Skip to content

Commit

Permalink
Merge pull request #13 from google/add-new-items
Browse files Browse the repository at this point in the history
Add new DFIQ YAML files and update copyright header in existing ones.
  • Loading branch information
obsidianforensics authored Feb 6, 2024
2 parents e72d352 + bb42a5a commit b74c8a7
Show file tree
Hide file tree
Showing 142 changed files with 714 additions and 153 deletions.
8 changes: 4 additions & 4 deletions data/approaches/Q1001.10.yaml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Copyright 2023 Google LLC
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -38,7 +38,7 @@ description:
- "[Web Browsers on ForensicArtifacts](https://github.com/ForensicArtifacts/artifacts/blob/main/data/webbrowser.yaml)"
view:
data:
- type: artifact
- type: ForensicArtifact
value: BrowserHistory
- type: description
value: Collect local browser history artifacts. These are often in the
Expand All @@ -56,7 +56,7 @@ view:
- Browsers installed in non-standard paths
- Downloads made during Incognito sessions
processors:
- name: plaso
- name: Plaso
options:
- type: parsers
value: webhist
Expand All @@ -71,7 +71,7 @@ view:
- description: *filter-desc
type: pandas
value: query('data_type in ("chrome:history:file_downloaded", "safari:downloads:entry")')
- name: hindsight
- name: Hindsight
options:
- type: format
value: jsonl
Expand Down
6 changes: 3 additions & 3 deletions data/approaches/Q1001.11.yaml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Copyright 2023 Google LLC
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -43,7 +43,7 @@ description:
view:
data:
- type: artifact
- type: ForensicArtifact
value: SantaLogs
- type: description
value: Santa logs stored on the local disk; they may also be centralized off-system,
Expand All @@ -58,7 +58,7 @@ view:
- Downloads that occurred on macOS with Santa, but during a time period for which
there are no Santa logs (out of retention or Santa was disabled).
processors:
- name: plaso
- name: Plaso
options:
- type: parsers
value: santa
Expand Down
8 changes: 4 additions & 4 deletions data/approaches/Q1001.12.yaml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Copyright 2023 Google LLC
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -47,7 +47,7 @@ description:
- "[Change Journals](https://learn.microsoft.com/en-gb/windows/win32/fileio/change-journals)"
view:
data:
- type: artifact
- type: ForensicArtifact
value: NTFSUSNJournal
- type: description
value: The NTFS $UsnJnrl file system metadata file. This ForensicArtifact definition
Expand All @@ -63,7 +63,7 @@ view:
- Downloads that would be covered, but happened long enough ago that the USN Journal
records that would show it have been deleted.
processors:
- name: plaso
- name: Plaso
options:
- type: parsers
value: usnjrnl
Expand All @@ -77,5 +77,5 @@ view:
- description: Select and search for the `file_reference` value for an event of interest
from the previous query. There should be one with the same timestamp as your
previous event and its `filename` value is the download's final name.
type: opensearch-query-variable
type: opensearch-query
value: data_type:"fs:ntfs:usn_change" {file_reference value} "USN_REASON_RENAME_NEW_NAME"
49 changes: 49 additions & 0 deletions data/approaches/Q1018.10.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

---
display_name: Use Crowdstrike "Bulk Domains" to link source processes to DNS queries
type: approach
id: Q1018.10
dfiq_version: 1.0.0
tags:
- CrowdStrike
- DNS
description:
summary: CrowdStrike records the source process ID (ContextProcessId) for DNSRequest event.
details: >
Crowdstrike is a detection platform, not a logging platform, so not all DNS requests are logged.
Content Filter needs to be enabled to capture DNS request queries.
references:
- https://www.crowdstrike.com/blog/hunt-threat-activity-falcon-host-endpoint-protection/bulk-domain-search-results/
view:
data:
- type: CrowdStrike
value: DnsRequest
notes:
covered:
- Mac, Linux, and Windows hosts with a CrowdStrike Falcon agent
not_covered:
- Hosts with the Falcon agent, but where the Content Filter is not enabled
processors:
- name: Crowdstrike Investigate (UI)
analysis:
- name: Manual
steps:
- description: UI steps in Investigate Bulk domains
type: GUI
value: >
In the second table, `Process that looked up specified Domain(s)` the columns
`PID`, `Process ID`, and `File Name` give the source process information for the
DNS query.
46 changes: 46 additions & 0 deletions data/approaches/Q1018.11.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

---
display_name: Use Crowdstrike event search to link source processes to DNS queries
type: approach
id: Q1018.11
dfiq_version: 1.0.0
tags:
- CrowdStrike
- DNS
description:
summary: CrowdStrike records the source process ID (ContextProcessId) for DNSRequest event.
details: >
Crowdstrike is a detection platform, not a logging platform, so not all DNS requests are logged.
Content Filter needs to be enabled to capture DNS request queries.
references:
- https://www.crowdstrike.com/blog/hunt-threat-activity-falcon-host-endpoint-protection/bulk-domain-search-results/
view:
data:
- type: CrowdStrike
value: DnsRequest
notes:
covered:
- Mac, Linux, and Windows hosts with a CrowdStrike Falcon agent
not_covered:
- Hosts with the Falcon agent, but where the Content Filter is not enabled
processors:
- name: Splunk
analysis:
- name: Splunk-Query
steps:
- description: Query joining DNS Request events and executions gives the source for each DNS query
type: splunk-query
value: ComputerName="{hostname}" event_simpleName=ProcessRollup* | rename TargetProcessId_decimal as ContextProcessId_decimal | join ContextProcessId_decimal [search ComputerName="{hostname}" event_simpleName=DnsRequest | fields ContextProcessId_decimal, DomainName] | table _time, DomainName, ImageFileName
73 changes: 73 additions & 0 deletions data/approaches/Q1018.12.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

