Update Hayabusa ruleset

.github/workflows/test.yml

@@ -25,7 +25,7 @@ jobs:
       with:
         repository: velocidex/velociraptor
         tag: v0.72
-        fileName: "*v0.72.0-linux-amd64"
+        fileName: "velociraptor-v0.72.4-linux-amd64-musl"
         out-file-path: tests
 
     - name: Run tests

rejected/windows_hayabusa_rejects.json

@@ -1,5 +1,9 @@
 {
  "Rejects": [
+  {
+   "Path": "hayabusa/hayabusa/builtin/Crypto-DPAPI_Debug/CryptoDPAPI_16385_Info_DPAPI-Access.yml",
+   "Error": "Missing Source: '*/windows/*'"
+  },
   {
    "Path": "hayabusa/hayabusa/builtin/Partition_Diagnostic/PartitionDiagnostic_1006_Info_DeviceConn.yml",
    "Error": "Missing Source: '*/windows/*'"
@@ -18,12 +22,20 @@
   },
   {
    "Path": "hayabusa/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Cnt.yml",
-   "Error": "yaml: unmarshal errors:\n  line 29: cannot unmarshal !!str `https:/...` into []string"
+   "Error": "yaml: unmarshal errors:\n  line 28: cannot unmarshal !!str `https:/...` into []string"
   },
   {
    "Path": "hayabusa/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4648_Med_ExplicitLogon_PW-Spray_Cnt.yml",
    "Error": "yaml: unmarshal errors:\n  line 27: cannot unmarshal !!str `https:/...` into []string"
   },
+  {
+   "Path": "hayabusa/hayabusa/builtin/TerminalServices-Gateway_Op/RDS_Gateway_Disconnect.yml",
+   "Error": "Missing Source: '*/windows/*'"
+  },
+  {
+   "Path": "hayabusa/hayabusa/builtin/TerminalServices-Gateway_Op/RDS_Gateway_Logon.yml",
+   "Error": "Missing Source: '*/windows/*'"
+  },
   {
    "Path": "hayabusa/hayabusa/builtin/TerminalServices-RDPClient_Op/RDP-Client_1024_Info_ConnAttempt.yml",
    "Error": "Missing Source: '*/windows/*'"
@@ -52,10 +64,6 @@
    "Path": "hayabusa/hayabusa/builtin/WinRM_Op/WinRM_6_Info_SessCreated.yml",
    "Error": "Missing Source: '*/windows/*'"
   },
-  {
-   "Path": "hayabusa/hayabusa/sysmon/Sysmon_1_Info_ProcExec.yml",
-   "Error": "yaml: unmarshal errors:\n  line 32: mapping key \"sample-evtx\" already defined at line 29"
-  },
   {
    "Path": "hayabusa/hayabusa/sysmon/Sysmon_1_Low_ExeFileRenamed.yml",
    "Error": "Invalid modifier endswithfield"

src/logsources.go

@@ -374,6 +374,7 @@ var valid_modifiers = map[string]bool{
 	"vql":          true,
 	"base64":       true,
 	"base64offset": true,
+	"windash":      true,
 }
 
