Skip to content

Instantly share code, notes, and snippets.

@manurautela

manurautela/kernel_and_user_trace_001.cpp

Created October 5, 2021 15:09
Show Gist options
  • Save manurautela/1c5079dff426c338aa9e2fe6e3f8d0de to your computer and use it in GitHub Desktop.
Save manurautela/1c5079dff426c338aa9e2fe6e3f8d0de to your computer and use it in GitHub Desktop.
Download ZIP
krabs etw parse sysmon events
Raw
kernel_and_user_trace_001.cpp
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.
// This example shows how to use a user_trace and a kernel_trace in the same program.
#include <iostream>
#include <thread>
#include <condition_variable>
#include "..\..\krabs\krabs.hpp"
#include "examples.h"
#pragma warning(disable: 4505)
// Sysmon task id taken from manifest
#define SysmonProcessCreate 1
#define SysmonFilecreationtimechanged 2
#define SysmonNetworkconnectiondetected 3
#define Sysmonservicestatechanged 4
#define SysmonProcessterminated 5
#define SysmonDriverloaded 6
#define SysmonImageloaded 7
#define SysmonCreateRemoteThreaddetected 8
#define SysmonRawAccessReaddetected 9
#define SysmonProcessaccessed 10
#define SysmonFilecreated 11
#define SysmonRegistryobjectaddedordeleted 12
#define SysmonRegistryvalueset 13
#define SysmonRegistryobjectrenamed 14
#define SysmonFilestreamcreated 15
#define Sysmonconfigstatechanged 16
#define SysmonPipeCreated 17
#define SysmonPipeConnected 18
#define SysmonWmiEventFilteractivitydetected 19
#define SysmonWmiEventConsumeractivitydetected 20
#define SysmonWmiEventConsumerToFilteractivitydetected 21
#define SysmonDnsquery 22
#define SysmonFileDelete 23
#define SysmonClipboardchanged 24
#define SysmonProcessTampering 25
static void setup_ps_provider(krabs::provider<>& provider);
static void setup_image_load_provider(krabs::kernel::image_load_provider& provider);
static void setup_sysmon_provider(krabs::provider<>& provider);
static void set_trace_properties(krabs::user_trace& user) {
// Get system info to be used for calculating numbers for trace buffers
SYSTEM_INFO sysinfo;
GetSystemInfo(&sysinfo);
auto nr_processors = sysinfo.dwNumberOfProcessors;
// Create custom event properties to be used for trace session
EVENT_TRACE_PROPERTIES properties = {0};
properties.BufferSize = 1024;
properties.MinimumBuffers = nr_processors * 2 + 1;
properties.MaximumBuffers = properties.MinimumBuffers + 1;
properties.FlushTimer = 2;
properties.LogFileMode = EVENT_TRACE_REAL_TIME_MODE;
// Set trace properties
user.set_trace_properties(&properties);
}
static void diplay_trace_stats(krabs::user_trace& user) {
// Before stopping trace, let's dump some stats about the trace
krabs::trace_stats sysmon_trace_stats = user.query_stats();
std::cout << "***************** TRACE STATS ****************" << std::endl;
std::cout << "BuffersCount: " << sysmon_trace_stats.buffersCount << std::endl;
std::cout << "BuffersFree: " << sysmon_trace_stats.buffersFree << std::endl;
std::cout << "BuffersWritten: " << sysmon_trace_stats.buffersWritten << std::endl;
std::cout << "BuffersLost: " << sysmon_trace_stats.buffersLost << std::endl;
std::cout << "EventsTotal: " << sysmon_trace_stats.eventsTotal << std::endl;
std::cout << "EventsHandled: " << sysmon_trace_stats.eventsHandled << std::endl;
std::cout << "EventsLost: " << sysmon_trace_stats.eventsLost << std::endl;
std::cout << "***************** TRACE STATS ****************" << std::endl;
}
void kernel_and_user_trace_001::start()
{
// user_trace instances should be used for any non-kernel traces that are defined
// by components or programs in Windows. You can have multiple ETW traces in a given
// program but each trace object will consume one thread.
krabs::user_trace user;
krabs::kernel_trace kernel;
set_trace_properties(user);
// A trace can have any number of providers, which are identified by GUID or
// a specific trace name.
//
// The GUIDs are defined by the components that emit events, and their GUIDs can
// usually be found with various ETW tools (like wevutil or Microsoft Message Analyzer).
//krabs::provider<> ps_provider(krabs::guid(L"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}"));
//krabs::kernel::image_load_provider image_load_provider;
// Both GUID and provider name works
//krabs::provider<> sysmon_provider(krabs::guid(L"5770385f-c22a-43e0-bf4c-06f5698ffbd9"));
krabs::provider<> sysmon_provider(L"Microsoft-Windows-Sysmon");
//setup_ps_provider(ps_provider);
//setup_image_load_provider(image_load_provider);
setup_sysmon_provider(sysmon_provider);
// The user_trace needs to know about the provider that we've set up.
// You can assign multiple providers to a single trace.
//user.enable(ps_provider);
user.enable(sysmon_provider);
//kernel.enable(image_load_provider);
// Begin listening for events. This call blocks, so if you want to do other things
// while this runs, you'll need to call this on another thread.
//
// Additionally, if multiple threads are enabling providers with a single trace object,
// you'll need to synchronize the call to start. Because 'start' is a blocking call,
// it will prevent any other thread from enabling additional providers.
std::thread user_thread([&user]() { user.start(); });
//std::thread kernel_thread([&kernel]() { kernel.start(); });
// Let the traces process for 30 seconds.
std::cout << "starting traces..." << std::endl;
Sleep(10000);
std::cout << "stopping traces..." << std::endl;
diplay_trace_stats(user);
user.stop();
//kernel.stop();
user_thread.join();
//kernel_thread.join();
}
void setup_ps_provider(krabs::provider<>& provider)
{
// user_trace providers typically have any and all flags, whose meanings are
// unique to the specific providers that are being invoked. To understand these
// flags, you'll need to look to the ETW event producer.
provider.any(0xf0010000000003ff);
// providers should be wired up with functions (or functors) that are called when
// events from that provider are fired.
provider.add_on_event_callback([](const EVENT_RECORD &record, const krabs::trace_context &trace_context) {
// Once an event is received, if we want krabs to help us analyze it, we need
// to snap in a schema to ask it for information.
krabs::schema schema(record, trace_context.schema_locator);
// We then have the ability to ask a few questions of the event.
std::wcout << L"Event " << schema.event_id();
std::wcout << L"(" << schema.event_name() << L") received." << std::endl;
if (schema.event_id() == 7937) {
// The event we're interested in has a field that contains a bunch of
// info about what it's doing. We can snap in a parser to help us get
// the property information out.
krabs::parser parser(schema);
// We have to explicitly name the type that we're parsing in a template
// argument.
