plaso
Add new rules in tag_windows.txt to application_execution tag
One line description of pull request
Add new rules in data/tag_windows.txt to the "application_execution" tag.
Description:
Add new rules in data/tag_windows.txt to the "application_execution" tag:
- Event "Microsoft-Windows-Program-Compatibility-Assistant" ID 17:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Program-Compatibility-Assistant" Guid="{}"/>
<EventID>17</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2020-07-03T09:12:24.307780200Z"/>
<EventRecordID>2</EventRecordID>
<Correlation/>
<Execution ProcessID="992" ThreadID="3588"/>
<Channel>Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant</Channel>
<Computer>...</Computer>
<Security UserID="S-1-5-18"/>
</System>
<UserData>
<ResolverFiredEvent xmlns="http://www.microsoft.com/Windows/Diagnosis/PCA/events">
<ExePath>C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</ExePath>
<ResolverName>WrpMitigation</ResolverName>
</ResolverFiredEvent>
</UserData>
</Event>
- Event "Microsoft-Windows-Security-Auditing" ID 4673:
- https://learn.microsoft.com/fr-fr/windows/security/threat-protection/auditing/event-4673
- Event "Microsoft-Windows-Security-Auditing" ID 4798 & 4799:
- https://learn.microsoft.com/fr-fr/windows/security/threat-protection/auditing/event-4798
- https://learn.microsoft.com/fr-fr/windows/security/threat-protection/auditing/event-4799
- https://resources.infosecinstitute.com/topic/advance-persistent-threat-lateral-movement-detection-windows-infrastructure-part/#:~:text=Event%20ID%20%E2%80%93%204799%3A%20Local%20group,is%20generated%20for%20the%20same.
- Event Sysmon ID 1:
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-1-process-creation
- Event "Microsoft-Windows-Application-Experience" ID 500 & 505:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Application-Experience" Guid="{}"/>
<EventID>500</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x0800000000000000</Keywords>
<TimeCreated SystemTime="2018-02-15T12:09:42.471850900Z"/>
<EventRecordID>55</EventRecordID>
<Correlation/>
<Execution ProcessID="10352" ThreadID="9632"/>
<Channel>Microsoft-Windows-Application-Experience/Program-Telemetry</Channel>
<Computer>example</Computer>
<Security UserID="S-1-5-20"/>
</System>
<UserData>
<CompatibilityFixEvent xmlns="http://www.microsoft.com/Windows/Diagnosis/PCA/events">
<ProcessId>10352</ProcessId>
<StartTime>2018-02-15T12:09:42.466668000Z</StartTime>
<FixID>{}</FixID>
<Flags>0x00040102</Flags>
<ExePath>C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{}\MPSigStub.exe</ExePath>
<FixName>RunAsInvoker</FixName>
</CompatibilityFixEvent>
</UserData>
</Event>
{
  "Event": {
    "System": {
      "Channel": "Microsoft-Windows-Application-Experience/Program-Telemetry",
      "Computer": "example",
      "Correlation": {},
      "EventID": "505",
      "EventRecordID": "51",
      "Execution": {"ProcessID": "4596", "ThreadID": "5488"},
      "Keywords": "0x800000000000000",
      "Level": "4",
      "Opcode": "0",
      "Provider": {"Guid": "", "Name": "Microsoft-Windows-Application-Experience"},
      "Security": {"UserID": "S-1-5-18"},
      "Task": "0",
      "TimeCreated": {"SystemTime": "2020-01-13T14:59:48.5438676Z"},
      "Version": "0"
    },
    "UserData": {
      "CompatibilityFixEvent": {
        "ExePath": "E:\\jdk1.6.0_18\\bin\\java.exe",
        "FixID": "",
        "FixName": "010 Legacy Registry Entries (User Compat Flags)",
        "Flags": "0x80010101",
        "ProcessId": "4596",
        "StartTime": "2020-01-13T14:59:48.4979961Z",
        "xmlns": "http://www.microsoft.com/Windows/Diagnosis/PCA/events"
      }
    }
  }
}
- Events extracted by the plaso parser with data_type 'windows:srum:application_usage'
- Events extracted by the plaso parser with data_type 'windows:registry:amcache'
- Events extracted by the plaso parser with data_type 'windows:timeline:user_engaged'
Registry key paths:
- '\Compatibility Assistant\Store': https://techcommunity.microsoft.com/t5/ask-the-performance-team/the-program-compatibility-assistant-part-two/ba-p/372543
- '\Explorer\FeatureUsage\AppSwitched': https://www.crowdstrike.com/blog/how-to-employ-featureusage-for-windows-10-taskbar-forensics/
- '\Explorer\FeatureUsage\AppLaunch': https://www.crowdstrike.com/blog/how-to-employ-featureusage-for-windows-10-taskbar-forensics/
- '\Explorer\FeatureUsage\AppBadgeUpdated': https://www.crowdstrike.com/blog/how-to-employ-featureusage-for-windows-10-taskbar-forensics/
- '\Explorer\FeatureUsage\ShowJumpView': https://www.crowdstrike.com/blog/how-to-employ-featureusage-for-windows-10-taskbar-forensics/
- '\Search\RecentApps\': https://andreafortuna.org/2018/05/23/forensic-artifacts-evidences-of-program-execution-on-windows-systems/
- '\Services\bam\UserSettings\': https://andreafortuna.org/2018/05/23/forensic-artifacts-evidences-of-program-execution-on-windows-systems/
- 'WinClient\SoftwareMonitoring\MonitorLog\': Ivanti's "Softmon.exe" monitors every executable that is launched and logs it in the registry
- 'Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\': http://windowsir.blogspot.com/2011/09/registry-stuff.html
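As an added illustration (not code from this PR or from plaso itself), the following Python mimics the rule set the description lists: the provider/event-ID pairs and the registry key path fragments that map to application_execution, applied to a constructed copy of the PCA event 17 record quoted above. The Sysmon provider name "Microsoft-Windows-Sysmon" and the plain case-insensitive substring match are assumptions of this example, not plaso's event-filter semantics.

```python
import xml.etree.ElementTree as ET
EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
PCA_NS = "{http://www.microsoft.com/Windows/Diagnosis/PCA/events}"

# Provider -> event identifiers the PR routes to application_execution.
EXECUTION_EVENTS = {
    "Microsoft-Windows-Program-Compatibility-Assistant": {17},
    "Microsoft-Windows-Security-Auditing": {4673, 4798, 4799},
    "Microsoft-Windows-Sysmon": {1},  # provider name assumed; the PR says "sysmon id 1"
    "Microsoft-Windows-Application-Experience": {500, 505},
}
# Registry key path fragments listed in the PR, matched case-insensitively.
EXECUTION_KEY_PATHS = (
    "\\Compatibility Assistant\\Store",
    "\\Explorer\\FeatureUsage\\AppSwitched",
    "\\Explorer\\FeatureUsage\\AppLaunch",
    "\\Explorer\\FeatureUsage\\AppBadgeUpdated",
    "\\Explorer\\FeatureUsage\\ShowJumpView",
    "\\Search\\RecentApps\\",
    "\\Services\\bam\\UserSettings\\",
    "WinClient\\SoftwareMonitoring\\MonitorLog\\",
    "Microsoft\\RADAR\\HeapLeakDetection\\DiagnosedApplications\\",
)
# Constructed sample, trimmed from the PCA event 17 record quoted in the PR.
SAMPLE_PCA_EVENT = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<Provider Name="Microsoft-Windows-Program-Compatibility-Assistant"/>'
    '<EventID>17</EventID></System><UserData>'
    '<ResolverFiredEvent xmlns="http://www.microsoft.com/Windows/Diagnosis/PCA/events">'
    '<ExePath>C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe</ExePath>'
    '<ResolverName>WrpMitigation</ResolverName></ResolverFiredEvent></UserData></Event>'
)

def parse_evtx_xml(xml_text):
    """Return (provider, event_id, exe_path) from a Windows event XML record."""
    root = ET.fromstring(xml_text)
    system = root.find(EVT_NS + "System")
    provider = system.find(EVT_NS + "Provider").get("Name")
    event_id = int(system.find(EVT_NS + "EventID").text)
    exe = root.find(".//" + PCA_NS + "ExePath")  # only PCA payloads carry ExePath
    return provider, event_id, (exe.text if exe is not None else None)

def tag_evtx_record(provider, event_id):
    """Provider/ID pair listed above -> application_execution, else no tag."""
    return {"application_execution"} if event_id in EXECUTION_EVENTS.get(provider, ()) else set()

def tag_registry_key(key_path):
    """Any listed key path fragment inside the path -> application_execution."""
    upper = key_path.upper()
    return {"application_execution"} if any(f.upper() in upper for f in EXECUTION_KEY_PATHS) else set()
```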
Notes:
All contributions to Plaso undergo code review. This makes sure that the code has appropriate test coverage and conforms to the Plaso style guide.
One of the maintainers will examine your code, and may request changes. Check off the items below in order, and then a maintainer will review your code.
Checklist:
- [ ] Automated checks (Travis, Codecov, Codefactor) pass
- [ ] No new dependencies are required or l2tdevtools has been updated
- [ ] Reviewer assigned
@lprat FYI tests are failing due to an issue flagged by the linter
tests/data/tag_windows.py:275:171: E0001: (unicode error) 'unicodeescape' codec can't decode bytes in position 113-114: truncated \xXX escape (<unknown>, line 275) (syntax-error)
Codecov Report
Base: 85.77% // Head: 85.71% // Decreases project coverage by -0.05% :warning:
Coverage data is based on head (737a960) compared to base (aa36de5). Patch has no changes to coverable lines.
Additional details and impacted files
@@ Coverage Diff @@
## main #4376 +/- ##
==========================================
- Coverage 85.77% 85.71% -0.06%
==========================================
Files 413 413
Lines 35449 35430 -19
==========================================
- Hits 30407 30370 -37
- Misses 5042 5060 +18
| Impacted Files | Coverage Δ | |
|---|---|---|
| plaso/parsers/text_plugins/ios_logd.py | 88.33% <0.00%> (-3.34%) | :arrow_down: |
| plaso/parsers/text_plugins/sophos_av.py | 83.60% <0.00%> (-3.28%) | :arrow_down: |
| plaso/parsers/text_plugins/selinux.py | 89.06% <0.00%> (-3.13%) | :arrow_down: |
| plaso/parsers/text_plugins/xchatscrollback.py | 89.06% <0.00%> (-3.13%) | :arrow_down: |
| plaso/parsers/text_plugins/dpkg.py | 87.69% <0.00%> (-3.08%) | :arrow_down: |
| plaso/single_process/extraction_engine.py | 76.25% <0.00%> (-2.92%) | :arrow_down: |
| plaso/parsers/text_plugins/aws_elb_access.py | 95.26% <0.00%> (-2.70%) | :arrow_down: |
| plaso/parsers/text_plugins/setupapi.py | 93.50% <0.00%> (-2.60%) | :arrow_down: |
| plaso/parsers/text_plugins/interface.py | 85.71% <0.00%> (-2.53%) | :arrow_down: |
| plaso/parsers/text_plugins/snort_fastlog.py | 93.97% <0.00%> (-2.41%) | :arrow_down: |
| ... and 56 more | | |
Sorry for all the corrections! I hope it's good for you?
@lprat no worries, take your time. I'll try to have a look tomorrow, when time permits.