---
display_name: Use Sysmon (Event ID 22) to link source processes to DNS queries
type: approach
id: Q1018.12
dfiq_version: 1.0.0
tags:
- Sysmon
- DNS
- Windows
description:
summary: Sysmon Event ID 22 DnsQuery stores source process ID
details: >
DNS Query, event ID 22, records a DNS query being issued by a specific host and the originating process.
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90022
view:
data:
- type: ForensicArtifact
value: WindowsXMLEventLogSysmon
notes:
covered:
- Windows
not_covered:
- Windows hosts without Sysmon installed
processors:
- name: Splunk
analysis:
- name: Splunk-Query
steps:
- description: Query for Sysmon Event ID 22 and extracting the parent process ID and path.
type: splunk-query
value: source="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=22 | table _time, host, process_id, process_path
- name: Plaso
analysis:
- name: OpenSearch
steps:
- description: Query for Sysmon Event ID 22 events
type: opensearch-query
value: data_type:"windows:evtx:record" source_name:"Microsoft-Windows-Sysmon" event_identifier:22
- description: Determine the source process in relevant event(s)
type: manual
value: >
Plaso (as of v20230717) doesn't parse the `xml_string` into attributes. Examine the
`xml_string`; the value after `<Data Name="Image">` is the process that made the
DNS query.
- name: Python Notebook
steps:
- description: Query for Sysmon Event ID 22 events
type: pandas
value: df.query('data_type == "windows:evtx:record" and source_name == "Microsoft-Windows-Sysmon" and event_identifier == 22')
- description: Extract `Image` attribute
type: pandas
value: df['process'] = df['xml_string'].str.extract(r'<Data Name="Image">(.*?)</Data>')
- description: Extract `QueryName` attribute
type: pandas
value: df['query'] = df['xml_string'].str.extract(r'<Data Name="QueryName">(.*?)</Data>')
- description: Filter down to DNS query of interest
type: pandas
value: df[df.query.str.contains('<domain>')]
47 changes: 47 additions & 0 deletions data/approaches/Q1019.10.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

---
display_name: Collect process executions in Crowdstrike event search
type: approach
id: Q1019.10
dfiq_version: 1.0.0
tags:
- CrowdStrike
- Process Execution
description:
summary: CrowdStrike records process executions in ProcessRollup event.
details: >
CrowdStrike is a detection platform, not a logging platform, so not all ProcessRollup events might be logged.
references:
- https://www.crowdstrike.com/blog/understanding-indicators-attack-ioas-power-event-stream-processing-crowdstrike-falcon/
view:
data:
- type: CrowdStrike
value: ProcessRollup
notes:
covered:
- Mac, Linux and Windows systems with the Falcon Agent
- Chrome, Firefox, Safari, and Edge web browsers
not_covered:
- Other browsers (including Chromium)
- One of those four browsers, but have had their process name changed
processors:
- name: Splunk
analysis:
- name: Splunk-Query
steps:
- description: Query filtering the known browsers in execution event logs.
type: splunk-query
value: ComputerName="{hostname}" event_simpleName=ProcessRollup* ImageFileName IN ("*chrome*", "*firefox*", "*safari*", "*edge*") | table _time, CommandLine, ImageFileName
8 changes: 4 additions & 4 deletions data/approaches/Q1020.10.yaml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Copyright 2023 Google LLC
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -40,7 +40,7 @@ description:
- "[Web Browsers on ForensicArtifacts](https://github.com/ForensicArtifacts/artifacts/blob/main/data/webbrowser.yaml)"
view:
data:
- type: artifact
- type: ForensicArtifact
value: BrowserHistory
- type: description
value: Collect local browser history artifacts. These are often in the
Expand All @@ -59,7 +59,7 @@ view:
- Browsers installed in non-standard paths
- Visits made in Incognito/Private sessions
processors:
- name: plaso
- name: Plaso
options:
- type: parsers
value: webhist
Expand All @@ -74,7 +74,7 @@ view:
- description: *filter-desc
type: pandas
value: query('data_type in ("chrome:history:page_visited", "firefox:places:page_visited", "safari:history:visit_sqlite")')
- name: hindsight
- name: Hindsight
options:
- type: format
value: jsonl
Expand Down
50 changes: 50 additions & 0 deletions data/approaches/Q1024.10.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

---
display_name: Search CrowdStrike logs for Incognito Chrome processes
type: approach
id: Q1024.10
dfiq_version: 1.0.0
tags:
- CrowdStrike
- Process Execution
- Web Browser
description:
summary: CrowdStrike records the source process ID (ContextProcessId) for ProcessRollup events.
details: >
Crowdstrike is a detection platform, not a logging platform, so not all executions are logged.
We cannot always connect a running browser process with observed DNS requests. When we do see
DNS requests coming from a browser process, yet we don't see browsing history, there are
several possible explanations, including browser extensions or private browsing.
references:
- https://www.crowdstrike.com/blog/tech-center/hunt-threat-activity-falcon-endpoint-protection/
view:
data:
- type: CrowdStrike
value: ProcessRollup
notes:
covered:
- Chrome on Mac, Linux, and Windows hosts with a CrowdStrike Falcon agent
not_covered:
- Chrome instances with a renamed process
- Other Chromium-based browsers
processors:
- name: Splunk
analysis:
- name: Splunk-Query
steps:
- description: Query searching for browser processes executed in private mode
type: splunk-query
value: ComputerName="{hostname}" event_simpleName=ProcessRollup* CommandLine IN ("*chrome*") CommandLine IN (*disable-databases*) | table _time, DomainName, CommandLine
Loading

0 comments on commit b74c8a7

Please sign in to comment.