// We could alternatively use try_parse if we didn't want an exception to
// be thrown in the case of failure.
std::wstring context = parser.parse<std::wstring>(L"ContextInfo");
std::wcout << L"\tContext: " << context << std::endl;
}
});
}
void setup_image_load_provider(krabs::kernel::image_load_provider& provider)
{
// Kernel providers accept all the typical callback mechanisms.
provider.add_on_event_callback([](const EVENT_RECORD &record, const krabs::trace_context &trace_context) {
krabs::schema schema(record, trace_context.schema_locator);
// Opcodes can be found on the kernel provider's documentation:
// https://msdn.microsoft.com/en-us/library/windows/desktop/aa364068(v=vs.85).aspx
if (schema.event_opcode() == 10) {
krabs::parser parser(schema);
std::wstring filename = parser.parse<std::wstring>(L"FileName");
std::wcout << L"Loaded image from file " << filename << std::endl;
}
});
}
bool sysmon_parse_guid(krabs::parser& parser, const wchar_t* guid_name, UUID* guid_out) {
bool success = false;
krabs::binary property_bytes;
if (parser.try_parse<krabs::binary>(guid_name, property_bytes)) {
guid_out = (UUID*)(property_bytes.bytes().data());
success = true;
}
return success;
}
std::string guid_to_string(GUID* guid) {
char guid_string[37];
snprintf(
guid_string, sizeof(guid_string),
"%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
guid->Data1, guid->Data2, guid->Data3,
guid->Data4[0], guid->Data4[1], guid->Data4[2],
guid->Data4[3], guid->Data4[4], guid->Data4[5],
guid->Data4[6], guid->Data4[7]);
return std::string(guid_string);
}
void setup_sysmon_provider(krabs::provider<>& provider) {
// user_trace providers typically have any and all flags, whose meanings are
// unique to the specific providers that are being invoked. To understand these
// flags, you'll need to look to the ETW event producer.
//provider.any(0xf0010000000003ff);
provider.all(0x8000000000000000);
// providers should be wired up with functions (or functors) that are called when
// events from that provider are fired.
provider.add_on_event_callback([](const EVENT_RECORD& record, const krabs::trace_context& trace_context) {
// Once an event is received, if we want krabs to help us analyze it, we need
// to snap in a schema to ask it for information.
krabs::schema schema(record, trace_context.schema_locator);
// We then have the ability to ask a few questions of the event.
std::wcout << std::endl;
std::wcout << L"***************************************" << std::endl;
std::wcout << L"Event: " << schema.event_id() << std::endl;
std::wcout << L"provider: " << schema.provider_name() << std::endl;
std::wcout << L"task_name: " << schema.task_name() << std::endl;
std::wcout << L"opcode: " << schema.event_opcode() << std::endl;
std::wcout << L"opcode_name: " << schema.opcode_name() << std::endl;
switch (schema.event_id()) {
case SysmonProcessCreate:
{
// The event we're interested in has a field that contains a bunch of
// info about what it's doing. We can snap in a parser to help us get
// the property information out.
krabs::parser parser(schema);
// <template tid = "ProcessCreate(rule:ProcessCreate)Args_V5">
// <data name = "RuleName" inType = "win:UnicodeString" / >
// <data name = "UtcTime" inType = "win:UnicodeString" / >
// <data name = "ProcessGuid" inType = "win:GUID" / >
// <data name = "ProcessId" inType = "win:UInt32" / >
// <data name = "Image" inType = "win:UnicodeString" / >
// <data name = "FileVersion" inType = "win:UnicodeString" / >
// <data name = "Description" inType = "win:UnicodeString" / >
// <data name = "Product" inType = "win:UnicodeString" / >
// <data name = "Company" inType = "win:UnicodeString" / >
// <data name = "OriginalFileName" inType = "win:UnicodeString" / >
// <data name = "CommandLine" inType = "win:UnicodeString" / >
// <data name = "CurrentDirectory" inType = "win:UnicodeString" / >
// <data name = "User" inType = "win:UnicodeString" / >
// <data name = "LogonGuid" inType = "win:GUID" / >
// <data name = "LogonId" inType = "win:HexInt64" / >
// <data name = "TerminalSessionId" inType = "win:UInt32" / >
// <data name = "IntegrityLevel" inType = "win:UnicodeString" / >
// <data name = "Hashes" inType = "win:UnicodeString" / >
// <data name = "ParentProcessGuid" inType = "win:GUID" / >
// <data name = "ParentProcessId" inType = "win:UInt32" / >
// <data name = "ParentImage" inType = "win:UnicodeString" / >
// <data name = "ParentCommandLine" inType = "win:UnicodeString" / >
std::wstring RuleName = parser.parse<std::wstring>(L"RuleName");
std::wstring UtcTime = parser.parse<std::wstring>(L"UtcTime");
uint32_t ProcessId = parser.parse<uint32_t>(L"ProcessId");
std::wstring CommandLine = parser.parse<std::wstring>(L"CommandLine");
std::wstring Image = parser.parse<std::wstring>(L"Image");
std::wstring CurrentDirectory = parser.parse<std::wstring>(L"CurrentDirectory");
std::wstring User = parser.parse<std::wstring>(L"User");
std::wstring OriginalFileName = parser.parse<std::wstring>(L"OriginalFileName");
uint32_t TerminalSessionId = parser.parse<uint32_t>(L"TerminalSessionId");
std::wstring IntegrityLevel = parser.parse<std::wstring>(L"IntegrityLevel");
std::wstring Hashes = parser.parse<std::wstring>(L"Hashes");
uint32_t ParentProcessId = parser.parse<uint32_t>(L"ParentProcessId");
std::wstring ParentImage = parser.parse<std::wstring>(L"ParentImage");
std::wstring ParentCommandLine = parser.parse<std::wstring>(L"ParentCommandLine");
std::wcout << "RuleName: " << RuleName << std::endl;
std::wcout << "UtcTime: " << UtcTime << std::endl;
std::wcout << "ProcessId: " << ProcessId << std::endl;
std::wcout << "CommandLine: " << CommandLine << std::endl;
std::wcout << "Image: " << Image << std::endl;
std::wcout << "CurrentDirectory: " << CurrentDirectory << std::endl;
std::wcout << "User: " << User << std::endl;
std::wcout << "OriginalFileName: " << OriginalFileName << std::endl;
std::wcout << "TerminalSessionId: " << TerminalSessionId << std::endl;
std::wcout << "IntegrityLevel: " << IntegrityLevel << std::endl;
std::wcout << "Hashes: " << Hashes << std::endl;