 func (self *CompilerContext) check_modifiers(

tests/testcases/hayabusa_windows.out.yaml

@@ -51,6 +51,71 @@ LET temp <= tempdir()[]LET _ <= copy(filename=testDir + "/test_files/EVTX-ATTACK
   },
   "_Source": "Windows.Hayabusa.Rules"
  },
+ {
+  "Timestamp": "2019-04-30T22:48:59.260851144Z",
+  "Computer": "IEWIN7",
+  "Channel": "Microsoft-Windows-Sysmon/Operational",
+  "EID": 1,
+  "Level": "informational",
+  "Title": "Proc Exec",
+  "RecordID": 10148,
+  "Details": "Cmdline: C:\\Windows\\system32\\vssvc.exe ¦ Proc: C:\\Windows\\System32\\VSSVC.exe ¦ User: NT AUTHORITY\\SYSTEM ¦ ParentCmdline: C:\\Windows\\system32\\services.exe ¦ LID: 999 ¦ LGUID: LogonGuid ¦ PID: 1892 ¦ PGUID: 365ABB72-D0DB-5CC8-0000-0010488A3C00 ¦ ParentPID: 464 ¦ ParentPGUID: ParentProcessGuid ¦ Description: Microsoft® Volume Shadow Copy Service ¦ Product: Microsoft® Windows® Operating System ¦ Company: Microsoft Corporation ¦ Hashes: SHA1=99894AEF71D9D3527F392CD71F66571110593876,MD5=209A3B1901B83AEB8527ED211CCE9E4C,SHA256=1A431F6409F8E0531F600F8F988ECECECB902DA26BBAAF1DE74A5CAC29A7CB44,IMPHASH=212B2417B4778F3EE9DE3F60458E953F",
+  "_Event": {
+   "System": {
+    "Provider": {
+     "Name": "Microsoft-Windows-Sysmon",
+     "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+    },
+    "EventID": {
+     "Value": 1
+    },
+    "Version": 5,
+    "Level": 4,
+    "Task": 1,
+    "Opcode": 0,
+    "Keywords": 9223372036854775808,
+    "TimeCreated": {
+     "SystemTime": 1556664539.2608511
+    },
+    "EventRecordID": 10148,
+    "Correlation": {},
+    "Execution": {
+     "ProcessID": 1936,
+     "ThreadID": 1644
+    },
+    "Channel": "Microsoft-Windows-Sysmon/Operational",
+    "Computer": "IEWIN7",
+    "Security": {
+     "UserID": "S-1-5-18"
+    }
+   },
+   "EventData": {
+    "RuleName": "",
+    "UtcTime": "2019-04-30 22:48:59.151",
+    "ProcessGuid": "365ABB72-D0DB-5CC8-0000-0010488A3C00",
+    "ProcessId": 1892,
+    "Image": "C:\\Windows\\System32\\VSSVC.exe",
+    "FileVersion": "6.1.7600.16385 (win7_rtm.090713-1255)",
+    "Description": "Microsoft® Volume Shadow Copy Service",
+    "Product": "Microsoft® Windows® Operating System",
+    "Company": "Microsoft Corporation",
+    "CommandLine": "C:\\Windows\\system32\\vssvc.exe",
+    "CurrentDirectory": "C:\\Windows\\system32\\",
+    "User": "NT AUTHORITY\\SYSTEM",
+    "LogonGuid": "365ABB72-4322-5CC9-0000-0020E7030000",
+    "LogonId": 999,
+    "TerminalSessionId": 0,
+    "IntegrityLevel": "System",
+    "Hashes": "SHA1=99894AEF71D9D3527F392CD71F66571110593876,MD5=209A3B1901B83AEB8527ED211CCE9E4C,SHA256=1A431F6409F8E0531F600F8F988ECECECB902DA26BBAAF1DE74A5CAC29A7CB44,IMPHASH=212B2417B4778F3EE9DE3F60458E953F",
+    "ParentProcessGuid": "365ABB72-4321-5CC9-0000-001070530000",
+    "ParentProcessId": 464,
+    "ParentImage": "C:\\Windows\\System32\\services.exe",
+    "ParentCommandLine": "C:\\Windows\\system32\\services.exe"
+   },
+   "Message": ""
+  },
+  "_Source": "Windows.Hayabusa.Rules"
+ },
  {
   "Timestamp": "2019-04-30T22:49:08.760851144Z",
   "Computer": "IEWIN7",
@@ -220,6 +285,71 @@ LET temp <= tempdir()[]LET _ <= copy(filename=testDir + "/test_files/EVTX-ATTACK
   },
   "_Source": "Windows.Hayabusa.Rules"
  },
+ {
+  "Timestamp": "2019-04-30T22:49:09.760851144Z",
+  "Computer": "IEWIN7",
+  "Channel": "Microsoft-Windows-Sysmon/Operational",
+  "EID": 1,
+  "Level": "informational",
+  "Title": "Proc Exec",
+  "RecordID": 10151,
