Last active
October 29, 2021 13:13
Enumerate the human readable permission listed in Sysmon EID 10s.
```
Author: @0x1FFFFF
Date: 1 September, 2021
Goal: Enumerate the human readable permission listed in Sysmon EID 10s.
Note: This type of logic is too heavy to run inline in a search. Use this to generate results and add to a lookup table.
```
$Your_Sysmon_Logic_Here$ EventCode=10
| stats count by GrantedAccess
```Convert from hex to binary. lower() first: the replace() calls below are case sensitive and Sysmon renders GrantedAccess as e.g. 0x1FFFFF. ltrim() strips every leading '0' and 'x', including leading zeros after the prefix; the padding step below puts them back```
| eval binaryMask=lower(GrantedAccess)
| eval binaryMask=ltrim(binaryMask, "0x")
| eval binaryMask=replace(binaryMask,"0","0000") | eval binaryMask=replace(binaryMask,"1","0001") | eval binaryMask=replace(binaryMask,"2","0010") | eval binaryMask=replace(binaryMask,"3","0011")
| eval binaryMask=replace(binaryMask,"4","0100") | eval binaryMask=replace(binaryMask,"5","0101") | eval binaryMask=replace(binaryMask,"6","0110") | eval binaryMask=replace(binaryMask,"7","0111")
| eval binaryMask=replace(binaryMask,"8","1000") | eval binaryMask=replace(binaryMask,"9","1001") | eval binaryMask=replace(binaryMask,"a","1010") | eval binaryMask=replace(binaryMask,"b","1011")
| eval binaryMask=replace(binaryMask,"c","1100") | eval binaryMask=replace(binaryMask,"d","1101") | eval binaryMask=replace(binaryMask,"e","1110") | eval binaryMask=replace(binaryMask,"f","1111")
```Left-pad with zeros to a full 32-bit mask (i.e. 0x1 > 0001 > 00000000000000000000000000000001) so every like() pattern below lines up with the same bit positions```
| eval fullMask = "00000000000000000000000000000000" | eval maskLen = 32 - len(binaryMask) | eval binaryMask = substr(fullMask, 1, maskLen) . binaryMask
```Set temp var 'perms' to the permission name when the bit pattern matches, "" otherwise, and append it to the Permissions field```
```Note: in like(), _ matches exactly one character (the equivalent of '.' in regex), so each pattern is 32 characters wide with a 1 at the bit being tested. Note 2: It is probably better to have Permissions be a multivalue field and set each member individually, but this works.```
| eval perms=if(like(binaryMask, "1_______________________________"), "GENERIC_READ", "") | eval Permissions = perms . ","
| eval perms=if(like(binaryMask, "_1______________________________"), "GENERIC_WRITE", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "__1_____________________________"), "GENERIC_EXECUTE", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "___1____________________________"), "GENERIC_ALL", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "_______1________________________"), "ACCESS_SYSTEM_SECURITY", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "___________1____________________"), "SYNCHRONIZE", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "____________1___________________"), "WRITE_OWNER", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "_____________1__________________"), "WRITE_DAC", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "______________1_________________"), "READ_CONTROL", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "_______________1________________"), "DELETE", "") | eval Permissions = Permissions . perms . ","
```Composite names: these fire only when every bit of the combination is set. STANDARD_RIGHTS_EXECUTE, _READ and _WRITE are all aliases of READ_CONTROL (0x00020000)```
| eval perms=if(like(binaryMask, "___________11111________________"), "STANDARD_RIGHTS_ALL", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "______________1_________________"), "STANDARD_RIGHTS_EXECUTE", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "______________1_________________"), "STANDARD_RIGHTS_READ", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "____________1111________________"), "STANDARD_RIGHTS_REQUIRED", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "______________1_________________"), "STANDARD_RIGHTS_WRITE", "") | eval Permissions = Permissions . perms . ","
```Process-specific rights (low 16 bits)```
| eval perms=if(like(binaryMask, "___________________1____________"), "PROCESS_QUERY_LIMITED_INFORMATION", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "____________________1___________"), "PROCESS_SUSPEND_RESUME", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "_____________________1__________"), "PROCESS_QUERY_INFORMATION", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "______________________1_________"), "PROCESS_SET_INFORMATION", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "_______________________1________"), "PROCESS_SET_QUOTA", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "________________________1_______"), "PROCESS_CREATE_PROCESS", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "_________________________1______"), "PROCESS_DUP_HANDLE", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "__________________________1_____"), "PROCESS_VM_WRITE", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "___________________________1____"), "PROCESS_VM_READ", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "____________________________1___"), "PROCESS_VM_OPERATION", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "_____________________________1__"), "PROCESS_SET_SESSIONID", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "______________________________1_"), "PROCESS_CREATE_THREAD", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "_______________________________1"), "PROCESS_TERMINATE", "") | eval Permissions = Permissions . perms . ","
```PROCESS_ALL_ACCESS changed between pre-Vista (0x1F0FFF) and Vista+ (0x1FFFFF); both are named so either form of a full-access open is visible```
| eval perms=if(like(binaryMask, "___________11111____111111111111"), "PROCESS_ALL_ACCESS_OLD", "") | eval Permissions = Permissions . perms . ","
| eval perms=if(like(binaryMask, "___________111111111111111111111"), "PROCESS_ALL_ACCESS_NEW", "") | eval Permissions = Permissions . perms
```Do some multivalue hackery to clean up the Permissions string and remove null values by separating them and expanding them into individual events```
| eval Permissions = split(Permissions, ",")
| mvexpand Permissions
| search Permissions!=""
```Re-combine the separate events and display. This part isn't really needed, since you could store the results in a lookup with mv support, but it looks cleaner```
| stats values(Permissions) as Permissions by GrantedAccess
| mvcombine Permissions
| table GrantedAccess Permissions
| sort GrantedAccess
Updated L12 to include lower() making sure the later evals (which are case sensitive) work without issue. Thanks to Austin @YouDownWithTTPs for bringing up the issue.
Shoutz to https://gist.github.com/Rhomboid/0cf96d7c82991af44fda which was super helpful