std::wcout << "ParentProcessId: " << ParentProcessId << std::endl;
std::wcout << "ParentCommandLine: " << ParentCommandLine << std::endl;
UUID ProcessGuid;
PCWSTR ProcessGuidStr = L"ProcessGuid";
if (sysmon_parse_guid(parser, ProcessGuidStr, &ProcessGuid)) {
std::string guid_str = guid_to_string(&ProcessGuid);
std::cout << "ProcessGuid: " << guid_str << std::endl;
}
UUID LogonGuid;
PCWSTR LogonGuidStr = L"LogonGuid";
if (sysmon_parse_guid(parser, LogonGuidStr, &LogonGuid)) {
std::string guid_str = guid_to_string(&LogonGuid);
std::cout << "LogonGuid: " << guid_str << std::endl;
}
UUID ParentProcessGuid;
PCWSTR ParentProcessGuidStr = L"ParentProcessGuid";
if (sysmon_parse_guid(parser, ParentProcessGuidStr, &ParentProcessGuid)) {
std::string guid_str = guid_to_string(&ParentProcessGuid);
std::cout << "ParentProcessGuid: " << guid_str << std::endl;
}
std::wcout << L"***************************************" << std::endl;
}
break;
case SysmonFilecreationtimechanged:
{
// <template tid = "Filecreationtimechanged(rule:FileCreateTime)Args_V5">
// <data name = "RuleName" inType = "win:UnicodeString" / >
// <data name = "UtcTime" inType = "win:UnicodeString" / >
// <data name = "ProcessGuid" inType = "win:GUID" / >
// <data name = "ProcessId" inType = "win:UInt32" / >
// <data name = "Image" inType = "win:UnicodeString" / >
// <data name = "TargetFilename" inType = "win:UnicodeString" / >
// <data name = "CreationUtcTime" inType = "win:UnicodeString" / >
// <data name = "PreviousCreationUtcTime" inType = "win:UnicodeString" / >
krabs::parser parser(schema);
std::wstring RuleName = parser.parse<std::wstring>(L"RuleName");
std::wstring UtcTime = parser.parse<std::wstring>(L"UtcTime");
uint32_t ProcessId = parser.parse<uint32_t>(L"ProcessId");
std::wstring Image = parser.parse<std::wstring>(L"Image");
std::wstring TargetFileName = parser.parse<std::wstring>(L"TargetFileName");
std::wstring CreationUtcTime = parser.parse<std::wstring>(L"CreationUtcTime");
std::wstring PreviousCreationUtcTime = parser.parse<std::wstring>(L"PreviousCreationUtcTime");
std::wcout << "RuleName: " << RuleName << std::endl;
std::wcout << "UtcTime: " << UtcTime << std::endl;
std::wcout << "ProcessId: " << ProcessId << std::endl;
std::wcout << "Image: " << Image << std::endl;
std::wcout << "TargetFileName: " << TargetFileName << std::endl;
std::wcout << "CreationUtcTime: " << CreationUtcTime << std::endl;
std::wcout << "PreviousCreationUtcTime: " << PreviousCreationUtcTime << std::endl;
UUID ProcessGuid;
PCWSTR ProcessGuidStr = L"ProcessGuid";
if (sysmon_parse_guid(parser, ProcessGuidStr, &ProcessGuid)) {
std::string guid_str = guid_to_string(&ProcessGuid);
std::cout << "ProcessGuid: " << guid_str << std::endl;
}
std::wcout << L"***************************************" << std::endl;
}
break;
case SysmonNetworkconnectiondetected:
{
// <template tid = "Networkconnectiondetected(rule:NetworkConnect)Args_V5">
// <data name = "RuleName" inType = "win:UnicodeString" / >
// <data name = "UtcTime" inType = "win:UnicodeString" / >
// <data name = "ProcessGuid" inType = "win:GUID" / >
// <data name = "ProcessId" inType = "win:UInt32" / >
// <data name = "Image" inType = "win:UnicodeString" / >
// <data name = "User" inType = "win:UnicodeString" / >
// <data name = "Protocol" inType = "win:UnicodeString" / >
// <data name = "Initiated" inType = "win:Boolean" / >
// <data name = "SourceIsIpv6" inType = "win:Boolean" / >
// <data name = "SourceIp" inType = "win:UnicodeString" / >
// <data name = "SourceHostname" inType = "win:UnicodeString" / >
// <data name = "SourcePort" inType = "win:UInt16" / >
// <data name = "SourcePortName" inType = "win:UnicodeString" / >
// <data name = "DestinationIsIpv6" inType = "win:Boolean" / >
// <data name = "DestinationIp" inType = "win:UnicodeString" / >
// <data name = "DestinationHostname" inType = "win:UnicodeString" / >
// <data name = "DestinationPort" inType = "win:UInt16" / >
// <data name = "DestinationPortName" inType = "win:UnicodeString" / >
krabs::parser parser(schema);
std::wstring RuleName = parser.parse<std::wstring>(L"RuleName");
std::wstring UtcTime = parser.parse<std::wstring>(L"UtcTime");
uint32_t ProcessId = parser.parse<uint32_t>(L"ProcessId");
std::wstring Image = parser.parse<std::wstring>(L"Image");
std::wstring User = parser.parse<std::wstring>(L"User");
std::wstring Protocol = parser.parse<std::wstring>(L"Protocol");
bool Initiated = parser.parse<bool>(L"Initiated");
bool SourceIsIpv6 = parser.parse<bool>(L"SourceIsIpv6");
std::wstring SourceIp = parser.parse<std::wstring>(L"SourceIp");
std::wstring SourceHostname = parser.parse<std::wstring>(L"SourceHostname");
std::uint16_t SourcePort = parser.parse<std::uint16_t>(L"SourcePort");
std::wstring SourcePortName = parser.parse<std::wstring>(L"SourcePortName");
bool DestinationIsIpv6 = parser.parse<bool>(L"SourceIsIpv6");
std::wstring DestinationIp = parser.parse<std::wstring>(L"DestinationIp");
std::wstring DestinationHostname = parser.parse<std::wstring>(L"DestinationHostname");
std::uint16_t DestinationPort = parser.parse<std::uint16_t>(L"DestinationPort");
std::wstring DestinationPortName = parser.parse<std::wstring>(L"DestinationPortName");
std::wcout << "RuleName: " << RuleName << std::endl;
std::wcout << "UtcTime: " << UtcTime << std::endl;
std::wcout << "ProcessId: " << ProcessId << std::endl;
std::wcout << "Image: " << Image << std::endl;
std::wcout << "User: " << User << std::endl;
std::wcout << "Protocol: " << Protocol << std::endl;
std::wcout << "Initiated: " << Initiated << std::endl;
std::wcout << "SourceIsIpv6: " << SourceIsIpv6 << std::endl;
std::wcout << "SourceIp: " << SourceIp << std::endl;
std::wcout << "SourcePort: " << SourcePort << std::endl;
std::wcout << "SourcePortName: " << SourcePortName << std::endl;
std::wcout << "DestinationIsIpv6: " << DestinationIsIpv6 << std::endl;
std::wcout << "DestinationIp: " << DestinationIp << std::endl;
std::wcout << "DestinationPort: " << DestinationPort << std::endl;
std::wcout << "DestinationPortName: " << DestinationPortName << std::endl;
