diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 7e28ee25aa57..d33b48af9e73 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -523,6 +523,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fill `event.provider`. {pull}13937[13937]
 - Add support for user management events to the Security module. {pull}13530[13530]
 - GA the Winlogbeat `sysmon` module. {pull}14326[14326]
+- Add support for event ID 4688 & 4689 (Process create & exit) to the Security module. {issue}14038[14038]
 
 ==== Deprecated
 
diff --git a/winlogbeat/docs/modules/security.asciidoc b/winlogbeat/docs/modules/security.asciidoc
index 295a0aedd23a..a0fc158e2b15 100644
--- a/winlogbeat/docs/modules/security.asciidoc
+++ b/winlogbeat/docs/modules/security.asciidoc
@@ -14,6 +14,8 @@ The module has transformations for the following event IDs:
 * 4647 - User initiated logoff (interactive logon types).
 * 4648 - A logon was attempted using explicit credentials.
 * 4672 - Special privileges assigned to new logon.
+* 4688 - A new process has been created.
+* 4689 - A process has exited.
 * 4720 - A user account was created.
 * 4722 - A user account was enabled.
 * 4723 - An attempt was made to change an account's password.
diff --git a/x-pack/winlogbeat/module/security/_meta/docs.asciidoc b/x-pack/winlogbeat/module/security/_meta/docs.asciidoc
index 295a0aedd23a..a0fc158e2b15 100644
--- a/x-pack/winlogbeat/module/security/_meta/docs.asciidoc
+++ b/x-pack/winlogbeat/module/security/_meta/docs.asciidoc
@@ -14,6 +14,8 @@ The module has transformations for the following event IDs:
 * 4647 - User initiated logoff (interactive logon types).
 * 4648 - A logon was attempted using explicit credentials.
 * 4672 - Special privileges assigned to new logon.
+* 4688 - A new process has been created.
+* 4689 - A process has exited.
 * 4720 - A user account was created.
 * 4722 - A user account was enabled.
 * 4723 - An attempt was made to change an account's password.
diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
index d5305e7f3f25..6a8dda197de3 100644
--- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
+++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
@@ -24,6 +24,8 @@ var security = (function () {
 "4625": "logon-failed",
 "4634": "logged-out",
 "4672": "logged-in-special",
+"4688": "created-process",
+"4689": "exited-process",
 "4720": "added-user-account",
 "4722": "enabled-user-account",
 "4723": "changed-password",
@@ -1192,6 +1194,49 @@ var security = (function () {
 target: "",
 });
 
+var renameNewProcessFields = new processor.Chain()
+.Convert({
+fields: [
+{from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"},
+{from: "winlog.event_data.NewProcessName", to: "process.executable"},
+{from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"}
+],
+mode: "rename",
+ignore_missing: true,
+fail_on_error: false,
+})
+.Add(function(evt) {
+var name = evt.Get("process.name");
+if (name) {
+return;
+}
+var exe = evt.Get("process.executable");
+if (!exe) {
+return;
+}
+evt.Put("process.name", path.basename(exe));
+})
+.Add(function(evt) {
+var name = evt.Get("process.parent.name");
+if (name) {
+return;
+}
+var exe = evt.Get("process.parent.executable");
+if (!exe) {
+return;
+}
+evt.Put("process.parent.name", path.basename(exe));
+})
+.Add(function(evt) {
+var cl = evt.Get("winlog.event_data.CommandLine");
+if (!cl) {
+return;
+}
+evt.Put("process.args", winlogbeat.splitCommandLine(cl));
+evt.Put("process.command_line", cl);
+})
+.Build();
+
 // Handles 4634 and 4647.
 var logoff = new processor.Chain()
 .Add(copyTargetUser)
@@ -1235,6 +1280,26 @@ var security = (function () {
 .Add(addActionDesc)
 .Build();
 
+var event4688 = new processor.Chain()
+.Add(copySubjectUser)
+.Add(renameNewProcessFields)
+.Add(addActionDesc)
+.Add(function(evt) {
+evt.Put("event.category", "process");
+evt.Put("event.type", "process_start");
+})
+.Build();
+
+var event4689 = new processor.Chain()
+.Add(copySubjectUser)
+.Add(renameCommonAuthFields)
+.Add(addActionDesc)
+.Add(function(evt) {
+evt.Put("event.category", "process");
+evt.Put("event.type", "process_end");
+})
+.Build();
+
 var userMgmtEvts = new processor.Chain()
 .Add(copyTargetUser)
 .Add(copySubjectUserLogonId)
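Review bot: The Convert list in renameNewProcessFields maps the new process id and both executables but drops the creator's PID, so `winlog.event_data.ProcessId` (the "Creator Process ID" of the 4688 message) stays a hex string under event_data and `process.parent` ends up with executable and name but no pid, as the 4688 golden file shows. Adding `{from: "winlog.event_data.ProcessId", to: "process.parent.pid", type: "long"}` to the fields array would complete the parent entry with the same hex-to-long conversion NewProcessId already gets. The 4688 Target Subject fields (`TargetUserSid` and friends) and `TokenElevationType` are likewise left only in event_data; if that is intentional, a comment on the chain saying so would help, since the target subject is what identifies a process started under a different account than the creator. The enclosing `var security = (function () {` IIFE starts and ends outside the hunk.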
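Review bot: event4689 reuses renameCommonAuthFields and never touches `winlog.event_data.Status`, so the exit status (`"Status": "0x0"` in the 4689 golden file) is not surfaced on any ECS process field; either a `{from: "winlog.event_data.Status", to: "process.exit_code", type: "long"}` mapping (if the ECS version in use defines process.exit_code) or a comment stating that the exit status is deliberately left in event_data would make the chain's contract explicit. The two closures that set event.category/event.type differ only in the type string; a helper such as `function setProcessEventType(type) { return function(evt) { evt.Put("event.category", "process"); evt.Put("event.type", type); }; }` used as `.Add(setProcessEventType("process_end"))` would remove the duplication. renameCommonAuthFields is defined outside the hunk, so which ProcessId/ProcessName fields it renames for 4689 cannot be confirmed here.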
@@ -1267,6 +1332,12 @@ var security = (function () {
 // 4672 - Special privileges assigned to new logon.
 4672: event4672.Run,
 
+// 4688 - A new process has been created.
+4688: event4688.Run,
+
+// 4689 - A process has exited.
+4689: event4689.Run,
+
 // 4720 - A user account was created
 4720: userMgmtEvts.Run,
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx
new file mode 100644
index 000000000000..7fbf06c41a95
Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx differ
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json
new file mode 100644
index 000000000000..96a209580909
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json
@@ -0,0 +1,73 @@ +[ + { + "@timestamp": "2019-11-14T17:10:15.1515514Z", + "event": { + "action": "created-process", + "category": "process", + "code": 4688, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing", + "type": "process_start" + }, + "log": { + "level": "information" + }, + "message": "A new process has been created.\n\nCreator Subject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274A2\n\nTarget Subject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nProcess Information:\n\tNew Process ID:\t\t0x11cc\n\tNew Process Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tToken Elevation Type:\t%%1937\n\tMandatory Label:\t\tS-1-16-12288\n\tCreator Process ID:\t0x122c\n\tCreator Process Name:\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n\tProcess Command Line:\t\"C:\\Windows\\system32\\wevtutil.exe\" cl Security\n\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\n\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\n\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\n\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.", + "process": { + "args": [ + "C:\\Windows\\system32\\wevtutil.exe", + "cl", + "Security" + ], + "command_line": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security", + "executable": "C:\\Windows\\System32\\wevtutil.exe", + "name": "wevtutil.exe", + "parent": { + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "name": "powershell.exe" + }, + "pid": 4556 + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant", + "event_data": { + "CommandLine": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security", + "MandatoryLabel": "S-1-16-12288", + "ProcessId": "0x122c", + "SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274a2", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "TargetDomainName": "-", + "TargetLogonId": "0x0", + "TargetUserName": "-", + "TargetUserSid": "S-1-0-0", + "TokenElevationType": "%%1937" + }, + "event_id": 4688, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 4, + "thread": { + "id": 5076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 5010, + "task": "Process Creation", + "version": 2 + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.evtx b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.evtx new file mode 100644 index 000000000000..57d3f17c2af9 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.evtx.golden.json new file mode 100644 index 000000000000..9be0fd765ca5 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.evtx.golden.json 
@@ -0,0 +1,161 @@ +[ + { + "@timestamp": "2019-11-14T21:26:49.4961966Z", + "event": { + "action": "exited-process", + "category": "process", + "code": 4689, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing", + "type": "process_end" + }, + "log": { + "level": "information" + }, + "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274A2\n\nProcess Information:\n\tProcess ID:\t0x1524\n\tProcess Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tExit Status:\t0x0", + "process": { + "executable": "C:\\Windows\\System32\\wevtutil.exe", + "name": "wevtutil.exe", + "pid": 5412 + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant", + "event_data": { + "Status": "0x0", + "SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274a2", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000" + }, + "event_id": 4689, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 4, + "thread": { + "id": 1168 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 7538, + "task": "Process Termination" + } + }, + { + "@timestamp": "2019-11-14T21:27:46.9609089Z", + "event": { + "action": "exited-process", + "category": "process", + "code": 4689, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing", + "type": "process_end" + }, + "log": { + "level": "information" + }, + "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon 
ID:\t\t0x274F1\n\nProcess Information:\n\tProcess ID:\t0xf94\n\tProcess Name:\tC:\\Windows\\System32\\taskhostw.exe\n\tExit Status:\t0x0", + "process": { + "executable": "C:\\Windows\\System32\\taskhostw.exe", + "name": "taskhostw.exe", + "pid": 3988 + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant", + "event_data": { + "Status": "0x0", + "SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274f1", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000" + }, + "event_id": 4689, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 4, + "thread": { + "id": 500 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 7542, + "task": "Process Termination" + } + }, + { + "@timestamp": "2019-11-14T21:28:18.4605129Z", + "event": { + "action": "exited-process", + "category": "process", + "code": 4689, + "kind": "event", + "module": "security", + "provider": "Microsoft-Windows-Security-Auditing", + "type": "process_end" + }, + "log": { + "level": "information" + }, + "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274A2\n\nProcess Information:\n\tProcess ID:\t0xac8\n\tProcess Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tExit Status:\t0x0", + "process": { + "executable": "C:\\Windows\\System32\\wevtutil.exe", + "name": "wevtutil.exe", + "pid": 2760 + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant", + "event_data": { + "Status": "0x0", + 
"SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274a2", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000" + }, + "event_id": 4689, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 4, + "thread": { + "id": 5636 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 7544, + "task": "Process Termination" + } + } +] \ No newline at end of file