diff --git a/enrichments/EN_0002_enrich_sysmon_event_id_1_with_parent_info.yml b/enrichments/EN_0002_enrich_sysmon_event_id_1_with_parent_info.yml new file mode 100644 index 0000000..346efe3 --- /dev/null +++ b/enrichments/EN_0002_enrich_sysmon_event_id_1_with_parent_info.yml @@ -0,0 +1,47 @@ +title: EN_0002_enrich_sysmon_event_id_1_with_parent_info +description: > + Enrich Sysmon Event ID 1 (Process Create) with Parent Integrity Level, + Parent User and Parent of Parent Image fields. +references: + - https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment +author: Teymur Kheirkhabarov +requirements: + - EN_0001_cache_sysmon_event_id_1_info +new_fields: + - event_data.ParentIntegrityLevel + - event_data.ParentUser + - event_data.ParentOfParentImage +config: | + We can use Logstash to enrich Sysmon Event ID 1 with data cached in Memcached. + Here is the config example: + + ``` + filter { + # Get previously cached information about parent process from cache to enrich process creation events (event id 1) + if [source_name] == "Microsoft-Windows-Sysmon" and [event_id] == 1 and [event_data][ParentProcessGuid] { + # Enrich event with additional information about process + memcached { + # get info from cache + hosts => ["127.0.0.1:11211"] + get => { + "%{computer_name}_%{[event_data][ParentProcessGuid]}" => "[@metadata][processinfo]" + } + } + if [@metadata][processinfo] { + kv { + source => "[@metadata][processinfo]" + target => "[@metadata][processinfo]" + field_split => "," + value_split => "=" + } + if [@metadata][processinfo][ParentImage] { + mutate { + add_field => { "[event_data][ParentIntegrityLevel]" => "%{[@metadata][processinfo][IntegrityLevel]}" } + add_field => { "[event_data][ParentUser]" => "%{[@metadata][processinfo][User]}" } + add_field => { "[event_data][ParentOfParentImage]" => "%{[@metadata][processinfo][ParentImage]}" } + } + } + } + } + } + ```