+  "Details": "Cmdline: \"C:\\Windows\\Installer\\MSI4FFD.tmp\" ¦ Proc: C:\\Windows\\Installer\\MSI4FFD.tmp ¦ User: IEWIN7\\IEUser ¦ ParentCmdline: C:\\Windows\\system32\\msiexec.exe /V ¦ LID: 65508 ¦ LGUID: LogonGuid ¦ PID: 3680 ¦ PGUID: 365ABB72-D0E4-5CC8-0000-00103CB73E00 ¦ ParentPID: 2080 ¦ ParentPGUID: ParentProcessGuid ¦ Description: ApacheBench command line utility ¦ Product: Apache HTTP Server ¦ Company: Apache Software Foundation ¦ Hashes: SHA1=06B1640F88EDC6A7CE3303CB14A505A86B061616,MD5=E40CF1CC132F25719F86F0FC5870910D,SHA256=A89385CCD4BE489CD069C65DA10A0B952CB3DE9090EF4C9F02E1368392CD66C5,IMPHASH=481F47BBB2C9C21E108D65F52B04C448",
+  "_Event": {
+   "System": {
+    "Provider": {
+     "Name": "Microsoft-Windows-Sysmon",
+     "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+    },
+    "EventID": {
+     "Value": 1
+    },
+    "Version": 5,
+    "Level": 4,
+    "Task": 1,
+    "Opcode": 0,
+    "Keywords": 9223372036854775808,
+    "TimeCreated": {
+     "SystemTime": 1556664549.7608511
+    },
+    "EventRecordID": 10151,
+    "Correlation": {},
+    "Execution": {
+     "ProcessID": 1936,
+     "ThreadID": 1644
+    },
+    "Channel": "Microsoft-Windows-Sysmon/Operational",
+    "Computer": "IEWIN7",
+    "Security": {
+     "UserID": "S-1-5-18"
+    }
+   },
+   "EventData": {
+    "RuleName": "",
+    "UtcTime": "2019-04-30 22:49:08.604",
+    "ProcessGuid": "365ABB72-D0E4-5CC8-0000-00103CB73E00",
+    "ProcessId": 3680,
+    "Image": "C:\\Windows\\Installer\\MSI4FFD.tmp",
+    "FileVersion": "2.2.14",
+    "Description": "ApacheBench command line utility",
+    "Product": "Apache HTTP Server",
+    "Company": "Apache Software Foundation",
+    "CommandLine": "\"C:\\Windows\\Installer\\MSI4FFD.tmp\"",
+    "CurrentDirectory": "C:\\Windows\\system32\\",
+    "User": "IEWIN7\\IEUser",
+    "LogonGuid": "365ABB72-C494-5CC8-0000-0020E4FF0000",
+    "LogonId": 65508,
+    "TerminalSessionId": 1,
+    "IntegrityLevel": "High",
+    "Hashes": "SHA1=06B1640F88EDC6A7CE3303CB14A505A86B061616,MD5=E40CF1CC132F25719F86F0FC5870910D,SHA256=A89385CCD4BE489CD069C65DA10A0B952CB3DE9090EF4C9F02E1368392CD66C5,IMPHASH=481F47BBB2C9C21E108D65F52B04C448",
+    "ParentProcessGuid": "365ABB72-D0DA-5CC8-0000-0010216F3C00",
+    "ParentProcessId": 2080,
+    "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
+    "ParentCommandLine": "C:\\Windows\\system32\\msiexec.exe /V"
+   },
+   "Message": ""
+  },
+  "_Source": "Windows.Hayabusa.Rules"
+ },
  {
   "Timestamp": "2019-04-30T22:49:09.792100906Z",
   "Computer": "IEWIN7",
@@ -278,6 +408,71 @@ LET temp <= tempdir()[]LET _ <= copy(filename=testDir + "/test_files/EVTX-ATTACK
   },
   "_Source": "Windows.Hayabusa.Rules"
  },
+ {
+  "Timestamp": "2019-04-30T22:49:10.198350429Z",
+  "Computer": "IEWIN7",
+  "Channel": "Microsoft-Windows-Sysmon/Operational",
+  "EID": 1,
+  "Level": "informational",
+  "Title": "Proc Exec",
+  "RecordID": 10153,
+  "Details": "Cmdline: cmd ¦ Proc: C:\\Windows\\System32\\cmd.exe ¦ User: IEWIN7\\IEUser ¦ ParentCmdline: \"C:\\Windows\\Installer\\MSI4FFD.tmp\" ¦ LID: 65508 ¦ LGUID: LogonGuid ¦ PID: 2892 ¦ PGUID: 365ABB72-D0E5-5CC8-0000-0010DADF3E00 ¦ ParentPID: 3680 ¦ ParentPGUID: ParentProcessGuid ¦ Description: Windows Command Processor ¦ Product: Microsoft® Windows® Operating System ¦ Company: Microsoft Corporation ¦ Hashes: SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163",
+  "_Event": {
+   "System": {
+    "Provider": {
+     "Name": "Microsoft-Windows-Sysmon",
+     "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+    },
+    "EventID": {
+     "Value": 1
+    },
+    "Version": 5,
+    "Level": 4,
+    "Task": 1,
+    "Opcode": 0,
+    "Keywords": 9223372036854775808,
+    "TimeCreated": {
+     "SystemTime": 1556664550.1983504
+    },
+    "EventRecordID": 10153,
+    "Correlation": {},
+    "Execution": {
+     "ProcessID": 1936,
+     "ThreadID": 1644
+    },
+    "Channel": "Microsoft-Windows-Sysmon/Operational",
+    "Computer": "IEWIN7",
+    "Security": {
+     "UserID": "S-1-5-18"
