Adware/PUP Anti-malware ML algorithm's lowest-confidence threshold.
  • This file meets the Adware/PUP algorithm's high-confidence threshold.
  • This file meets the Adware/PUP algorithm's lowest-confidence threshold.
  • This file meets the Behavioral Analysis ML algorithm's lowest-confidence threshold for malware. It might be malicious and/or part of an adversary's toolkit. Review the file.
  • This file meets the File Analysis ML algorithm's high-confidence threshold for malware.
  • This file meets the File Analysis ML algorithm's lowest-confidence threshold for malware.
  • This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.
  • This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.
  • This file meets the machine learning-based on-sensor AV protection's lowest-confidence threshold for malicious files.
  • This file meets the machine learning-based on-sensor AV protection's medium confidence threshold for malicious files.
  • This file written to disk meets the Behavioral Analysis ML algorithm's lowest-confidence threshold for malware. It might be malicious and/or part of an adversary's toolkit. Review the file.
  • Your IOC management action for this SHA256 hash is set to detect and/or block.

InsightIDR Support

I want to contribute data from Rapid7's InsightIDR product; however, it's not necessarily a true EDR. It doesn't block/prevent, but it creates detections and generates all the same kind of telemetry in a SIEM. Is this something that would be accepted on the project?

MDE

A few things. This is a really neat table.

For Microsoft, MDE does consume the IMPHASH as telemetry, but it's not made available for inspection to the end user/admin/consumer. This is not publicly documented, as far as I could find. However, Defender AV clearly has this documented as something it uses for inspection, specifically when cloud-based protection is enabled (reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission?view=o365-worldwide).
[image]

File Open: MDE does log file open in certain scenarios, see the example below:
[image]
The above screen cap is without Purview integration. Purview DLP is the solution from Microsoft for tracking file opens, copies, etc., and MDE integrates with it (reference: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/common-questions-on-microsoft-purview-data-loss-prevention-for/ba-p/3732610).

Agent State is tracked via the Agent Health in the Device Inventory and on the Device pages (ref: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/check-sensor-status?view=o365-worldwide).

Agent Keep Alive is reflected via the First Seen and Last Seen properties on the device page (ref: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/machines-view-overview?view=o365-worldwide).

The agent also logs detailed status to the Event Logs (ref: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/event-error-codes?view=o365-worldwide).

BITS transfer: arguably, https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/PowerShell%20downloads.yaml. I would have to poke around and see whether non-PowerShell-initiated transfers would show, either in the telemetry or in Advanced Hunting.

MDE also integrates with Intel's TDT (hardware integration): https://www.intel.com/content/www/us/en/architecture-and-technology/vpro/hardware-shield/threat-detection-technology.html

More verbose explanation of capability values in README.md

Hi there,

Would it be possible to add a more verbose description of what the values a capability can take mean?

I.e., I was about to create a pull request changing the "network activity > url" value for MDE to "partially", as the relevant network events logged by MDE don't reliably populate the URL field. It sometimes only contains a domain, or trims the URL parameters compared to what is logged on a proxy at the same time.

That's when I realized that I was unsure whether this would fulfil the criteria for "partially", or if the events simply being present, in whatever quality, is already enough to qualify for "implemented".

Similarly, I was unsure about the following: MDE allows seeing BITS jobs activity in the ProcessEventsTable and NetworkEventsTable, but doesn't have something specifically dedicated. Would that be regarded as "partially" or still "not implemented"? Btw, it should be "bits jobs" in the JSON, not "bit jobs" 😉.

cheers,
hrun

Add Wazuh!

Please add Wazuh to this list, it is an open source EDR/XDR....

CrowdStrike Pipe Connection & Pipe Creation

I think there might be an issue with Pipe Connection and Pipe Creation on the CrowdStrike field.

From reading the CrowdStrike docs, I can see that there is an event field called SmbClientNamedPipeConnectEtw:
"An event that indicates when a machine connects to a remote SMB (Server Message Block) named pipe. The event contains the pattern id of the associated indicator and is supported on all Windows platforms except 8.1 and Server 2012 R2. Captured using the ETW consumer."

CrowdStrike also has NamedPipeDetectInfo, which has a NamedPipeOperationType field that can be:

  1. Create
  2. Open
  3. Impersonate

MDE correction

File Renaming is captured as an ActionType under DeviceFileEvents

Defender for Endpoint data

Looks like Defender for Endpoint telemetry information is missing.

I can help get some stuff started based on what is available through Advanced Hunting. There may be additional data available in the device timeline, as pointed out by Olaf Hartong, and potentially other sources locally. But I could at least provide a place to start if you don't mind having some fields with ❓ for a while.

Enhancement request - shell commands

I think it could be helpful to know if an EDR captures shell commands/history. In particular, native shell commands don't spawn new processes, so most EDRs won't naturally see them.

Color blindness

Can you use colors and/or monikers that make it easier to tell who has what? :) To some of us, reds/greens are not great to use for this. Standard black Y/N/P/? (yes/no/partial/unknown) would work too. Pink/red/orange are hard to tell apart for my colleagues. :) Love the repo!