UUID ProcessGuid;
PCWSTR ProcessGuidStr = L"ProcessGuid";
if (sysmon_parse_guid(parser, ProcessGuidStr, &ProcessGuid)) {
std::string guid_str = guid_to_string(&ProcessGuid);
std::cout << "ProcessGuid: " << guid_str << std::endl;
}
std::wcout << L"***************************************" << std::endl;
}
break;
case Sysmonservicestatechanged:
{
// <template tid = "SysmonservicestatechangedArgs_V3">
// <data name = "UtcTime" inType = "win:UnicodeString" / >
// <data name = "State" inType = "win:UnicodeString" / >
// <data name = "Version" inType = "win:UnicodeString" / >
// <data name = "SchemaVersion" inType = "win:UnicodeString" / >
krabs::parser parser(schema);
std::wstring UtcTime = parser.parse<std::wstring>(L"UtcTime");
std::wstring State = parser.parse<std::wstring>(L"State");
std::wstring Version = parser.parse<std::wstring>(L"Version");
std::wstring SchemaVersion = parser.parse<std::wstring>(L"SchemaVersion");
std::wcout << "UtcTime: " << UtcTime << std::endl;
std::wcout << "State: " << State << std::endl;
std::wcout << "Version: " << Version << std::endl;
std::wcout << "SchemaVersion: " << SchemaVersion << std::endl;
std::wcout << L"***************************************" << std::endl;
}
break;
case SysmonProcessterminated:
{
// <template tid = "Processterminated(rule:ProcessTerminate)Args_V3">
// <data name = "RuleName" inType = "win:UnicodeString" / >
// <data name = "UtcTime" inType = "win:UnicodeString" / >
// <data name = "ProcessGuid" inType = "win:GUID" / >
// <data name = "ProcessId" inType = "win:UInt32" / >
// <data name = "Image" inType = "win:UnicodeString" / >
krabs::parser parser(schema);
std::wstring RuleName = parser.parse<std::wstring>(L"RuleName");
std::wstring UtcTime = parser.parse<std::wstring>(L"UtcTime");
uint32_t ProcessId = parser.parse<uint32_t>(L"ProcessId");
std::wstring Image = parser.parse<std::wstring>(L"Image");
std::wcout << "RuleName: " << RuleName << std::endl;
std::wcout << "UtcTime: " << UtcTime << std::endl;
std::wcout << "ProcessId: " << ProcessId << std::endl;
std::wcout << "Image: " << Image << std::endl;
UUID ProcessGuid;
PCWSTR ProcessGuidStr = L"ProcessGuid";
if (sysmon_parse_guid(parser, ProcessGuidStr, &ProcessGuid)) {
std::string guid_str = guid_to_string(&ProcessGuid);
std::cout << "ProcessGuid: " << guid_str << std::endl;
}
std::wcout << L"***************************************" << std::endl;
}
break;
case SysmonDriverloaded:
{
// <template tid = "Driverloaded(rule:DriverLoad)Args_V4">
// <data name = "RuleName" inType = "win:UnicodeString" / >
// <data name = "UtcTime" inType = "win:UnicodeString" / >
// <data name = "ImageLoaded" inType = "win:UnicodeString" / >
// <data name = "Hashes" inType = "win:UnicodeString" / >
// <data name = "Signed" inType = "win:UnicodeString" / >
// <data name = "Signature" inType = "win:UnicodeString" / >
// <data name = "SignatureStatus" inType = "win:UnicodeString" / >
krabs::parser parser(schema);
std::wstring RuleName = parser.parse<std::wstring>(L"RuleName");
std::wstring UtcTime = parser.parse<std::wstring>(L"UtcTime");
std::wstring ImageLoaded = parser.parse<std::wstring>(L"ImageLoaded");
std::wstring Hashes = parser.parse<std::wstring>(L"Hashes");
std::wstring Signed = parser.parse<std::wstring>(L"Signed");
std::wstring Signature = parser.parse<std::wstring>(L"Signature");
std::wstring SignatureStatus = parser.parse<std::wstring>(L"SignatureStatus");
std::wcout << "RuleName: " << RuleName << std::endl;
std::wcout << "UtcTime: " << UtcTime << std::endl;
std::wcout << "ImageLoaded: " << ImageLoaded << std::endl;
std::wcout << "Hashes: " << Hashes << std::endl;
std::wcout << "Signed: " << Signed << std::endl;
std::wcout << "Signature: " << Signature << std::endl;
std::wcout << "SignatureStatus: " << SignatureStatus << std::endl;
}
break;
case SysmonImageloaded:
{
// <template tid = "Imageloaded(rule:ImageLoad)Args_V3">
// <data name = "RuleName" inType = "win:UnicodeString" / >
// <data name = "UtcTime" inType = "win:UnicodeString" / >
// <data name = "ProcessGuid" inType = "win:GUID" / >
// <data name = "ProcessId" inType = "win:UInt32" / >
// <data name = "Image" inType = "win:UnicodeString" / >
// <data name = "ImageLoaded" inType = "win:UnicodeString" / >
// <data name = "FileVersion" inType = "win:UnicodeString" / >
// <data name = "Description" inType = "win:UnicodeString" / >
// <data name = "Product" inType = "win:UnicodeString" / >
// <data name = "Company" inType = "win:UnicodeString" / >
// <data name = "OriginalFileName" inType = "win:UnicodeString" / >
// <data name = "Hashes" inType = "win:UnicodeString" / >
// <data name = "Signed" inType = "win:UnicodeString" / >
// <data name = "Signature" inType = "win:UnicodeString" / >
// <data name = "SignatureStatus" inType = "win:UnicodeString" / >
krabs::parser parser(schema);
std::wstring RuleName = parser.parse<std::wstring>(L"RuleName");
std::wstring UtcTime = parser.parse<std::wstring>(L"UtcTime");
uint32_t ProcessId = parser.parse<uint32_t>(L"ProcessId");
std::wstring Image = parser.parse<std::wstring>(L"Image");
std::wstring ImageLoaded = parser.parse<std::wstring>(L"ImageLoaded");
std::wstring FileVersion = parser.parse<std::wstring>(L"FileVersion");
std::wstring Description = parser.parse<std::wstring>(L"Description");
std::wstring Product = parser.parse<std::wstring>(L"Product");
std::wstring Company = parser.parse<std::wstring>(L"Company");
std::wstring OriginalFileName = parser.parse<std::wstring>(L"OriginalFileName");
std::wstring Hashes = parser.parse<std::wstring>(L"Hashes");
std::wstring Signed = parser.parse<std::wstring>(L"Signed");
std::wstring Signature = parser.parse<std::wstring>(L"Signature");
std::wstring SignatureStatus = parser.parse<std::wstring>(L"SignatureStatus");
std::wcout << "RuleName: " << RuleName << std::endl;
std::wcout << "UtcTime: " << UtcTime << std::endl;
std::wcout << "ProcessId: " << ProcessId << std::endl;
std::wcout << "Image: " << Image << std::endl;
std::wcout << "ImageLoaded: " << ImageLoaded << std::endl;
std::wcout << "FileVersion: " << FileVersion << std::endl;
