oukeu revised this gist
Sep 2, 2021 . 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -9,7 +9,7 @@ $Your_Sysmon_Logic_Here$ EventCode=10 | stats count by GrantedAccess ```Convert from Hex to Binary``` | eval binaryMask=lower(GrantedAcces) | eval binaryMask=ltrim(binaryMask, "0x") | eval binaryMask=replace(binaryMask,"0","0000") | eval binaryMask=replace(binaryMask,"1","0001") | eval binaryMask=replace(binaryMask,"2","0010") | eval binaryMask=replace(binaryMask,"3","0011") | eval binaryMask=replace(binaryMask,"4","0100") | eval binaryMask=replace(binaryMask,"5","0101") | eval binaryMask=replace(binaryMask,"6","0110") | eval binaryMask=replace(binaryMask,"7","0111") -
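Review bot: The rewritten conversion line misspells the field it reads — `lower(GrantedAcces)` names a field that does not exist, so eval leaves binaryMask null on every event and none of the downstream `like()` pattern tests can ever match; it should read `| eval binaryMask=lower(GrantedAccess)`, the spelling used by `stats count by GrantedAccess` two lines earlier. Lower-casing is otherwise the right addition, since the hex-digit `replace()` steps match only lowercase digits (the `a`–`f` steps lie past the end of this hunk). The search pipeline continues outside the hunk.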
oukeu revised this gist
Sep 1, 2021 . 1 changed file with 30 additions and 30 deletions.
@@ -21,36 +21,36 @@ $Your_Sysmon_Logic_Here$ EventCode=10 ```Set temp var 'perms' to permission name on mask match returning true, null on false. Concat temp 'perms' to Permissions field``` ```Note: _ is the equivalent to '.' in regex. Note 2: It is probably better to just have Permissions be a mv and individually set each member, but this works.``` | eval perms=if(like(binaryMask, "1_______________________________"), "GENERIC_READ", "") | eval Permissions = perms. "," | eval perms=if(like(binaryMask, "_1______________________________"), "GENERIC_WRITE", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "__1_____________________________"), "GENERIC_EXECUTE", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "___1____________________________"), "GENERIC_ALL", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "_______1________________________"), "ACCESS_SYSTEM_SECURITY", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "___________1____________________"), "SYNCHRONIZE", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "____________1___________________"), "WRITE_OWNER", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "_____________1__________________"), "WRITE_DAC", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "______________1_________________"), "READ_CONTROL", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "_______________1________________"), "DELETE", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "___________11111________________"), "STANDARD_RIGHTS_ALL", "") | eval Permissions = Permissions. "" .perms. 
"," | eval perms=if(like(binaryMask, "______________1_________________"), "STANDARD_RIGHTS_EXECUTE", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "______________1_________________"), "STANDARD_RIGHTS_READ", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "____________1111________________"), "STANDARD_RIGHTS_REQUIRED", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "______________1_________________"), "STANDARD_RIGHTS_WRITE", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "___________________1____________"), "PROCESS_QUERY_LIMITED_INFORMATION", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "____________________1___________"), "PROCESS_SUSPEND_RESUME", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "_____________________1__________"), "PROCESS_QUERY_INFORMATION", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "______________________1_________"), "PROCESS_SET_INFORMATION", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "_______________________1________"), "PROCESS_SET_QUOTA", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "________________________1_______"), "PROCESS_CREATE_PROCESS", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "_________________________1______"), "PROCESS_DUP_HANDLE", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "__________________________1_____"), "PROCESS_VM_WRITE", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "___________________________1____"), "PROCESS_VM_READ", "") | eval Permissions = Permissions. "" .perms. 
"," | eval perms=if(like(binaryMask, "____________________________1___"), "PROCESS_VM_OPERATION", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "_____________________________1__"), "PROCESS_SET_SESSIONID", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "______________________________1_"), "PROCESS_CREATE_THREAD", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "_______________________________1"), "PROCESS_TERMINATE", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "___________11111____111111111111"), "PROCESS_ALL_ACCESS_OLD", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "___________111111111111111111111"), "PROCESS_ALL_ACCESS_NEW", "") | eval Permissions = Permissions. "" .perms ```Do some multivalue hackery to clean up the Permissions string and remove null values by separating them and expanding them into individual events``` | eval Permissions = split(Permissions, ",") -
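Review bot: The three STANDARD_RIGHTS_EXECUTE, STANDARD_RIGHTS_READ and STANDARD_RIGHTS_WRITE tests use the identical pattern `"______________1_________________"` as READ_CONTROL, which reads like a copy-paste error but is correct — winnt.h defines all three as READ_CONTROL (0x00020000) — so a one-line comment in the file's own backtick style would stop the next maintainer from "fixing" it: ```STANDARD_RIGHTS_READ/WRITE/EXECUTE are all defined as READ_CONTROL (0x00020000) in winnt.h, so they intentionally test the same bit```. The leading comment on this hunk also says perms is "null on false", but the `if()` else-branch is the empty string `""`, not null; that is why the later `search Permissions!=""` filter exists, and rewording the comment to say "empty string on false" would make that dependency explicit. Because every pattern is exactly 32 characters with no `%` wildcard, these tests silently return false for any binaryMask that is not precisely 32 characters, which depends on the padding step outside this hunk.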
oukeu created this gist
Sep 1, 2021 .
@@ -0,0 +1,64 @@ ``` Author: @0x1FFFFF Date: 1 September, 2021 Goal: Enumerate the human readable permission listed in Sysmon EID 10s. Note: This type of logic is too heavy to run inline in a search. Use this to generate results and add to a lookup table. ``` $Your_Sysmon_Logic_Here$ EventCode=10 | stats count by GrantedAccess ```Convert from Hex to Binary``` | eval binaryMask = GrantedAccess | eval binaryMask=ltrim(binaryMask, "0x") | eval binaryMask=replace(binaryMask,"0","0000") | eval binaryMask=replace(binaryMask,"1","0001") | eval binaryMask=replace(binaryMask,"2","0010") | eval binaryMask=replace(binaryMask,"3","0011") | eval binaryMask=replace(binaryMask,"4","0100") | eval binaryMask=replace(binaryMask,"5","0101") | eval binaryMask=replace(binaryMask,"6","0110") | eval binaryMask=replace(binaryMask,"7","0111") | eval binaryMask=replace(binaryMask,"8","1000") | eval binaryMask=replace(binaryMask,"9","1001") | eval binaryMask=replace(binaryMask,"a","1010") | eval binaryMask=replace(binaryMask,"b","1011") | eval binaryMask=replace(binaryMask,"c","1100") | eval binaryMask=replace(binaryMask,"d","1101") | eval binaryMask=replace(binaryMask,"e","1110") | eval binaryMask=replace(binaryMask,"f","1111") ```Shift values right and output the full mask (i.e. 0x1 > 0001 > 00000000000000000000000000000001)``` | eval fullMask = "00000000000000000000000000000000" | eval maskLen = 32 - len(binaryMask) | eval binaryMask = substr(fullMask, 1, maskLen) + binaryMask ```Set temp var 'perms' to permission name on mask match returning true, null on false. Concat temp 'perms' to Permissions field``` ```Note: _ is the equivalent to '.' in regex. Note 2: It is probably better to just have Permissions be a mv and individually set each member, but this works.``` | eval perms=if(like(binaryMask, "1_______________________________"), "GENERIC_READ", "") | eval Permissions = perms. 
"," | eval perms=if(like(binaryMask, "_1______________________________"), "GENERIC_WRITE", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "__1_____________________________"), "GENERIC_EXECUTE", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "___1____________________________"), "GENERIC_ALL", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "_______1________________________"), "ACCESS_SYSTEM_SECURITY", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "___________1____________________"), "SYNCHRONIZE", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "____________1___________________"), "WRITE_OWNER", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "_____________1__________________"), "WRITE_DAC", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "______________1_________________"), "READ_CONTROL", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "_______________1________________"), "DELETE", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "___________11111________________"), "STANDARD_RIGHTS_ALL", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "______________1_________________"), "STANDARD_RIGHTS_EXECUTE", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "______________1_________________"), "STANDARD_RIGHTS_READ", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "____________1111________________"), "STANDARD_RIGHTS_REQUIRED", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "______________1_________________"), "STANDARD_RIGHTS_WRITE", "") | eval Permissions = Permissions. "" .perms. 
"," | eval perms=if(like(binaryMask, "___________________1____________"), "PROCESS_QUERY_LIMITED_INFORMATION", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "____________________1___________"), "PROCESS_SUSPEND_RESUME", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "_____________________1__________"), "PROCESS_QUERY_INFORMATION", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "______________________1_________"), "PROCESS_SET_INFORMATION", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "_______________________1________"), "PROCESS_SET_QUOTA", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "________________________1_______"), "PROCESS_CREATE_PROCESS", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "_________________________1______"), "PROCESS_DUP_HANDLE", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "__________________________1_____"), "PROCESS_VM_WRITE", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "___________________________1____"), "PROCESS_VM_READ", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "____________________________1___"), "PROCESS_VM_OPERATION", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "_____________________________1__"), "PROCESS_SET_SESSIONID", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "______________________________1_"), "PROCESS_CREATE_THREAD", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "_______________________________1"), "PROCESS_TERMINATE", "") | eval Permissions = Permissions. "" .perms. 
"," | eval perms=if(like(binaryMask, "___________11111____111111111111"), "PROCESS_ALL_ACCESS_OLD", "") | eval Permissions = Permissions. "" .perms. "," | eval perms=if(like(binaryMask, "___________111111111111111111111"), "PROCESS_ALL_ACCESS_NEW", "") | eval Permissions = Permissions. "" .perms ```Do some multivalue hackery to clean up the Permissions string and remove null values by separating them and expanding them into individual events``` | eval Permissions = split(Permissions, ",") | mvexpand Permissions | search Permissions!="" ```Re-combine the seperate events and display. This part isn't really needed, since you could store the results in a lookup with mv support, but it looks cleaner``` | stats values(Permissions) as Permissions by GrantedAccess | mvcombine Permissions | table GrantedAccess Permissions | sort GrantedAccess
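Review bot: The zero-padding step `| eval binaryMask = substr(fullMask, 1, maskLen) + binaryMask` uses `+`, which in Splunk eval performs numeric addition when both operands parse as numbers — and a run of zeros and a string of binary digits both do — so the result may collapse to a number instead of the 32-character string that every fixed-width `like()` pattern below relies on; the unambiguous string concatenation is `| eval binaryMask = substr(fullMask, 1, maskLen) . binaryMask`. When binaryMask is already 32 characters, `substr(fullMask, 1, 0)` returns an empty string and the expression should still behave, but that is worth a comment since `maskLen` would go negative for anything longer than 8 hex digits. The hex-to-binary replace chain is order-sensitive (each digit is expanded into 0/1 only after the `0` and `1` steps have run), and a short comment saying so would protect it from being reordered.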