Possible Enhancement request

This is super cool and useful, thanks for sharing. One possible awesome contribution would be to know the isolation capabilities of these tools, i.e. can you remotely isolate affected systems? Understood this list is more related to the telemetry output from the different tools, but it would be cool to know some other capabilities the tools have and be able to benchmark them. Another step could be to include the DFIR capabilities of the tools, but I understand this would need significant research and testing. Just throwing ideas out there. Great project, thanks again!

Telemetry spoofing protection

I love this project, but for me it lacks the telemetry protection information.
In SigmaHQ you can find many rules: "eventlog clear", "ETW disable/tamper", ....

A long time ago I added phant0m to atomic-red-team to test this.

Could there be one or more checkboxes for telemetry manipulation detection?
Thanks

Console logs category

Is it possible to add a "console" category for logs generated through actions performed on the EDR console? This category could include:

  • User login attempts: Successful/Failed
  • Remote Commands/Shell executed on endpoint agents by logged-in users
  • User management: creation, modification, and deletion
  • MFA operations: enabling and disabling

DNS queries for Crowdstrike

I am collecting telemetry data in Splunk for CrowdStrike, and I have "vertex_type=domain"; it should include DNS queries (even with the sampling).

Mappings to MITRE ATT&CK Data Sources/Components

Not sure how you want to integrate, but sharing some notes on potential mappings:

Process Activity = https://attack.mitre.org/datasources/DS0009/
Process Creation = https://attack.mitre.org/datasources/DS0009/#Process%20Creation
Process Termination = https://attack.mitre.org/datasources/DS0009/#Process%20Termination
Process Access = https://attack.mitre.org/datasources/DS0009/#Process%20Access
Image/Library Loaded = https://attack.mitre.org/datasources/DS0011/#Module%20Load
Remote Thread Creation = partially https://attack.mitre.org/datasources/DS0009/#OS%20API%20Execution & https://attack.mitre.org/datasources/DS0009/#Process%20Access (? 🤷 )
Process Tampering Activity = https://attack.mitre.org/datasources/DS0009/#Process%20Modification

File Manipulation = https://attack.mitre.org/datasources/DS0022/
File Creation = https://attack.mitre.org/datasources/DS0022/#File%20Creation
File Opened = https://attack.mitre.org/datasources/DS0022/#File%20Access
File Deletion = https://attack.mitre.org/datasources/DS0022/#File%20Deletion
File Modification = https://attack.mitre.org/datasources/DS0022/#File%20Modification
File Renaming = https://attack.mitre.org/datasources/DS0022/#File%20Modification

User Account Activity = https://attack.mitre.org/datasources/DS0002/
Local Account Creation = https://attack.mitre.org/datasources/DS0002/#User%20Account%20Creation
Local Account Modification = https://attack.mitre.org/datasources/DS0002/#User%20Account%20Modification
Local Account Deletion = https://attack.mitre.org/datasources/DS0002/#User%20Account%20Deletion
Account Login = https://attack.mitre.org/datasources/DS0002/#User%20Account%20Authentication + https://attack.mitre.org/datasources/DS0028/#Logon%20Session%20Creation
Account Logoff = [null]

Network Activity = https://attack.mitre.org/datasources/DS0029/
TCP Connection = https://attack.mitre.org/datasources/DS0029/#Network%20Connection%20Creation
UDP Connection = https://attack.mitre.org/datasources/DS0029/#Network%20Connection%20Creation
URL = https://attack.mitre.org/datasources/DS0029/#Network%20Traffic%20Content (? 🤷)
DNS Query = https://attack.mitre.org/datasources/DS0029/#Network%20Traffic%20Content (? 🤷)
File Downloaded = https://attack.mitre.org/datasources/DS0029/#Network%20Traffic%20Content + https://attack.mitre.org/datasources/DS0022/#File%20Creation (? 🤷)

Hash Algorithms = https://attack.mitre.org/datasources/DS0022/#File%20Metadata (? 🤷)
MD5 = https://attack.mitre.org/datasources/DS0022/#File%20Metadata (? 🤷)
SHA = https://attack.mitre.org/datasources/DS0022/#File%20Metadata (? 🤷)
IMPHASH = https://attack.mitre.org/datasources/DS0022/#File%20Metadata (? 🤷)

Registry Activity = https://attack.mitre.org/datasources/DS0024/
Key/Value Creation = https://attack.mitre.org/datasources/DS0024/#Windows%20Registry%20Key%20Creation
Key/Value Modification = https://attack.mitre.org/datasources/DS0024/#Windows%20Registry%20Key%20Modification
Key/Value Deletion = https://attack.mitre.org/datasources/DS0024/#Windows%20Registry%20Key%20Deletion