std::wcout << "Description: " << Description << std::endl;
std::wcout << "Product: " << Product << std::endl;
std::wcout << "Company: " << Company << std::endl;
std::wcout << "OriginalFileName: " << OriginalFileName << std::endl;
std::wcout << "Hashes: " << Hashes << std::endl;
std::wcout << "Signed: " << Signed << std::endl;
std::wcout << "Signature: " << Signature << std::endl;
std::wcout << "SignatureStatus: " << SignatureStatus << std::endl;
UUID ProcessGuid;
PCWSTR ProcessGuidStr = L"ProcessGuid";
if (sysmon_parse_guid(parser, ProcessGuidStr, &ProcessGuid)) {
std::string guid_str = guid_to_string(&ProcessGuid);
std::cout << "ProcessGuid: " << guid_str << std::endl;
}
}
break;
case SysmonCreateRemoteThreaddetected:
{
// <template tid = "CreateRemoteThreaddetected(rule:CreateRemoteThread)Args_V2">
// <data name = "RuleName" inType = "win:UnicodeString" / >
// <data name = "UtcTime" inType = "win:UnicodeString" / >
// <data name = "SourceProcessGuid" inType = "win:GUID" / >
// <data name = "SourceProcessId" inType = "win:UInt32" / >
// <data name = "SourceImage" inType = "win:UnicodeString" / >
// <data name = "TargetProcessGuid" inType = "win:GUID" / >
// <data name = "TargetProcessId" inType = "win:UInt32" / >
// <data name = "TargetImage" inType = "win:UnicodeString" / >
// <data name = "NewThreadId" inType = "win:UInt32" / >
// <data name = "StartAddress" inType = "win:UnicodeString" / >
// <data name = "StartModule" inType = "win:UnicodeString" / >
// <data name = "StartFunction" inType = "win:UnicodeString" / >
krabs::parser parser(schema);
std::wstring RuleName = parser.parse<std::wstring>(L"RuleName");
std::wstring UtcTime = parser.parse<std::wstring>(L"UtcTime");
uint32_t SourceProcessId = parser.parse<uint32_t>(L"SourceProcessId");
std::wstring SourceImage = parser.parse<std::wstring>(L"SourceImage");
uint32_t TargetProcessId = parser.parse<uint32_t>(L"TargetProcessId");
std::wstring TargetImage = parser.parse<std::wstring>(L"TargetImage");
uint32_t NewThreadId = parser.parse<uint32_t>(L"NewThreadId");
std::wstring StartAddress = parser.parse<std::wstring>(L"StartAddress");
std::wstring StartModule = parser.parse<std::wstring>(L"StartModule");
std::wstring StartFunction = parser.parse<std::wstring>(L"StartFunction");
std::wcout << "RuleName: " << RuleName << std::endl;
std::wcout << "UtcTime: " << UtcTime << std::endl;
std::wcout << "SourceProcessId: " << SourceProcessId << std::endl;
std::wcout << "SourceImage: " << SourceImage << std::endl;
std::wcout << "TargetProcessId: " << TargetProcessId << std::endl;
std::wcout << "TargetImage: " << TargetImage << std::endl;
std::wcout << "NewThreadId: " << NewThreadId << std::endl;
std::wcout << "StartAddress: " << StartAddress << std::endl;
std::wcout << "StartModule: " << StartModule << std::endl;
std::wcout << "StartFunction: " << StartFunction << std::endl;
UUID SourceProcessGuid;
PCWSTR SourceProcessGuidStr = L"SourceProcessGuid";
if (sysmon_parse_guid(parser, SourceProcessGuidStr, &SourceProcessGuid)) {
std::string guid_str = guid_to_string(&SourceProcessGuid);
std::cout << "SourceProcessGuid: " << guid_str << std::endl;
}
UUID TargetProcessGuid;
PCWSTR TargetProcessGuidStr = L"TargetProcessGuid";
if (sysmon_parse_guid(parser, TargetProcessGuidStr, &TargetProcessGuid)) {
std::string guid_str = guid_to_string(&TargetProcessGuid);
std::cout << "TargetProcessGuid: " << guid_str << std::endl;
}
}
break;
case SysmonRawAccessReaddetected:
{
// <template tid = "RawAccessReaddetected(rule:RawAccessRead)Args_V2">
// <data name = "RuleName" inType = "win:UnicodeString" / >
// <data name = "UtcTime" inType = "win:UnicodeString" / >
// <data name = "ProcessGuid" inType = "win:GUID" / >
// <data name = "ProcessId" inType = "win:UInt32" / >
// <data name = "Image" inType = "win:UnicodeString" / >
// <data name = "Device" inType = "win:UnicodeString" / >
krabs::parser parser(schema);
std::wstring RuleName = parser.parse<std::wstring>(L"RuleName");
std::wstring UtcTime = parser.parse<std::wstring>(L"UtcTime");
uint32_t ProcessId = parser.parse<uint32_t>(L"ProcessId");
std::wstring Image = parser.parse<std::wstring>(L"Image");
std::wstring Device = parser.parse<std::wstring>(L"Device");
std::wcout << "RuleName: " << RuleName << std::endl;
std::wcout << "UtcTime: " << UtcTime << std::endl;
std::wcout << "ProcessId: " << ProcessId << std::endl;
std::wcout << "Image: " << Image << std::endl;
std::wcout << "Device: " << Device << std::endl;
UUID ProcessGuid;
PCWSTR ProcessGuidStr = L"ProcessGuid";
if (sysmon_parse_guid(parser, ProcessGuidStr, &ProcessGuid)) {
std::string guid_str = guid_to_string(&ProcessGuid);
std::cout << "ProcessGuid: " << guid_str << std::endl;
}
}
break;
case SysmonProcessaccessed:
{
// <template tid = "Processaccessed(rule:ProcessAccess)Args_V3">
// <data name = "RuleName" inType = "win:UnicodeString" / >
// <data name = "UtcTime" inType = "win:UnicodeString" / >
// <data name = "SourceProcessGUID" inType = "win:GUID" / >
// <data name = "SourceProcessId" inType = "win:UInt32" / >
// <data name = "SourceThreadId" inType = "win:UInt32" / >
// <data name = "SourceImage" inType = "win:UnicodeString" / >
// <data name = "TargetProcessGUID" inType = "win:GUID" / >
// <data name = "TargetProcessId" inType = "win:UInt32" / >
// <data name = "TargetImage" inType = "win:UnicodeString" / >
// <data name = "GrantedAccess" inType = "win:HexInt32" / >
// <data name = "CallTrace" inType = "win:UnicodeString" / >
krabs::parser parser(schema);
std::wstring RuleName = parser.parse<std::wstring>(L"RuleName");
std::wstring UtcTime = parser.parse<std::wstring>(L"UtcTime");
uint32_t SourceProcessId = parser.parse<uint32_t>(L"SourceProcessId");
uint32_t SourceThreadId = parser.parse<uint32_t>(L"SourceThreadId");
std::wstring SourceImage = parser.parse<std::wstring>(L"SourceImage");
uint32_t TargetProcessId = parser.parse<uint32_t>(L"TargetProcessId");
std::wstring TargetImage = parser.parse<std::wstring>(L"TargetImage");
int32_t GrantedAccess = parser.parse<int32_t>(L"GrantedAccess");
