[Security Solution] User can make Exceptions for Memory protection alerts (elastic#102196) (elastic#105397)

Co-authored-by: Esteban Beltran <[email protected]>
kibanamachine and academo authored Jul 13, 2021
1 parent 182fd89 commit 0bec0e0
Showing 10 changed files with 643 additions and 49 deletions.
33 changes: 33 additions & 0 deletions x-pack/plugins/security_solution/common/ecs/file/index.ts
Expand Up @@ -14,9 +14,42 @@ export interface CodeSignature {
subject_name: string[];
trusted: string[];
}

export interface Token {
integrity_level_name: string;
}

export interface MemoryPe {
imphash?: string;
}

export interface StartAddressDetails {
allocation_base?: number;
allocation_protection?: string;
allocation_size?: number;
allocation_type?: string;
bytes_address?: number;
bytes_allocation_offset?: number;
bytes_compressed?: string;
bytes_compressed_present?: string;
mapped_path?: string;
mapped_pe_detected?: boolean;
memory_pe_detected?: boolean;
region_base?: number;
region_protection?: string;
region_size?: number;
region_state?: string;
strings?: string;
memory_pe?: MemoryPe;
}

export interface Ext {
code_signature?: CodeSignature[] | CodeSignature;
original?: Original;
token?: Token;
start_address_allocation_offset?: number;
start_address_bytes_disasm_hash?: string;
start_address_details?: StartAddressDetails;
}
export interface Hash {
md5?: string[];
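Review bot: `bytes_compressed_present?: string` in the new `StartAddressDetails` reads like a flag but is typed as a string, while its siblings `mapped_pe_detected` and `memory_pe_detected` are `boolean`; if the endpoint really emits a string here, a one-line comment saying so would stop the next reader from "fixing" it. `memory_pe?: MemoryPe` is also the only field out of the otherwise alphabetical order — move it after `mapped_pe_detected`. None of the four new interfaces carries a TSDoc line; `StartAddressDetails` at least deserves one, e.g. `/** Region metadata for a thread start address, attached under process.thread.Ext on memory-protection alerts. */`, since that is where the generator in this commit populates it.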
5 changes: 5 additions & 0 deletions x-pack/plugins/security_solution/common/ecs/index.ts
Expand Up @@ -30,6 +30,8 @@ import { ProcessEcs } from './process';
import { SystemEcs } from './system';
import { ThreatEcs } from './threat';
import { Ransomware } from './ransomware';
import { MemoryProtection } from './memory_protection';
import { Target } from './target_type';

export interface Ecs {
_id: string;
Expand Down Expand Up @@ -63,4 +65,7 @@ export interface Ecs {
// This should be temporary
eql?: { parentId: string; sequenceNumber: string };
Ransomware?: Ransomware;
// eslint-disable-next-line @typescript-eslint/naming-convention
Memory_protection?: MemoryProtection;
Target?: Target;
}
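Review bot: The `eslint-disable-next-line` above `Memory_protection?: MemoryProtection;` gives no reason, whereas the same field added to `AlertEvent` in common/endpoint/types/index.ts in this commit carries `// disabling naming-convention to accommodate external field`. Mirror that comment here so the capitalised name is recognisably an external field name rather than an oversight. The enclosing `Ecs` interface starts outside this hunk.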
@@ -0,0 +1,13 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export interface MemoryProtection {
cross_session?: boolean;
feature?: string;
parent_to_child?: boolean;
self_injection?: boolean;
unique_key_v1?: string;
}
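Review bot: The license header runs straight into `export interface MemoryProtection` with no blank line, unlike the new target_type/index.ts in the same commit; add the blank line for consistency. The interface is undocumented; a TSDoc line such as `/** Endpoint memory-protection fields on an alert; `feature` values seen in generate_data.ts are 'signature' and 'shellcode_thread'. */` would tell a reader where these come from. This is the full new file, so nothing is cut off.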
Expand Up @@ -37,4 +37,5 @@ export interface ProcessParentData {
export interface Thread {
id?: number[];
start?: string[];
Ext?: Ext;
}
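--- a/x-pack/plugins/security_solution/common/ecs/target_type/index.ts
+++ b/x-pack/plugins/security_solution/common/ecs/target_type/index.ts
@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { ProcessEcs } from '../process';
+
+export interface Target {
+process: ProcessEcs;
+}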
221 changes: 194 additions & 27 deletions x-pack/plugins/security_solution/common/endpoint/generate_data.ts
Expand Up @@ -7,6 +7,7 @@

import uuid from 'uuid';
import seedrandom from 'seedrandom';
import { assertNever } from '@kbn/std';
import {
AlertEvent,
DataStream,
Expand Down Expand Up @@ -387,6 +388,12 @@ const eventsDefaultDataStream = {
namespace: 'default',
};

enum AlertTypes {
MALWARE = 'MALWARE',
MEMORY_SIGNATURE = 'MEMORY_SIGNATURE',
MEMORY_SHELLCODE = 'MEMORY_SHELLCODE',
}

const alertsDefaultDataStream = {
type: 'logs',
dataset: 'endpoint.alerts',
Expand Down Expand Up @@ -509,16 +516,15 @@ export class EndpointDocGenerator extends BaseDataGenerator {
data_stream: metadataDataStream,
};
}

/**
* Creates an alert from the simulated host represented by this EndpointDocGenerator
* Creates a malware alert from the simulated host represented by this EndpointDocGenerator
* @param ts - Timestamp to put in the event
* @param entityID - entityID of the originating process
* @param parentEntityID - optional entityID of the parent process, if it exists
* @param ancestry - an array of ancestors for the generated alert
* @param alertsDataStream the values to populate the data_stream fields when generating alert documents
*/
public generateAlert({
public generateMalwareAlert({
ts = new Date().getTime(),
entityID = this.randomString(10),
parentEntityID,
Expand Down Expand Up @@ -619,37 +625,198 @@ export class EndpointDocGenerator extends BaseDataGenerator {
},
},
},
dll: [
{
pe: {
architecture: 'x64',
dll: this.getAlertsDefaultDll(),
};
}

/**
* Creates a memory alert from the simulated host represented by this EndpointDocGenerator
* @param ts - Timestamp to put in the event
* @param entityID - entityID of the originating process
* @param parentEntityID - optional entityID of the parent process, if it exists
* @param ancestry - an array of ancestors for the generated alert
* @param alertsDataStream the values to populate the data_stream fields when generating alert documents
*/
public generateMemoryAlert({
ts = new Date().getTime(),
entityID = this.randomString(10),
parentEntityID,
ancestry = [],
alertsDataStream = alertsDefaultDataStream,
alertType,
}: {
ts?: number;
entityID?: string;
parentEntityID?: string;
ancestry?: string[];
alertsDataStream?: DataStream;
alertType?: AlertTypes;
} = {}): AlertEvent {
const processName = this.randomProcessName();
const isShellcode = alertType === AlertTypes.MEMORY_SHELLCODE;
const newAlert: AlertEvent = {
...this.commonInfo,
data_stream: alertsDataStream,
'@timestamp': ts,
ecs: {
version: '1.6.0',
},
// disabling naming-convention to accommodate external field
// eslint-disable-next-line @typescript-eslint/naming-convention
Memory_protection: {
feature: isShellcode ? 'shellcode_thread' : 'signature',
self_injection: true,
},
event: {
action: 'start',
kind: 'alert',
category: 'malware',
code: isShellcode ? 'malicious_thread' : 'memory_signature',
id: this.seededUUIDv4(),
dataset: 'endpoint',
module: 'endpoint',
type: 'info',
sequence: this.sequence++,
},
file: {},
process: {
pid: 2,
name: processName,
start: ts,
uptime: 0,
entity_id: entityID,
executable: `C:/fake/${processName}`,
parent: parentEntityID ? { entity_id: parentEntityID, pid: 1 } : undefined,
hash: {
md5: 'fake md5',
sha1: 'fake sha1',
sha256: 'fake sha256',
},
Ext: {
ancestry,
code_signature: [
{
trusted: false,
subject_name: 'bad signer',
},
],
user: 'SYSTEM',
token: {
integrity_level_name: 'high',
},
code_signature: {
subject_name: 'Cybereason Inc',
trusted: true,
malware_signature: {
all_names: 'Windows.Trojan.FakeAgent',
identifier: 'diagnostic-malware-signature-v1-fake',
},
},
},
dll: this.getAlertsDefaultDll(),
};

hash: {
md5: '1f2d082566b0fc5f2c238a5180db7451',
sha1: 'ca85243c0af6a6471bdaa560685c51eefd6dbc0d',
sha256: '8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2',
// shellcode_thread memory alert have an additional process field
if (isShellcode) {
newAlert.Target = {
process: {
thread: {
Ext: {
start_address_allocation_offset: 0,
start_address_bytes_disasm_hash: 'a disam hash',
start_address_details: {
allocation_type: 'PRIVATE',
allocation_size: 4000,
region_size: 4000,
region_protection: 'RWX',
memory_pe: {
imphash: 'a hash',
},
},
},
},
},
};
}
return newAlert;
}
/**
* Creates an alert from the simulated host represented by this EndpointDocGenerator
* @param ts - Timestamp to put in the event
* @param entityID - entityID of the originating process
* @param parentEntityID - optional entityID of the parent process, if it exists
* @param ancestry - an array of ancestors for the generated alert
* @param alertsDataStream the values to populate the data_stream fields when generating alert documents
*/
public generateAlert({
ts = new Date().getTime(),
entityID = this.randomString(10),
parentEntityID,
ancestry = [],
alertsDataStream = alertsDefaultDataStream,
}: {
ts?: number;
entityID?: string;
parentEntityID?: string;
ancestry?: string[];
alertsDataStream?: DataStream;
} = {}): AlertEvent {
const alertType = this.randomChoice(Object.values(AlertTypes));
switch (alertType) {
case AlertTypes.MALWARE:
return this.generateMalwareAlert({
ts,
entityID,
parentEntityID,
ancestry,
alertsDataStream,
});
case AlertTypes.MEMORY_SIGNATURE:
case AlertTypes.MEMORY_SHELLCODE:
return this.generateMemoryAlert({
ts,
entityID,
parentEntityID,
ancestry,
alertsDataStream,
alertType,
});
default:
return assertNever(alertType);
}
}

path: 'C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe',
Ext: {
compile_time: 1534424710,
mapped_address: 5362483200,
mapped_size: 0,
malware_classification: {
identifier: 'Whitelisted',
score: 0,
threshold: 0,
version: '3.0.0',
},
/**
* Returns the default DLLs used in alerts
*/
private getAlertsDefaultDll() {
return [
{
pe: {
architecture: 'x64',
},
code_signature: {
subject_name: 'Cybereason Inc',
trusted: true,
},

hash: {
md5: '1f2d082566b0fc5f2c238a5180db7451',
sha1: 'ca85243c0af6a6471bdaa560685c51eefd6dbc0d',
sha256: '8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2',
},

path: 'C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe',
Ext: {
compile_time: 1534424710,
mapped_address: 5362483200,
mapped_size: 0,
malware_classification: {
identifier: 'Whitelisted',
score: 0,
threshold: 0,
version: '3.0.0',
},
},
],
};
},
];
}

/**
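Review bot: `generateMemoryAlert` accepts `alertType?: AlertTypes`, so a caller passing `AlertTypes.MALWARE` silently gets a memory-signature alert because only `MEMORY_SHELLCODE` is checked; narrowing the parameter to `alertType?: AlertTypes.MEMORY_SIGNATURE | AlertTypes.MEMORY_SHELLCODE;` makes the misuse a compile error. The method's TSDoc also omits the new parameter; add `@param alertType - MEMORY_SIGNATURE (default) or MEMORY_SHELLCODE; shellcode alerts additionally get a Target.process.thread.Ext block`. The `generateAlert` TSDoc is unchanged although the method now picks one of `AlertTypes` via `this.randomChoice` and delegates, so note that callers needing a specific kind should call `generateMalwareAlert`/`generateMemoryAlert` directly. This hunk opens inside `generateMalwareAlert`, whose start is outside it.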
29 changes: 29 additions & 0 deletions x-pack/plugins/security_solution/common/endpoint/types/index.ts
Expand Up @@ -295,6 +295,31 @@ export type AlertEvent = Partial<{
}>;
}>;
}>;
// disabling naming-convention to accommodate external field
// eslint-disable-next-line @typescript-eslint/naming-convention
Memory_protection: Partial<{
feature: ECSField<string>;
self_injection: ECSField<boolean>;
}>;
Target: Partial<{
process: Partial<{
thread: Partial<{
Ext: Partial<{
start_address_allocation_offset: ECSField<number>;
start_address_bytes_disasm_hash: ECSField<string>;
start_address_details: Partial<{
allocation_type: ECSField<string>;
allocation_size: ECSField<number>;
region_size: ECSField<number>;
region_protection: ECSField<string>;
memory_pe: Partial<{
imphash: ECSField<string>;
}>;
}>;
}>;
}>;
}>;
}>;
process: Partial<{
command_line: ECSField<string>;
ppid: ECSField<number>;
Expand Down Expand Up @@ -328,6 +353,10 @@ export type AlertEvent = Partial<{
>;
}>;
user: ECSField<string>;
malware_signature: Partial<{
all_names: ECSField<string>;
identifier: ECSField<string>;
}>;
}>;
}>;
file: Partial<{
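Review bot: `AlertEvent.Memory_protection` declares only `feature` and `self_injection`, while the `MemoryProtection` interface added in common/ecs/memory_protection/index.ts by the same commit also has `cross_session`, `parent_to_child` and `unique_key_v1`; two hand-maintained copies of one external shape will drift. Since the `ECSField` wrapping prevents a direct `Pick`, at least add `// subset of MemoryProtection (common/ecs/memory_protection); keep in sync` above it, and the same for `Target.process.thread.Ext.start_address_details` against `StartAddressDetails` in common/ecs/file. The enclosing `AlertEvent` type starts and ends outside the hunk.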