Schedule Task Activity = https://attack.mitre.org/datasources/DS0003/
Scheduled Task Creation = https://attack.mitre.org/datasources/DS0003/#Scheduled%20Job%20Creation
Scheduled Task Modification = https://attack.mitre.org/datasources/DS0003/#Scheduled%20Job%20Modification
Scheduled Task Deletion = https://attack.mitre.org/datasources/DS0003/#Scheduled%20Job%20Modification (? 🤷)

Service Activity = https://attack.mitre.org/datasources/DS0019/
Service Creation = https://attack.mitre.org/datasources/DS0019/#Service%20Creation
Service Modification = https://attack.mitre.org/datasources/DS0019/#Service%20Modification
Service Deletion = https://attack.mitre.org/datasources/DS0019/#Service%20Modification (? 🤷)

Driver/Module Activity = https://attack.mitre.org/datasources/DS0027/
Driver Loaded = https://attack.mitre.org/datasources/DS0027/#Driver%20Load
Driver Modification = https://attack.mitre.org/datasources/DS0022/#File%20Modification (? 🤷)
Driver Unloaded = [null]

Device Operations = https://attack.mitre.org/datasources/DS0016/
Virtual Disk Mount = https://attack.mitre.org/datasources/DS0016/#Drive%20Creation
USB Device Unmount = https://attack.mitre.org/datasources/DS0016/#Drive%20Creation
USB Device Mount = https://attack.mitre.org/datasources/DS0016/#Drive%20Creation

Other Relevant Events
Group Policy Modification = https://attack.mitre.org/datasources/DS0026/#Active%20Directory%20Object%20Modification (? 🤷)

Named Pipe Activity = https://attack.mitre.org/datasources/DS0023/
Pipe Creation = https://attack.mitre.org/datasources/DS0023/#Named%20Pipe%20Metadata (? 🤷)
Pipe Connection = https://attack.mitre.org/datasources/DS0023/#Named%20Pipe%20Metadata (? 🤷)

EDR SysOps = https://attack.mitre.org/datasources/DS0013/
Agent Start = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
Agent Stop = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
Agent Install = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
Agent Uninstall = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
Agent Tampering = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
Agent Keep-Alive = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
Agent Errors = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)

WMI Activity = https://attack.mitre.org/datasources/DS0005/
WmiEventConsumerToFilter = https://attack.mitre.org/datasources/DS0005/#WMI%20Creation
WmiEventConsumer = https://attack.mitre.org/datasources/DS0005/#WMI%20Creation
WmiEventFilter = https://attack.mitre.org/datasources/DS0005/#WMI%20Creation

BIT JOBS Activity = [null]

PowerShell Activity = https://attack.mitre.org/datasources/DS0012/ + https://attack.mitre.org/datasources/DS0017/
Script-Block Activity = https://attack.mitre.org/datasources/DS0012/#Script%20Execution

File Opened - Crowdstrike

Hello,

Regarding CrowdStrike telemetry, some events are generated only when the EDR detects suspicious behavior in the same process tree (the FileOpenInfo event related to the File Opened operation, for example).

This does not mean that the box should be red, but it may be useful to note when a condition is necessary for the generation of the event.

Linux Telemetry Section

It would be good to break out Windows vs. Linux telemetry for EDR, as the two platforms have very different coverage needs. Linux coverage can cover process attacks like Windows. However, it also has a lot of non-process-based data that needs good telemetry to detect attacks.

I'd propose as a starting point these high-level categories for telemetry type data:

  • Processes (process activity, creation times, owners, binary data, network activity, etc.)
  • Files (general coverage for file attributes, creation times, owners, hashes, entropy, etc.)
  • Directories (general directory coverage for attributes like files above, etc.)
  • Logs (syslog, utmp, btmp, wtmp, lastlog, log data, etc.)
  • Users (accounts, passwords, SSH keys, login activity, etc.)
  • Kernel (kernel modules, status, etc.)
  • Systemd (services, lingering processes, general systemd units)
  • Scheduled Tasks (cron/at/systemd running, owners, etc.)

Mapping to MITRE ATT&CK

Wanted to see if there were any thoughts about mapping to MITRE ATT&CK, as it would be a great map across the industry and usable at scale. If there's been work on this done privately, I'd be interested to assist or work with it.

[Feature Request] - Telemetry-generator - Check for an existing installation of Invoke-AtomicRedTeam

First, thanks for all the hard work on this project.

For v0.2 of telemetry-generator.ps1, would it be possible to add a check for whether Invoke-AtomicRedTeam is already installed?
It could work something like this:

...
# Function that checks if Invoke-AtomicRedTeam is already installed.
# Invoke-AtomicTest is the module's main cmdlet, so resolving it is
# enough to prove the module is present and loadable.
function Check-ARTInstalled {
    try {
        # -ErrorAction Stop turns the "not found" error into a terminating
        # exception so the catch block below is reached.
        Get-Command Invoke-AtomicTest -ErrorAction Stop | Out-Null
        return $true
    }
    catch {
        return $false
    }
}
...
# Install Invoke-Atomic if not already installed
if (-not (Check-ARTInstalled)) {
    Install-ART
}
...

Thanks again!