std::wstring CallTrace = parser.parse<std::wstring>(L"CallTrace");
std::wcout << "RuleName: " << RuleName << std::endl;
std::wcout << "UtcTime: " << UtcTime << std::endl;
std::wcout << "SourceProcessId: " << SourceProcessId << std::endl;
std::wcout << "SourceThreadId: " << SourceThreadId << std::endl;
std::wcout << "SourceImage: " << SourceImage << std::endl;
std::wcout << "TargetProcessId: " << TargetProcessId << std::endl;
std::wcout << "TargetImage: " << TargetImage << std::endl;
std::wcout << "GrantedAccess: " << GrantedAccess << std::endl;
std::wcout << "CallTrace: " << CallTrace << std::endl;
UUID SourceProcessGuid;
PCWSTR SourceProcessGuidStr = L"SourceProcessGuid";
if (sysmon_parse_guid(parser, SourceProcessGuidStr, &SourceProcessGuid)) {
std::string guid_str = guid_to_string(&SourceProcessGuid);
std::cout << "SourceProcessGuid: " << guid_str << std::endl;
}
UUID TargetProcessGuid;
PCWSTR TargetProcessGuidStr = L"TargetProcessGuid";
if (sysmon_parse_guid(parser, TargetProcessGuidStr, &TargetProcessGuid)) {
std::string guid_str = guid_to_string(&TargetProcessGuid);
std::cout << "TargetProcessGuid: " << guid_str << std::endl;
}
}
break;
case SysmonFilecreated:
{
// <template tid = "Filecreated(rule:FileCreate)Args_V2">
// <data name = "RuleName" inType = "win:UnicodeString" / >
// <data name = "UtcTime" inType = "win:UnicodeString" / >
// <data name = "ProcessGuid" inType = "win:GUID" / >
// <data name = "ProcessId" inType = "win:UInt32" / >
// <data name = "Image" inType = "win:UnicodeString" / >
// <data name = "TargetFilename" inType = "win:UnicodeString" / >
// <data name = "CreationUtcTime" inType = "win:UnicodeString" / >
krabs::parser parser(schema);
std::wstring RuleName = parser.parse<std::wstring>(L"RuleName");
std::wstring UtcTime = parser.parse<std::wstring>(L"UtcTime");
uint32_t ProcessId = parser.parse<uint32_t>(L"ProcessId");
std::wstring Image = parser.parse<std::wstring>(L"Image");
std::wstring TargetFilename = parser.parse<std::wstring>(L"TargetFilename");
std::wstring CreationUtcTime = parser.parse<std::wstring>(L"CreationUtcTime");
std::wcout << "RuleName: " << RuleName << std::endl;
std::wcout << "UtcTime: " << UtcTime << std::endl;
std::wcout << "ProcessId: " << ProcessId << std::endl;
std::wcout << "Image: " << Image << std::endl;
std::wcout << "TargetFilename: " << TargetFilename << std::endl;
std::wcout << "CreationUtcTime: " << CreationUtcTime << std::endl;
UUID ProcessGuid;
PCWSTR ProcessGuidStr = L"ProcessGuid";
if (sysmon_parse_guid(parser, ProcessGuidStr, &ProcessGuid)) {
std::string guid_str = guid_to_string(&ProcessGuid);
std::cout << "ProcessGuid: " << guid_str << std::endl;
}
std::wcout << L"***************************************" << std::endl;
}
break;
case SysmonRegistryobjectaddedordeleted:
{
// <template tid = "Registryobjectaddedordeleted(rule:RegistryEvent)Args_V2">
// <data name = "RuleName" inType = "win:UnicodeString" / >
// <data name = "EventType" inType = "win:UnicodeString" / >
// <data name = "UtcTime" inType = "win:UnicodeString" / >
// <data name = "ProcessGuid" inType = "win:GUID" / >
// <data name = "ProcessId" inType = "win:UInt32" / >
// <data name = "Image" inType = "win:UnicodeString" / >
// <data name = "TargetObject" inType = "win:UnicodeString" / >
krabs::parser parser(schema);
std::wstring RuleName = parser.parse<std::wstring>(L"RuleName");
std::wstring EventType = parser.parse<std::wstring>(L"EventType");
std::wstring UtcTime = parser.parse<std::wstring>(L"UtcTime");
uint32_t ProcessId = parser.parse<uint32_t>(L"ProcessId");
std::wstring Image = parser.parse<std::wstring>(L"Image");
std::wcout << "RuleName: " << RuleName << std::endl;
std::wcout << "EventType: " << EventType << std::endl;
std::wcout << "UtcTime: " << UtcTime << std::endl;
std::wcout << "ProcessId: " << ProcessId << std::endl;
std::wcout << "Image: " << Image << std::endl;
UUID ProcessGuid;
PCWSTR ProcessGuidStr = L"ProcessGuid";
if (sysmon_parse_guid(parser, ProcessGuidStr, &ProcessGuid)) {
std::string guid_str = guid_to_string(&ProcessGuid);
std::cout << "ProcessGuid: " << guid_str << std::endl;
}
std::wcout << L"***************************************" << std::endl;
}
break;
case SysmonRegistryvalueset:
{
// <template tid = "Registryvalueset(rule:RegistryEvent)Args_V2">
// <data name = "RuleName" inType = "win:UnicodeString" / >
// <data name = "EventType" inType = "win:UnicodeString" / >
// <data name = "UtcTime" inType = "win:UnicodeString" / >
// <data name = "ProcessGuid" inType = "win:GUID" / >
// <data name = "ProcessId" inType = "win:UInt32" / >
// <data name = "Image" inType = "win:UnicodeString" / >
// <data name = "TargetObject" inType = "win:UnicodeString" / >
// <data name = "Details" inType = "win:UnicodeString" / >
krabs::parser parser(schema);
std::wstring RuleName = parser.parse<std::wstring>(L"RuleName");
std::wstring EventType = parser.parse<std::wstring>(L"EventType");
std::wstring UtcTime = parser.parse<std::wstring>(L"UtcTime");
uint32_t ProcessId = parser.parse<uint32_t>(L"ProcessId");
std::wstring Image = parser.parse<std::wstring>(L"Image");
std::wstring TargetObject = parser.parse<std::wstring>(L"TargetObject");
std::wstring Details = parser.parse<std::wstring>(L"Details");
std::wcout << "RuleName: " << RuleName << std::endl;
std::wcout << "EventType: " << EventType << std::endl;
std::wcout << "UtcTime: " << UtcTime << std::endl;
std::wcout << "ProcessId: " << ProcessId << std::endl;
std::wcout << "Image: " << Image << std::endl;
std::wcout << "TargetObject: " << TargetObject << std::endl;
std::wcout << "Details: " << Details << std::endl;
UUID ProcessGuid;
PCWSTR ProcessGuidStr = L"ProcessGuid";
if (sysmon_parse_guid(parser, ProcessGuidStr, &ProcessGuid)) {
std::string guid_str = guid_to_string(&ProcessGuid);
std::cout << "ProcessGuid: " << guid_str << std::endl;
}
std::wcout << L"***************************************" << std::endl;
}
break;
case SysmonRegistryobjectrenamed:
{
// <template tid = "Registryobjectrenamed(rule:RegistryEvent)Args_V2">
// <data name = "RuleName" inType = "win:UnicodeString" / >