+    }
+   },
+   "EventData": {
+    "RuleName": "",
+    "UtcTime": "2019-04-30 22:49:09.276",
+    "ProcessGuid": "365ABB72-D0E5-5CC8-0000-0010DADF3E00",
+    "ProcessId": 2892,
+    "Image": "C:\\Windows\\System32\\cmd.exe",
+    "FileVersion": "6.1.7601.17514 (win7sp1_rtm.101119-1850)",
+    "Description": "Windows Command Processor",
+    "Product": "Microsoft® Windows® Operating System",
+    "Company": "Microsoft Corporation",
+    "CommandLine": "cmd",
+    "CurrentDirectory": "C:\\Windows\\system32\\",
+    "User": "IEWIN7\\IEUser",
+    "LogonGuid": "365ABB72-C494-5CC8-0000-0020E4FF0000",
+    "LogonId": 65508,
+    "TerminalSessionId": 1,
+    "IntegrityLevel": "High",
+    "Hashes": "SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163",
+    "ParentProcessGuid": "365ABB72-D0E4-5CC8-0000-00103CB73E00",
+    "ParentProcessId": 3680,
+    "ParentImage": "C:\\Windows\\Installer\\MSI4FFD.tmp",
+    "ParentCommandLine": "\"C:\\Windows\\Installer\\MSI4FFD.tmp\""
+   },
+   "Message": ""
+  },
+  "_Source": "Windows.Hayabusa.Rules"
+ },
  {
   "Timestamp": "2019-04-30T22:49:10.198350429Z",
   "Computer": "IEWIN7",
@@ -343,6 +538,71 @@ LET temp <= tempdir()[]LET _ <= copy(filename=testDir + "/test_files/EVTX-ATTACK
   },
   "_Source": "Windows.Hayabusa.Rules"
  },
+ {
+  "Timestamp": "2019-04-30T22:52:27.588975906Z",
+  "Computer": "IEWIN7",
+  "Channel": "Microsoft-Windows-Sysmon/Operational",
+  "EID": 1,
+  "Level": "informational",
+  "Title": "Proc Exec",
+  "RecordID": 10154,
+  "Details": "Cmdline: whoami ¦ Proc: C:\\Windows\\System32\\whoami.exe ¦ User: IEWIN7\\IEUser ¦ ParentCmdline: cmd ¦ LID: 65508 ¦ LGUID: LogonGuid ¦ PID: 1372 ¦ PGUID: 365ABB72-D1AB-5CC8-0000-0010DB1E4400 ¦ ParentPID: 2892 ¦ ParentPGUID: ParentProcessGuid ¦ Description: whoami - displays logged on user information ¦ Product: Microsoft® Windows® Operating System ¦ Company: Microsoft Corporation ¦ Hashes: SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274",
+  "_Event": {
+   "System": {
+    "Provider": {
+     "Name": "Microsoft-Windows-Sysmon",
+     "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+    },
+    "EventID": {
+     "Value": 1
+    },
+    "Version": 5,
+    "Level": 4,
+    "Task": 1,
+    "Opcode": 0,
+    "Keywords": 9223372036854775808,
+    "TimeCreated": {
+     "SystemTime": 1556664747.588976
+    },
+    "EventRecordID": 10154,
+    "Correlation": {},
+    "Execution": {
+     "ProcessID": 1936,
+     "ThreadID": 1644
+    },
+    "Channel": "Microsoft-Windows-Sysmon/Operational",
+    "Computer": "IEWIN7",
+    "Security": {
+     "UserID": "S-1-5-18"
+    }
+   },
+   "EventData": {
+    "RuleName": "",
+    "UtcTime": "2019-04-30 22:52:27.588",
+    "ProcessGuid": "365ABB72-D1AB-5CC8-0000-0010DB1E4400",
+    "ProcessId": 1372,
+    "Image": "C:\\Windows\\System32\\whoami.exe",
+    "FileVersion": "6.1.7600.16385 (win7_rtm.090713-1255)",
+    "Description": "whoami - displays logged on user information",
+    "Product": "Microsoft® Windows® Operating System",
+    "Company": "Microsoft Corporation",
+    "CommandLine": "whoami",
+    "CurrentDirectory": "C:\\Windows\\system32\\",
+    "User": "IEWIN7\\IEUser",
+    "LogonGuid": "365ABB72-C494-5CC8-0000-0020E4FF0000",
+    "LogonId": 65508,
+    "TerminalSessionId": 1,
+    "IntegrityLevel": "High",
+    "Hashes": "SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274",
+    "ParentProcessGuid": "365ABB72-D0E5-5CC8-0000-0010DADF3E00",
+    "ParentProcessId": 2892,
+    "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+    "ParentCommandLine": "cmd"
+   },
+   "Message": ""
+  },
+  "_Source": "Windows.Hayabusa.Rules"
+ },
  {
   "Timestamp": "2019-04-30T22:52:27.588975906Z",
   "Computer": "IEWIN7",