// <data name = "EventType" inType = "win:UnicodeString" / >
// <data name = "UtcTime" inType = "win:UnicodeString" / >
// <data name = "ProcessGuid" inType = "win:GUID" / >
// <data name = "ProcessId" inType = "win:UInt32" / >
// <data name = "Image" inType = "win:UnicodeString" / >
// <data name = "TargetObject" inType = "win:UnicodeString" / >
// <data name = "NewName" inType = "win:UnicodeString" / >
krabs::parser parser(schema);
std::wstring RuleName = parser.parse<std::wstring>(L"RuleName");
std::wstring EventType = parser.parse<std::wstring>(L"EventType");
std::wstring UtcTime = parser.parse<std::wstring>(L"UtcTime");
uint32_t ProcessId = parser.parse<uint32_t>(L"ProcessId");
std::wstring Image = parser.parse<std::wstring>(L"Image");
std::wstring TargetObject = parser.parse<std::wstring>(L"TargetObject");
std::wstring NewName = parser.parse<std::wstring>(L"NewName");
std::wcout << "RuleName: " << RuleName << std::endl;
std::wcout << "EventType: " << EventType << std::endl;
std::wcout << "UtcTime: " << UtcTime << std::endl;
std::wcout << "ProcessId: " << ProcessId << std::endl;
std::wcout << "Image: " << Image << std::endl;
std::wcout << "TargetObject: " << TargetObject << std::endl;
std::wcout << "NewName: " << NewName << std::endl;
UUID ProcessGuid;
PCWSTR ProcessGuidStr = L"ProcessGuid";
if (sysmon_parse_guid(parser, ProcessGuidStr, &ProcessGuid)) {
std::string guid_str = guid_to_string(&ProcessGuid);
std::cout << "ProcessGuid: " << guid_str << std::endl;
}
std::wcout << L"***************************************" << std::endl;
}
break;
case SysmonFilestreamcreated:
{
// <template tid = "Filestreamcreated(rule:FileCreateStreamHash)Args_V2">
// <data name = "RuleName" inType = "win:UnicodeString" / >
// <data name = "UtcTime" inType = "win:UnicodeString" / >
// <data name = "ProcessGuid" inType = "win:GUID" / >
// <data name = "ProcessId" inType = "win:UInt32" / >
// <data name = "Image" inType = "win:UnicodeString" / >
// <data name = "TargetFilename" inType = "win:UnicodeString" / >
// <data name = "CreationUtcTime" inType = "win:UnicodeString" / >
// <data name = "Hash" inType = "win:UnicodeString" / >
// <data name = "Contents" inType = "win:UnicodeString" / >
krabs::parser parser(schema);
std::wstring RuleName = parser.parse<std::wstring>(L"RuleName");
std::wstring EventType = parser.parse<std::wstring>(L"EventType");
std::wstring UtcTime = parser.parse<std::wstring>(L"UtcTime");
uint32_t ProcessId = parser.parse<uint32_t>(L"ProcessId");
std::wstring Image = parser.parse<std::wstring>(L"Image");
std::wstring TargetFileName = parser.parse<std::wstring>(L"TargetFileName");
std::wstring CreationUtcTime = parser.parse<std::wstring>(L"CreationUtcTime");
std::wstring Hash = parser.parse<std::wstring>(L"Hash");
std::wstring Contents = parser.parse<std::wstring>(L"Contents");
std::wcout << "RuleName: " << RuleName << std::endl;
std::wcout << "UtcTime: " << UtcTime << std::endl;
std::wcout << "ProcessId: " << ProcessId << std::endl;
std::wcout << "Image: " << Image << std::endl;
std::wcout << "TargetFileName: " << TargetFileName << std::endl;
std::wcout << "CreationUtcTime: " << CreationUtcTime << std::endl;
std::wcout << "Hash: " << Hash << std::endl;
std::wcout << "Contents: " << Contents << std::endl;
UUID ProcessGuid;
PCWSTR ProcessGuidStr = L"ProcessGuid";
if (sysmon_parse_guid(parser, ProcessGuidStr, &ProcessGuid)) {
std::string guid_str = guid_to_string(&ProcessGuid);
std::cout << "ProcessGuid: " << guid_str << std::endl;
}
std::wcout << L"***************************************" << std::endl;
}
break;
case SysmonPipeCreated:
case SysmonPipeConnected:
{
// <template tid = "PipeCreated(rule:PipeEvent)Args_V1">
// <data name = "RuleName" inType = "win:UnicodeString" / >
// <data name = "EventType" inType = "win:UnicodeString" / >
// <data name = "UtcTime" inType = "win:UnicodeString" / >
// <data name = "ProcessGuid" inType = "win:GUID" / >
// <data name = "ProcessId" inType = "win:UInt32" / >
// <data name = "PipeName" inType = "win:UnicodeString" / >
// <data name = "Image" inType = "win:UnicodeString" / >
krabs::parser parser(schema);
std::wstring RuleName = parser.parse<std::wstring>(L"RuleName");
std::wstring EventType = parser.parse<std::wstring>(L"EventType");
std::wstring UtcTime = parser.parse<std::wstring>(L"UtcTime");
uint32_t ProcessId = parser.parse<uint32_t>(L"ProcessId");
std::wstring PipeName = parser.parse<std::wstring>(L"PipeName");
std::wstring Image = parser.parse<std::wstring>(L"Image");
std::wcout << "RuleName: " << RuleName << std::endl;
std::wcout << "EventType: " << EventType << std::endl;
std::wcout << "UtcTime: " << UtcTime << std::endl;
std::wcout << "ProcessId: " << ProcessId << std::endl;
std::wcout << "PipeName: " << PipeName << std::endl;
std::wcout << "Image: " << Image << std::endl;
UUID ProcessGuid;
PCWSTR ProcessGuidStr = L"ProcessGuid";
if (sysmon_parse_guid(parser, ProcessGuidStr, &ProcessGuid)) {
std::string guid_str = guid_to_string(&ProcessGuid);
std::cout << "ProcessGuid: " << guid_str << std::endl;
}
}
break;
case SysmonDnsquery:
{
// <template tid = "Dnsquery(rule:DnsQuery)Args_V5">
// <data name = "RuleName" inType = "win:UnicodeString" / >
// <data name = "UtcTime" inType = "win:UnicodeString" / >
// <data name = "ProcessGuid" inType = "win:GUID" / >
// <data name = "ProcessId" inType = "win:UInt32" / >
// <data name = "QueryName" inType = "win:UnicodeString" / >
// <data name = "QueryStatus" inType = "win:UnicodeString" / >
// <data name = "QueryResults" inType = "win:UnicodeString" / >
// <data name = "Image" inType = "win:UnicodeString" / >
krabs::parser parser(schema);
std::wstring RuleName = parser.parse<std::wstring>(L"RuleName");
std::wstring UtcTime = parser.parse<std::wstring>(L"UtcTime");
uint32_t ProcessId = parser.parse<uint32_t>(L"ProcessId");
std::wstring QueryName = parser.parse<std::wstring>(L"QueryName");
std::wstring QueryStatus = parser.parse<std::wstring>(L"QueryStatus");
std::wstring QueryResults = parser.parse<std::wstring>(L"QueryResults");
std::wstring Image = parser.parse<std::wstring>(L"Image");
std::wcout << "RuleName: " << RuleName << std::endl;
std::wcout << "UtcTime: " << UtcTime << std::endl;
std::wcout << "ProcessId: " << ProcessId << std::endl;
std::wcout << "QueryName: " << QueryName << std::endl;
std::wcout << "QueryStatus: " << QueryStatus << std::endl;
std::wcout << "QueryResults: " << QueryResults << std::endl;
std::wcout << "Image: " << Image << std::endl;
UUID ProcessGuid;
PCWSTR ProcessGuidStr = L"ProcessGuid";
if (sysmon_parse_guid(parser, ProcessGuidStr, &ProcessGuid)) {
std::string guid_str = guid_to_string(&ProcessGuid);
std::cout << "ProcessGuid: " << guid_str << std::endl;
}
std::wcout << L"***************************************" << std::endl;
}
break;
case SysmonFileDelete:
{
// <template tid = "FileDelete(rule:FileDelete)Args_V5">
// <data name = "RuleName" inType = "win:UnicodeString" / >
// <data name = "UtcTime" inType = "win:UnicodeString" / >
// <data name = "ProcessGuid" inType = "win:GUID" / >
// <data name = "ProcessId" inType = "win:UInt32" / >
// <data name = "User" inType = "win:UnicodeString" / >
// <data name = "Image" inType = "win:UnicodeString" / >
// <data name = "TargetFilename" inType = "win:UnicodeString" / >
// <data name = "Hashes" inType = "win:UnicodeString" / >
// <data name = "IsExecutable" inType = "win:Boolean" / >
// <data name = "Archived" inType = "win:UnicodeString" / >/
krabs::parser parser(schema);
std::wstring RuleName = parser.parse<std::wstring>(L"RuleName");
std::wstring UtcTime = parser.parse<std::wstring>(L"UtcTime");
uint32_t ProcessId = parser.parse<uint32_t>(L"ProcessId");
std::wstring User = parser.parse<std::wstring>(L"User");
std::wstring Image = parser.parse<std::wstring>(L"Image");
std::wstring TargetFilename = parser.parse<std::wstring>(L"TargetFilename");
std::wstring Hashes = parser.parse<std::wstring>(L"Hashes");
bool IsExecutable = parser.parse<bool>(L"IsExecutable");
std::wstring Archived = parser.parse<std::wstring>(L"Archived");
std::wcout << "RuleName: " << RuleName << std::endl;
std::wcout << "UtcTime: " << UtcTime << std::endl;
std::wcout << "ProcessId: " << ProcessId << std::endl;
std::wcout << "User: " << User << std::endl;
std::wcout << "Image: " << Image << std::endl;
std::wcout << "TargetFilename: " << TargetFilename << std::endl;
std::wcout << "Hashes: " << Hashes << std::endl;
std::wcout << "IsExecutable: " << IsExecutable << std::endl;
std::wcout << "Archived: " << Archived << std::endl;
UUID ProcessGuid;
PCWSTR ProcessGuidStr = L"ProcessGuid";
if (sysmon_parse_guid(parser, ProcessGuidStr, &ProcessGuid)) {
std::string guid_str = guid_to_string(&ProcessGuid);
std::cout << "ProcessGuid: " << guid_str << std::endl;
}
std::wcout << L"***************************************" << std::endl;
}
break;
case SysmonClipboardchanged:
{
// <template tid = "Clipboardchanged(rule:ClipboardChange)Args_V5">
// <data name = "RuleName" inType = "win:UnicodeString" / >
// <data name = "UtcTime" inType = "win:UnicodeString" / >
// <data name = "ProcessGuid" inType = "win:GUID" / >
// <data name = "ProcessId" inType = "win:UInt32" / >
// <data name = "Image" inType = "win:UnicodeString" / >
// <data name = "Session" inType = "win:UInt32" / >
// <data name = "ClientInfo" inType = "win:UnicodeString" / >
// <data name = "Hashes" inType = "win:UnicodeString" / >
// <data name = "Archived" inType = "win:UnicodeString" / >
krabs::parser parser(schema);
std::wstring RuleName = parser.parse<std::wstring>(L"RuleName");
std::wstring UtcTime = parser.parse<std::wstring>(L"UtcTime");
uint32_t ProcessId = parser.parse<uint32_t>(L"ProcessId");
std::wstring Image = parser.parse<std::wstring>(L"Image");
uint32_t Session = parser.parse<uint32_t>(L"Session");
std::wstring ClientInfo = parser.parse<std::wstring>(L"ClientInfo");
std::wstring Hashes = parser.parse<std::wstring>(L"Hashes");
std::wstring Archived = parser.parse<std::wstring>(L"Archived");
std::wcout << "RuleName: " << RuleName << std::endl;
std::wcout << "UtcTime: " << UtcTime << std::endl;
std::wcout << "ProcessId: " << ProcessId << std::endl;
std::wcout << "Image: " << Image << std::endl;
std::wcout << "Session: " << Session << std::endl;
std::wcout << "ClientInfo: " << ClientInfo << std::endl;
std::wcout << "Hashes: " << Hashes << std::endl;
std::wcout << "Archived: " << Archived << std::endl;
UUID ProcessGuid;
PCWSTR ProcessGuidStr = L"ProcessGuid";
if (sysmon_parse_guid(parser, ProcessGuidStr, &ProcessGuid)) {
std::string guid_str = guid_to_string(&ProcessGuid);
std::cout << "ProcessGuid: " << guid_str << std::endl;
}
std::wcout << L"***************************************" << std::endl;
}
break;
case SysmonProcessTampering:
{
// <template tid = "ProcessTampering(rule:ProcessTampering)Args_V5">
// <data name = "RuleName" inType = "win:UnicodeString" / >
// <data name = "UtcTime" inType = "win:UnicodeString" / >
// <data name = "ProcessGuid" inType = "win:GUID" / >
// <data name = "ProcessId" inType = "win:UInt32" / >
// <data name = "Image" inType = "win:UnicodeString" / >
// <data name = "Type" inType = "win:UnicodeString" / >
krabs::parser parser(schema);
std::wstring RuleName = parser.parse<std::wstring>(L"RuleName");
std::wstring UtcTime = parser.parse<std::wstring>(L"UtcTime");
uint32_t ProcessId = parser.parse<uint32_t>(L"ProcessId");
std::wstring Image = parser.parse<std::wstring>(L"Image");
std::wstring Type = parser.parse<std::wstring>(L"Type");
std::wcout << "RuleName: " << RuleName << std::endl;
std::wcout << "UtcTime: " << UtcTime << std::endl;
std::wcout << "ProcessId: " << ProcessId << std::endl;
std::wcout << "Image: " << Image << std::endl;
std::wcout << "Type: " << Type << std::endl;
UUID ProcessGuid;
PCWSTR ProcessGuidStr = L"ProcessGuid";
if (sysmon_parse_guid(parser, ProcessGuidStr, &ProcessGuid)) {
std::string guid_str = guid_to_string(&ProcessGuid);
std::cout << "ProcessGuid: " << guid_str << std::endl;
}
std::wcout << L"***************************************" << std::endl;
}
break;
// NOP
default:
break;
}
});
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment