diff --git a/pkg/event/param_windows.go b/pkg/event/param_windows.go
index 0130265b8..1054260b7 100644
--- a/pkg/event/param_windows.go
+++ b/pkg/event/param_windows.go
@@ -82,7 +82,7 @@ func (p Param) String() string {
 if err != nil {
 return ""
 }
- if p.Name == params.ProcessIntegrityLevel {
+ if p.Name == params.ProcessTokenIntegrityLevel {
 return sys.RidToString(sid)
 }
 return sid.String()
@@ -312,7 +312,7 @@ func (e *Event) produceParams(evt *etw.EventRecord) {
 e.AppendParam(params.ProcessFlags, params.Flags, flags, WithFlags(PsCreationFlags))
 e.AppendParam(params.ProcessTokenElevationType, params.Enum, tokenElevationType, WithEnum(PsTokenElevationTypes))
 e.AppendParam(params.ProcessTokenIsElevated, params.Bool, tokenIsElevated > 0)
- e.AppendParam(params.ProcessIntegrityLevel, params.SID, tokenMandatoryLabel)
+ e.AppendParam(params.ProcessTokenIntegrityLevel, params.SID, tokenMandatoryLabel)
 e.AppendParam(params.Exe, params.DOSPath, exe)
 case OpenProcess:
 processID := evt.ReadUint32(0)
diff --git a/pkg/event/params/params_windows.go b/pkg/event/params/params_windows.go
index 1a860094d..716719496 100644
--- a/pkg/event/params/params_windows.go
+++ b/pkg/event/params/params_windows.go
@@ -58,8 +58,8 @@ const (
 ExitStatus = "exit_status"
 // StartTime field denotes the process start time.
 StartTime = "start_time"
- // ProcessIntegrityLevel field denotes the process integrity level.
- ProcessIntegrityLevel = "integrity_level"
+ // ProcessTokenIntegrityLevel field denotes the process integrity level.
+ ProcessTokenIntegrityLevel = "token_integrity_level"
 // ProcessTokenElevationType field designates the process token elevation type.
 ProcessTokenElevationType = "token_elevation_type"
 // ProcessTokenIsElevated field designates if the process token is elevated.
diff --git a/pkg/filter/accessor_windows.go b/pkg/filter/accessor_windows.go
index d2ea35fd6..aa18c401d 100644
--- a/pkg/filter/accessor_windows.go
+++ b/pkg/filter/accessor_windows.go
@@ -430,11 +430,64 @@ func (ps *psAccessor) Get(f Field, e *event.Event) (params.Value, error) { return nil, ErrPsNil } return ps.IsProtected, nil + case fields.PsChildTokenIntegrityLevel: + if e.Category != event.Process { + return nil, nil + } + return e.GetParamAsString(params.ProcessTokenIntegrityLevel), nil + case fields.PsChildTokenIsElevated: + if e.Category != event.Process { + return nil, nil + } + return e.Params.GetBool(params.ProcessTokenIsElevated) + case fields.PsChildTokenElevationType: + if e.Category != event.Process { + return nil, nil + } + return e.GetParamAsString(params.ProcessTokenElevationType), nil + case fields.PsTokenIntegrityLevel: + ps := e.PS + if ps == nil { + return nil, ErrPsNil + } + return ps.TokenIntegrityLevel, nil + case fields.PsTokenElevationType: + ps := e.PS + if ps == nil { + return nil, ErrPsNil + } + return ps.TokenElevationType, nil + case fields.PsTokenIsElevated: + ps := e.PS + if ps == nil { + return nil, ErrPsNil + } + return ps.IsTokenElevated, nil + case fields.PsParentTokenIntegrityLevel: + ps := getParentPs(e) + if ps == nil { + return nil, ErrPsNil + } + return ps.TokenIntegrityLevel, nil + case fields.PsParentTokenElevationType: + ps := getParentPs(e) + if ps == nil { + return nil, ErrPsNil + } + return ps.TokenElevationType, nil + case fields.PsParentTokenIsElevated: + ps := getParentPs(e) + if ps == nil { + return nil, ErrPsNil + } + return ps.IsTokenElevated, nil case fields.PsAncestors: if e.PS != nil { ancestors := make([]*pstypes.PS, 0) walk := func(proc *pstypes.PS) { - ancestors = append(ancestors, proc) + if proc != nil { + ancestors = append(ancestors, proc) + } } pstypes.Walk(walk, e.PS) @@ -474,7 +527,9 @@ func (ps *psAccessor) Get(f Field, e *event.Event) (params.Value, error) { ancestors := make([]string, 0) walk := func(proc *pstypes.PS) { - ancestors = append(ancestors, proc.Name) + if proc != nil { + ancestors = append(ancestors, proc.Name) + } } pstypes.Walk(walk, e.PS) 
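Review bot: `case fields.PsChildTokenIsElevated` returns `e.Params.GetBool(params.ProcessTokenIsElevated)` straight through, while the two sibling child-token cases go through `e.GetParamAsString(...)` with a fixed `nil` error; the param_windows.go hunk appends the token parameters only in the CreateProcess branch (the next case there is `OpenProcess`), so on other Process-category events the parameter is absent and, if `GetBool` reports a missing parameter as an error, `ps.child.token.is_elevated` fails the whole filter evaluation instead of yielding no value like its siblings. Consider mirroring the string cases, e.g. `v, err := e.Params.GetBool(params.ProcessTokenIsElevated); if err != nil { return nil, nil }; return v, nil`, or, if the existing boolean child fields above this hunk propagate the error deliberately, a one-line comment saying so. The six `ps := e.PS` / `ps := getParentPs(e)` cases also shadow the `ps *psAccessor` receiver and repeat the same nil guard; grouping the three `fields.PsToken*` cases (and the three `fields.PsParentToken*` cases) under a single guard followed by an inner switch would remove most of the duplication. `Get` starts and ends outside this hunk.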
diff --git a/pkg/filter/fields/fields_windows.go b/pkg/filter/fields/fields_windows.go index 84904fe02..26517e88f 100644 --- a/pkg/filter/fields/fields_windows.go +++ b/pkg/filter/fields/fields_windows.go 
@@ -165,6 +165,24 @@ const ( PsChildIsPackagedField Field = "ps.child.is_packaged" // PsChildIsProtectedField represents the field that indicates if the process is to be run as a protected process PsChildIsProtectedField Field = "ps.child.is_protected" + // PsTokenIntegrityLevel represents the field that indicates the current process integrity level + PsTokenIntegrityLevel = "ps.token.integrity_level" + // PsTokenIsElevated represents the field that indicates if the current process token is elevated + PsTokenIsElevated = "ps.token.is_elevated" + // PsTokenElevationType represents the field that indicates if the current process token elevation type + PsTokenElevationType = "ps.token.elevation_type" + // PsChildTokenIntegrityLevel represents the field that indicates the created/child process integrity level + PsChildTokenIntegrityLevel = "ps.child.token.integrity_level" + // PsChildTokenIsElevated represents the field that indicates if the created/child process token is elevated + PsChildTokenIsElevated = "ps.child.token.is_elevated" + // PsChildTokenElevationType represents the field that indicates if the created/child process token elevation type + PsChildTokenElevationType = "ps.child.token.elevation_type" + // PsParentTokenIntegrityLevel represents the field that indicates the parent process integrity level + PsParentTokenIntegrityLevel = "ps.parent.token.integrity_level" + // PsParentTokenIsElevated represents the field that indicates if the parent process token is elevated + PsParentTokenIsElevated = "ps.parent.token.is_elevated" + // PsTokenElevationType represents the field that indicates if the parent process token elevation type + PsParentTokenElevationType = "ps.parent.token.elevation_type" // ThreadBasePrio is the base thread priority ThreadBasePrio Field = "thread.prio" 
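Review bot: The nine new constants are declared untyped (`PsTokenIntegrityLevel = "ps.token.integrity_level"`) while every neighbour in this block carries the `Field` type (`PsChildIsProtectedField Field = "ps.child.is_protected"`); untyped string constants still convert when used as `map[Field]` keys or switch cases, so this compiles, but `PsTokenIntegrityLevel Field = "ps.token.integrity_level"` (and likewise for the other eight) keeps the block consistent and lets the compiler reject a mistaken use as a plain string. The doc comment on the last constant names the wrong identifier — `// PsTokenElevationType represents ...` sits above `PsParentTokenElevationType` — and the three elevation-type comments read "indicates if the ... token elevation type", a copy of the boolean wording; suggested: `// PsParentTokenElevationType represents the field that denotes the parent process token elevation type`, with the same fix for `PsTokenElevationType` and `PsChildTokenElevationType`. The new boolean fields also drop the `Field` suffix that `PsChildIsProtectedField` and its siblings use, so the block now mixes two naming conventions.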
@@ -643,15 +661,18 @@ const ( EntropySegment Segment = "entropy" MD5Segment Segment = "md5" - PIDSegment Segment = "pid" - CmdlineSegment Segment = "cmdline" - ExeSegment Segment = "exe" - ArgsSegment Segment = "args" - CwdSegment Segment = "cwd" - SIDSegment Segment = "sid" - SessionIDSegment Segment = "sessionid" - UsernameSegment Segment = "username" - DomainSegment Segment = "domain" + PIDSegment Segment = "pid" + CmdlineSegment Segment = "cmdline" + ExeSegment Segment = "exe" + ArgsSegment Segment = "args" + CwdSegment Segment = "cwd" + SIDSegment Segment = "sid" + SessionIDSegment Segment = "sessionid" + UsernameSegment Segment = "username" + DomainSegment Segment = "domain" + TokenIntegrityLevelSegment Segment = "token.integrity_level" + TokenIsElevatedSegment Segment = "token.is_elevated" + TokenElevationTypeSegment Segment = "token.elevation_type" TidSegment Segment = "tid" StartAddressSegment Segment = "start_address" @@ -692,6 +713,9 @@ var segments = map[Segment]bool{ SessionIDSegment: true, UsernameSegment: true, DomainSegment: true, + TokenIntegrityLevelSegment: true, + TokenIsElevatedSegment: true, + TokenElevationTypeSegment: true, TidSegment: true, StartAddressSegment: true, UserStackBaseSegment: true, 
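Review bot: The three new segment names embed a dot (`TokenIntegrityLevelSegment Segment = "token.integrity_level"`) whereas every other segment in this block is a single token; if the field parser splits `ps.ancestors[1].token.integrity_level` on `.` before consulting `segments`, the lookup would see `token` rather than `token.integrity_level` and reject the segment even though it is registered here. This is inferred from the naming pattern only, since the parser is not in the diff; an assertion such as `{`ps.ancestors[1].token.integrity_level = 'SYSTEM'`, true}` next to the new cases in filter_test.go would settle it.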
@@ -713,7 +737,7 @@ var segments = map[Segment]bool{ } var allowedSegments = map[Field][]Segment{ - PsAncestors: {NameSegment, PIDSegment, CmdlineSegment, ExeSegment, ArgsSegment, CwdSegment, SIDSegment, SessionIDSegment, UsernameSegment, DomainSegment}, + PsAncestors: {NameSegment, PIDSegment, CmdlineSegment, ExeSegment, ArgsSegment, CwdSegment, SIDSegment, SessionIDSegment, UsernameSegment, DomainSegment, TokenIntegrityLevelSegment, TokenIsElevatedSegment, TokenElevationTypeSegment}, PsThreads: {TidSegment, StartAddressSegment, UserStackBaseSegment, UserStackLimitSegment, KernelStackBaseSegment, KernelStackLimitSegment}, PsModules: {PathSegment, NameSegment, AddressSegment, SizeSegment, ChecksumSegment}, PsMmaps: {AddressSegment, TypeSegment, AddressSegment, SizeSegment, ProtectionSegment, PathSegment}, 
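Review bot: Adding `TokenIntegrityLevelSegment`, `TokenIsElevatedSegment` and `TokenElevationTypeSegment` to the `PsAncestors` allow-list makes them pass validation, but nothing in this diff resolves those segments to `PS.TokenIntegrityLevel`, `PS.IsTokenElevated` or `PS.TokenElevationType` — the accessor_windows.go hunks only add the nil guard inside the ancestors walk. Unless the segment-to-field mapping lives in code outside this change and was updated there, `ps.ancestors[1].token.is_elevated` will validate and then yield nothing; a short comment on this line naming where the segments are resolved would make that dependency visible to the next person extending the list.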
@@ -846,73 +870,82 @@ var fields = map[Field]FieldInfo{ return true }}}, - PsPid: {PsPid, "process identifier", params.PID, []string{"ps.pid = 1024"}, nil, nil}, - PsPpid: {PsPpid, "parent process identifier", params.PID, []string{"ps.ppid = 45"}, nil, nil}, - PsName: {PsName, "process image name including the file extension", params.UnicodeString, []string{"ps.name contains 'firefox'"}, nil, nil}, - PsComm: {PsComm, "process command line", params.UnicodeString, []string{"ps.comm contains 'java'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsCmdline}}, nil}, - PsCmdline: {PsCmdline, "process command line", params.UnicodeString, []string{"ps.cmdline contains 'java'"}, nil, nil}, - PsExe: {PsExe, "full name of the process' executable", params.UnicodeString, []string{"ps.exe = 'C:\\Windows\\system32\\cmd.exe'"}, nil, nil}, - PsArgs: {PsArgs, "process command line arguments", params.Slice, []string{"ps.args in ('/cdir', '/-C')"}, nil, nil}, - PsCwd: {PsCwd, "process current working directory", params.UnicodeString, []string{"ps.cwd = 'C:\\Users\\Default'"}, nil, nil}, - PsSID: {PsSID, "security identifier under which this process is run", params.UnicodeString, []string{"ps.sid contains 'SYSTEM'"}, nil, nil}, - PsSessionID: {PsSessionID, "unique identifier for the current session", params.Int16, []string{"ps.sessionid = 1"}, nil, nil}, - PsDomain: {PsDomain, "process domain", params.UnicodeString, []string{"ps.domain contains 'SERVICE'"}, nil, nil}, - PsUsername: {PsUsername, "process username", params.UnicodeString, []string{"ps.username contains 'system'"}, nil, nil}, - PsEnvs: {PsEnvs, "process environment variables", params.Slice, []string{"ps.envs in ('SystemRoot:C:\\WINDOWS')", "ps.envs[windir] = 'C:\\WINDOWS'"}, nil, &Argument{Optional: true, ValidationFunc: func(arg string) bool { return true }}}, - PsHandleNames: {PsHandleNames, "allocated process handle names", params.Slice, []string{"ps.handles in ('\\BaseNamedObjects\\__ComCatalogCache__')"}, nil, nil}, 
- PsHandleTypes: {PsHandleTypes, "allocated process handle types", params.Slice, []string{"ps.handle.types in ('Key', 'Mutant', 'Section')"}, nil, nil}, - PsDTB: {PsDTB, "process directory table base address", params.Address, []string{"ps.dtb = '7ffe0000'"}, nil, nil}, - PsModuleNames: {PsModuleNames, "modules loaded by the process", params.Slice, []string{"ps.modules in ('crypt32.dll', 'xul.dll')"}, nil, nil}, - PsParentName: {PsParentName, "parent process image name including the file extension", params.UnicodeString, []string{"ps.parent.name contains 'cmd.exe'"}, nil, nil}, - PsParentPid: {PsParentPid, "parent process id", params.Uint32, []string{"ps.parent.pid = 4"}, nil, nil}, - PsParentComm: {PsParentComm, "parent process command line", params.UnicodeString, []string{"ps.parent.comm contains 'java'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsParentCmdline}}, nil}, - PsParentCmdline: {PsParentCmdline, "parent process command line", params.UnicodeString, []string{"ps.parent.cmdline contains 'java'"}, nil, nil}, - PsParentExe: {PsParentExe, "full name of the parent process' executable", params.UnicodeString, []string{"ps.parent.exe = 'C:\\Windows\\system32\\explorer.exe'"}, nil, nil}, - PsParentArgs: {PsParentArgs, "parent process command line arguments", params.Slice, []string{"ps.parent.args in ('/cdir', '/-C')"}, nil, nil}, - PsParentCwd: {PsParentCwd, "parent process current working directory", params.UnicodeString, []string{"ps.parent.cwd = 'C:\\Temp'"}, nil, nil}, - PsParentSID: {PsParentSID, "security identifier under which the parent process is run", params.UnicodeString, []string{"ps.parent.sid contains 'SYSTEM'"}, nil, nil}, - PsParentDomain: {PsParentDomain, "parent process domain", params.UnicodeString, []string{"ps.parent.domain contains 'SERVICE'"}, nil, nil}, - PsParentUsername: {PsParentUsername, "parent process username", params.UnicodeString, []string{"ps.parent.username contains 'system'"}, nil, nil}, - PsParentSessionID: 
{PsParentSessionID, "unique identifier for the current session of parent process", params.Int16, []string{"ps.parent.sessionid = 1"}, nil, nil}, - PsParentEnvs: {PsParentEnvs, "parent process environment variables", params.Slice, []string{"ps.parent.envs in ('MOZ_CRASHREPORTER_DATA_DIRECTORY')"}, nil, nil}, - PsParentHandles: {PsParentHandles, "allocated parent process handle names", params.Slice, []string{"ps.parent.handles in ('\\BaseNamedObjects\\__ComCatalogCache__')"}, nil, nil}, - PsParentHandleTypes: {PsParentHandleTypes, "allocated parent process handle types", params.Slice, []string{"ps.parent.handle.types in ('File', 'SymbolicLink')"}, nil, nil}, - PsParentDTB: {PsParentDTB, "parent process directory table base address", params.Address, []string{"ps.parent.dtb = '7ffe0000'"}, nil, nil}, - PsAccessMask: {PsAccessMask, "process desired access rights", params.AnsiString, []string{"ps.access.mask = '0x1400'"}, nil, nil}, - PsAccessMaskNames: {PsAccessMaskNames, "process desired access rights as a string list", params.Slice, []string{"ps.access.mask.names in ('SUSPEND_RESUME')"}, nil, nil}, - PsAccessStatus: {PsAccessStatus, "process access status", params.UnicodeString, []string{"ps.access.status = 'access is denied.'"}, nil, nil}, - PsSiblingPid: {PsSiblingPid, "created or terminated process identifier", params.PID, []string{"ps.sibling.pid = 320"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildPid}}, nil}, - PsChildPid: {PsChildPid, "created or terminated process identifier", params.PID, []string{"ps.child.pid = 320"}, nil, nil}, - PsSiblingName: {PsSiblingName, "created or terminated process name", params.UnicodeString, []string{"ps.sibling.name = 'notepad.exe'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildName}}, nil}, - PsChildName: {PsChildName, "created or terminated process name", params.UnicodeString, []string{"ps.child.name = 'notepad.exe'"}, nil, nil}, - PsSiblingComm: {PsSiblingComm, "created or terminated process command line", 
params.UnicodeString, []string{"ps.sibling.comm contains '\\k \\v'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildCmdline}}, nil}, - PsChildCmdline: {PsChildCmdline, "created or terminated process command line", params.UnicodeString, []string{"ps.child.cmdline contains '\\k \\v'"}, nil, nil}, - PsSiblingArgs: {PsSiblingArgs, "created process command line arguments", params.Slice, []string{"ps.sibling.args in ('/cdir', '/-C')"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildArgs}}, nil}, - PsChildArgs: {PsChildArgs, "created process command line arguments", params.Slice, []string{"ps.child.args in ('/cdir', '/-C')"}, nil, nil}, - PsSiblingExe: {PsSiblingExe, "created, terminated, or opened process id", params.UnicodeString, []string{"ps.sibling.exe contains '\\Windows\\cmd.exe'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildExe}}, nil}, - PsChildExe: {PsChildExe, "created, terminated, or opened process id", params.UnicodeString, []string{"ps.child.exe contains '\\Windows\\cmd.exe'"}, nil, nil}, - PsSiblingSID: {PsSiblingSID, "created or terminated process security identifier", params.UnicodeString, []string{"ps.sibling.sid contains 'SERVICE'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildSID}}, nil}, - PsChildSID: {PsChildSID, "created or terminated process security identifier", params.UnicodeString, []string{"ps.child.sid contains 'SERVICE'"}, nil, nil}, - PsSiblingSessionID: {PsSiblingSessionID, "created or terminated process session identifier", params.Int16, []string{"ps.sibling.sessionid == 1"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildSessionID}}, nil}, - PsChildSessionID: {PsChildSessionID, "created or terminated process session identifier", params.Int16, []string{"ps.child.sessionid == 1"}, nil, nil}, - PsSiblingDomain: {PsSiblingDomain, "created or terminated process domain", params.UnicodeString, []string{"ps.sibling.domain contains 'SERVICE'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildDomain}}, 
nil}, - PsChildDomain: {PsChildDomain, "created or terminated process domain", params.UnicodeString, []string{"ps.child.domain contains 'SERVICE'"}, nil, nil}, - PsSiblingUsername: {PsSiblingUsername, "created or terminated process username", params.UnicodeString, []string{"ps.sibling.username contains 'system'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildUsername}}, nil}, - PsChildUsername: {PsChildUsername, "created or terminated process username", params.UnicodeString, []string{"ps.child.username contains 'system'"}, nil, nil}, - PsUUID: {PsUUID, "unique process identifier", params.Uint64, []string{"ps.uuid > 6000054355"}, nil, nil}, - PsParentUUID: {PsParentUUID, "unique parent process identifier", params.Uint64, []string{"ps.parent.uuid > 6000054355"}, nil, nil}, - PsChildUUID: {PsChildUUID, "unique child process identifier", params.Uint64, []string{"ps.child.uuid > 6000054355"}, nil, nil}, - PsChildPeFilename: {PsChildPeFilename, "original file name of the child process executable supplied at compile-time", params.UnicodeString, []string{"ps.child.pe.file.name = 'NOTEPAD.EXE'"}, nil, nil}, - PsChildIsWOW64Field: {PsChildIsWOW64Field, "indicates if the 32-bit child process is created in 64-bit Windows system", params.Bool, []string{"ps.child.is_wow64"}, nil, nil}, - PsChildIsPackagedField: {PsChildIsPackagedField, "indicates if the child process is packaged with the MSIX technology", params.Bool, []string{"ps.child.is_packaged"}, nil, nil}, - PsChildIsProtectedField: {PsChildIsProtectedField, "indicates if the child process is a protected process", params.Bool, []string{"ps.child.is_protected"}, nil, nil}, - PsIsWOW64Field: {PsIsWOW64Field, "indicates if the process generating the event is a 32-bit process created in 64-bit Windows system", params.Bool, []string{"ps.is_wow64"}, nil, nil}, - PsIsPackagedField: {PsIsPackagedField, "indicates if the process generating the event is packaged with the MSIX technology", params.Bool, 
[]string{"ps.is_packaged"}, nil, nil}, - PsIsProtectedField: {PsIsProtectedField, "indicates if the process generating the event is a protected process", params.Bool, []string{"ps.is_protected"}, nil, nil}, - PsParentIsWOW64Field: {PsParentIsWOW64Field, "indicates if the parent process generating the event is a 32-bit process created in 64-bit Windows system", params.Bool, []string{"ps.parent.is_wow64"}, nil, nil}, - PsParentIsPackagedField: {PsParentIsPackagedField, "indicates if the parent process generating the event is packaged with the MSIX technology", params.Bool, []string{"ps.parent.is_packaged"}, nil, nil}, - PsParentIsProtectedField: {PsParentIsProtectedField, "indicates if the the parent process generating the event is a protected process", params.Bool, []string{"ps.parent.is_protected"}, nil, nil}, - PsAncestor: {PsAncestor, "the process ancestor name", params.UnicodeString, []string{"ps.ancestor[1] = 'svchost.exe'", "ps.ancestor in ('winword.exe')"}, nil, &Argument{Optional: true, Pattern: "[0-9]+", ValidationFunc: isNumber}}, + PsPid: {PsPid, "process identifier", params.PID, []string{"ps.pid = 1024"}, nil, nil}, + PsPpid: {PsPpid, "parent process identifier", params.PID, []string{"ps.ppid = 45"}, nil, nil}, + PsName: {PsName, "process image name including the file extension", params.UnicodeString, []string{"ps.name contains 'firefox'"}, nil, nil}, + PsComm: {PsComm, "process command line", params.UnicodeString, []string{"ps.comm contains 'java'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsCmdline}}, nil}, + PsCmdline: {PsCmdline, "process command line", params.UnicodeString, []string{"ps.cmdline contains 'java'"}, nil, nil}, + PsExe: {PsExe, "full name of the process' executable", params.UnicodeString, []string{"ps.exe = 'C:\\Windows\\system32\\cmd.exe'"}, nil, nil}, + PsArgs: {PsArgs, "process command line arguments", params.Slice, []string{"ps.args in ('/cdir', '/-C')"}, nil, nil}, + PsCwd: {PsCwd, "process current working directory", 
params.UnicodeString, []string{"ps.cwd = 'C:\\Users\\Default'"}, nil, nil}, + PsSID: {PsSID, "security identifier under which this process is run", params.UnicodeString, []string{"ps.sid contains 'SYSTEM'"}, nil, nil}, + PsSessionID: {PsSessionID, "unique identifier for the current session", params.Int16, []string{"ps.sessionid = 1"}, nil, nil}, + PsDomain: {PsDomain, "process domain", params.UnicodeString, []string{"ps.domain contains 'SERVICE'"}, nil, nil}, + PsUsername: {PsUsername, "process username", params.UnicodeString, []string{"ps.username contains 'system'"}, nil, nil}, + PsEnvs: {PsEnvs, "process environment variables", params.Slice, []string{"ps.envs in ('SystemRoot:C:\\WINDOWS')", "ps.envs[windir] = 'C:\\WINDOWS'"}, nil, &Argument{Optional: true, ValidationFunc: func(arg string) bool { return true }}}, + PsHandleNames: {PsHandleNames, "allocated process handle names", params.Slice, []string{"ps.handles in ('\\BaseNamedObjects\\__ComCatalogCache__')"}, nil, nil}, + PsHandleTypes: {PsHandleTypes, "allocated process handle types", params.Slice, []string{"ps.handle.types in ('Key', 'Mutant', 'Section')"}, nil, nil}, + PsDTB: {PsDTB, "process directory table base address", params.Address, []string{"ps.dtb = '7ffe0000'"}, nil, nil}, + PsModuleNames: {PsModuleNames, "modules loaded by the process", params.Slice, []string{"ps.modules in ('crypt32.dll', 'xul.dll')"}, nil, nil}, + PsParentName: {PsParentName, "parent process image name including the file extension", params.UnicodeString, []string{"ps.parent.name contains 'cmd.exe'"}, nil, nil}, + PsParentPid: {PsParentPid, "parent process id", params.Uint32, []string{"ps.parent.pid = 4"}, nil, nil}, + PsParentComm: {PsParentComm, "parent process command line", params.UnicodeString, []string{"ps.parent.comm contains 'java'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsParentCmdline}}, nil}, + PsParentCmdline: {PsParentCmdline, "parent process command line", params.UnicodeString, []string{"ps.parent.cmdline 
contains 'java'"}, nil, nil}, + PsParentExe: {PsParentExe, "full name of the parent process' executable", params.UnicodeString, []string{"ps.parent.exe = 'C:\\Windows\\system32\\explorer.exe'"}, nil, nil}, + PsParentArgs: {PsParentArgs, "parent process command line arguments", params.Slice, []string{"ps.parent.args in ('/cdir', '/-C')"}, nil, nil}, + PsParentCwd: {PsParentCwd, "parent process current working directory", params.UnicodeString, []string{"ps.parent.cwd = 'C:\\Temp'"}, nil, nil}, + PsParentSID: {PsParentSID, "security identifier under which the parent process is run", params.UnicodeString, []string{"ps.parent.sid contains 'SYSTEM'"}, nil, nil}, + PsParentDomain: {PsParentDomain, "parent process domain", params.UnicodeString, []string{"ps.parent.domain contains 'SERVICE'"}, nil, nil}, + PsParentUsername: {PsParentUsername, "parent process username", params.UnicodeString, []string{"ps.parent.username contains 'system'"}, nil, nil}, + PsParentSessionID: {PsParentSessionID, "unique identifier for the current session of parent process", params.Int16, []string{"ps.parent.sessionid = 1"}, nil, nil}, + PsParentEnvs: {PsParentEnvs, "parent process environment variables", params.Slice, []string{"ps.parent.envs in ('MOZ_CRASHREPORTER_DATA_DIRECTORY')"}, nil, nil}, + PsParentHandles: {PsParentHandles, "allocated parent process handle names", params.Slice, []string{"ps.parent.handles in ('\\BaseNamedObjects\\__ComCatalogCache__')"}, nil, nil}, + PsParentHandleTypes: {PsParentHandleTypes, "allocated parent process handle types", params.Slice, []string{"ps.parent.handle.types in ('File', 'SymbolicLink')"}, nil, nil}, + PsParentDTB: {PsParentDTB, "parent process directory table base address", params.Address, []string{"ps.parent.dtb = '7ffe0000'"}, nil, nil}, + PsAccessMask: {PsAccessMask, "process desired access rights", params.AnsiString, []string{"ps.access.mask = '0x1400'"}, nil, nil}, + PsAccessMaskNames: {PsAccessMaskNames, "process desired access rights as a 
string list", params.Slice, []string{"ps.access.mask.names in ('SUSPEND_RESUME')"}, nil, nil}, + PsAccessStatus: {PsAccessStatus, "process access status", params.UnicodeString, []string{"ps.access.status = 'access is denied.'"}, nil, nil}, + PsSiblingPid: {PsSiblingPid, "created or terminated process identifier", params.PID, []string{"ps.sibling.pid = 320"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildPid}}, nil}, + PsChildPid: {PsChildPid, "created or terminated process identifier", params.PID, []string{"ps.child.pid = 320"}, nil, nil}, + PsSiblingName: {PsSiblingName, "created or terminated process name", params.UnicodeString, []string{"ps.sibling.name = 'notepad.exe'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildName}}, nil}, + PsChildName: {PsChildName, "created or terminated process name", params.UnicodeString, []string{"ps.child.name = 'notepad.exe'"}, nil, nil}, + PsSiblingComm: {PsSiblingComm, "created or terminated process command line", params.UnicodeString, []string{"ps.sibling.comm contains '\\k \\v'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildCmdline}}, nil}, + PsChildCmdline: {PsChildCmdline, "created or terminated process command line", params.UnicodeString, []string{"ps.child.cmdline contains '\\k \\v'"}, nil, nil}, + PsSiblingArgs: {PsSiblingArgs, "created process command line arguments", params.Slice, []string{"ps.sibling.args in ('/cdir', '/-C')"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildArgs}}, nil}, + PsChildArgs: {PsChildArgs, "created process command line arguments", params.Slice, []string{"ps.child.args in ('/cdir', '/-C')"}, nil, nil}, + PsSiblingExe: {PsSiblingExe, "created, terminated, or opened process id", params.UnicodeString, []string{"ps.sibling.exe contains '\\Windows\\cmd.exe'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildExe}}, nil}, + PsChildExe: {PsChildExe, "created, terminated, or opened process id", params.UnicodeString, []string{"ps.child.exe contains 
'\\Windows\\cmd.exe'"}, nil, nil}, + PsSiblingSID: {PsSiblingSID, "created or terminated process security identifier", params.UnicodeString, []string{"ps.sibling.sid contains 'SERVICE'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildSID}}, nil}, + PsChildSID: {PsChildSID, "created or terminated process security identifier", params.UnicodeString, []string{"ps.child.sid contains 'SERVICE'"}, nil, nil}, + PsSiblingSessionID: {PsSiblingSessionID, "created or terminated process session identifier", params.Int16, []string{"ps.sibling.sessionid == 1"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildSessionID}}, nil}, + PsChildSessionID: {PsChildSessionID, "created or terminated process session identifier", params.Int16, []string{"ps.child.sessionid == 1"}, nil, nil}, + PsSiblingDomain: {PsSiblingDomain, "created or terminated process domain", params.UnicodeString, []string{"ps.sibling.domain contains 'SERVICE'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildDomain}}, nil}, + PsChildDomain: {PsChildDomain, "created or terminated process domain", params.UnicodeString, []string{"ps.child.domain contains 'SERVICE'"}, nil, nil}, + PsSiblingUsername: {PsSiblingUsername, "created or terminated process username", params.UnicodeString, []string{"ps.sibling.username contains 'system'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildUsername}}, nil}, + PsChildUsername: {PsChildUsername, "created or terminated process username", params.UnicodeString, []string{"ps.child.username contains 'system'"}, nil, nil}, + PsUUID: {PsUUID, "unique process identifier", params.Uint64, []string{"ps.uuid > 6000054355"}, nil, nil}, + PsParentUUID: {PsParentUUID, "unique parent process identifier", params.Uint64, []string{"ps.parent.uuid > 6000054355"}, nil, nil}, + PsChildUUID: {PsChildUUID, "unique child process identifier", params.Uint64, []string{"ps.child.uuid > 6000054355"}, nil, nil}, + PsChildPeFilename: {PsChildPeFilename, "original file name of the child process 
executable supplied at compile-time", params.UnicodeString, []string{"ps.child.pe.file.name = 'NOTEPAD.EXE'"}, nil, nil}, + PsChildIsWOW64Field: {PsChildIsWOW64Field, "indicates if the 32-bit child process is created in 64-bit Windows system", params.Bool, []string{"ps.child.is_wow64"}, nil, nil}, + PsChildIsPackagedField: {PsChildIsPackagedField, "indicates if the child process is packaged with the MSIX technology", params.Bool, []string{"ps.child.is_packaged"}, nil, nil}, + PsChildIsProtectedField: {PsChildIsProtectedField, "indicates if the child process is a protected process", params.Bool, []string{"ps.child.is_protected"}, nil, nil}, + PsIsWOW64Field: {PsIsWOW64Field, "indicates if the process generating the event is a 32-bit process created in 64-bit Windows system", params.Bool, []string{"ps.is_wow64"}, nil, nil}, + PsIsPackagedField: {PsIsPackagedField, "indicates if the process generating the event is packaged with the MSIX technology", params.Bool, []string{"ps.is_packaged"}, nil, nil}, + PsIsProtectedField: {PsIsProtectedField, "indicates if the process generating the event is a protected process", params.Bool, []string{"ps.is_protected"}, nil, nil}, + PsParentIsWOW64Field: {PsParentIsWOW64Field, "indicates if the parent process generating the event is a 32-bit process created in 64-bit Windows system", params.Bool, []string{"ps.parent.is_wow64"}, nil, nil}, + PsParentIsPackagedField: {PsParentIsPackagedField, "indicates if the parent process generating the event is packaged with the MSIX technology", params.Bool, []string{"ps.parent.is_packaged"}, nil, nil}, + PsParentIsProtectedField: {PsParentIsProtectedField, "indicates if the the parent process generating the event is a protected process", params.Bool, []string{"ps.parent.is_protected"}, nil, nil}, + PsAncestor: {PsAncestor, "the process ancestor name", params.UnicodeString, []string{"ps.ancestor[1] = 'svchost.exe'", "ps.ancestor in ('winword.exe')"}, nil, &Argument{Optional: true, Pattern: 
"[0-9]+", ValidationFunc: isNumber}}, + PsTokenIntegrityLevel: {PsTokenIntegrityLevel, "process token integrity level", params.UnicodeString, []string{"ps.token.integrity_level = 'SYSTEM'"}, nil, nil}, + PsTokenIsElevated: {PsTokenIsElevated, "indicates if the process token is elevated", params.Bool, []string{"ps.token.is_elevated = true"}, nil, nil}, + PsTokenElevationType: {PsTokenElevationType, "process token elevation type", params.AnsiString, []string{"ps.token.elevation_type = 'LIMITED'"}, nil, nil}, + PsChildTokenIntegrityLevel: {PsChildTokenIntegrityLevel, "child process token integrity level", params.UnicodeString, []string{"ps.child.token.integrity_level = 'SYSTEM'"}, nil, nil}, + PsChildTokenIsElevated: {PsChildTokenIsElevated, "indicates if the child process token is elevated", params.Bool, []string{"ps.child.token.is_elevated = true"}, nil, nil}, + PsChildTokenElevationType: {PsChildTokenElevationType, "child process token elevation type", params.AnsiString, []string{"ps.child.token.elevation_type = 'LIMITED'"}, nil, nil}, + PsParentTokenIntegrityLevel: {PsParentTokenIntegrityLevel, "parent process token integrity level", params.UnicodeString, []string{"ps.parent.token.integrity_level = 'HIGH'"}, nil, nil}, + PsParentTokenIsElevated: {PsParentTokenIsElevated, "indicates if the parent process token is elevated", params.Bool, []string{"ps.parent.token.is_elevated = true"}, nil, nil}, + PsParentTokenElevationType: {PsParentTokenElevationType, "parent process token elevation type", params.AnsiString, []string{"ps.parent.token.elevation_type = 'LIMITED'"}, nil, nil}, ThreadBasePrio: {ThreadBasePrio, "scheduler priority of the thread", params.Int8, []string{"thread.prio = 5"}, nil, nil}, ThreadIOPrio: {ThreadIOPrio, "I/O priority hint for scheduling I/O operations", params.Int8, []string{"thread.io.prio = 4"}, nil, nil}, diff --git a/pkg/filter/filter_test.go b/pkg/filter/filter_test.go index 2b46669fc..c658da0f8 100644 --- a/pkg/filter/filter_test.go 
+++ b/pkg/filter/filter_test.go @@ -109,21 +109,6 @@ func TestStringFields(t *testing.T) { } func TestProcFilter(t *testing.T) { - pars := event.Params{ - params.Cmdline: {Name: params.Cmdline, Type: params.UnicodeString, Value: "C:\\Windows\\system32\\svchost-fake.exe -k RPCSS"}, - params.ProcessName: {Name: params.ProcessName, Type: params.AnsiString, Value: "svchost-fake.exe"}, - params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1234)}, - params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: uint32(345)}, - params.UserSID: {Name: params.UserSID, Type: params.WbemSID, Value: []byte{224, 8, 226, 31, 15, 167, 255, 255, 0, 0, 0, 0, 15, 167, 255, 255, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0}}, - params.Username: {Name: params.Username, Type: params.UnicodeString, Value: "loki"}, - params.Domain: {Name: params.Domain, Type: params.UnicodeString, Value: "TITAN"}, - params.ProcessFlags: {Name: params.ProcessFlags, Type: params.Flags, Value: uint32(0x000000E)}, - } - - pars1 := event.Params{ - params.DesiredAccess: {Name: params.DesiredAccess, Type: params.Flags, Value: uint32(0x1400), Flags: event.PsAccessRightFlags}, - } - ps1 := &pstypes.PS{ Name: "wininit.exe", Username: "SYSTEM", 
@@ -138,17 +123,32 @@ func TestProcFilter(t *testing.T) {
 Name: "System",
 },
 },
- IsWOW64: false,
- IsProtected: true,
- IsPackaged: false,
+ IsWOW64: false,
+ IsProtected: true,
+ IsPackaged: false,
+ TokenIntegrityLevel: "SYSTEM",
+ IsTokenElevated: false,
+ TokenElevationType: "DEFAULT",
 }
 
 evt := &event.Event{
 Type: event.CreateProcess,
 Category: event.Process,
- Params: pars,
- Name: "CreateProcess",
- PID: 1023,
+ Params: event.Params{
+ params.Cmdline: {Name: params.Cmdline, Type: params.UnicodeString, Value: "C:\\Windows\\system32\\svchost-fake.exe -k RPCSS"},
+ params.ProcessName: {Name: params.ProcessName, Type: params.AnsiString, Value: "svchost-fake.exe"},
+ params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1234)},
+ params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: uint32(345)},
+ params.UserSID: {Name: params.UserSID, Type: params.WbemSID, Value: []byte{224, 8, 226, 31, 15, 167, 255, 255, 0, 0, 0, 0, 15, 167, 255, 255, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0}},
+ params.Username: {Name: params.Username, Type: params.UnicodeString, Value: "loki"},
+ params.Domain: {Name: params.Domain, Type: params.UnicodeString, Value: "TITAN"},
+ params.ProcessFlags: {Name: params.ProcessFlags, Type: params.Flags, Value: uint32(0x000000E)},
+ params.ProcessTokenIntegrityLevel: {Name: params.ProcessTokenIntegrityLevel, Type: params.AnsiString, Value: "SYSTEM"},
+ params.ProcessTokenIsElevated: {Name: params.ProcessTokenIsElevated, Type: params.Bool, Value: true},
+ params.ProcessTokenElevationType: {Name: params.ProcessTokenElevationType, Type: params.AnsiString, Value: "FULL"},
+ },
+ Name: "CreateProcess",
+ PID: 1023,
 PS: &pstypes.PS{
 Name: "svchost.exe",
 Cmdline: "C:\\Windows\\System32\\svchost.exe",
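Review bot: The fixture's child-token params (`ProcessTokenIsElevated: true`, `ProcessTokenElevationType: "FULL"`) deliberately disagree with the attached PS (`IsTokenElevated: false`, `TokenElevationType: "DEFAULT"`), which is what lets the ps.child.token.* and ps.token.* rows later in the test be told apart, but nothing says so, and the next edit that "fixes" the mismatch would silently weaken the test; a comment on the `Params: event.Params{` line such as `// token params intentionally differ from the PS/ps1 values so ps.child.token.* is distinguishable from ps.token.* and ps.parent.token.*` would preserve that intent. `TokenIntegrityLevel` is "SYSTEM" on the params, on the PS and on ps1 alike, so that one field is not distinguishable by this fixture. The fixture also types `ProcessTokenIntegrityLevel` as `params.AnsiString` while the field table registers ps.child.token.integrity_level as `params.UnicodeString`; harmless as long as the accessor reads it as a string, but worth aligning. TestProcFilter continues outside the hunk.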
@@ -171,9 +171,12 @@ func TestProcFilter(t *testing.T) {
 {Size: 34545, BaseAddress: va.Address(144229524944769), Protection: 4653056, File: "C:\\Windows\\System32\\ucrtbase.dll", Type: "IMAGE"}, //EXECUTE_READWRITE|READONLY
 {Size: 4096, BaseAddress: va.Address(145229445447666), Protection: 12845056, Type: "PAGEFILE"}, // READWRITE 12845056
 },
- IsProtected: false,
- IsPackaged: true,
- IsWOW64: false,
+ IsProtected: false,
+ IsPackaged: true,
+ IsWOW64: false,
+ TokenIntegrityLevel: "SYSTEM",
+ IsTokenElevated: false,
+ TokenElevationType: "DEFAULT",
 },
 }
 evt.Timestamp, _ = time.Parse(time.RFC3339, "2011-05-03T15:04:05.323Z")
@@ -181,9 +184,11 @@ func TestProcFilter(t *testing.T) {
 evt1 := &event.Event{
 Type: event.OpenProcess,
 Category: event.Process,
- Params: pars1,
- Name: "OpenProcess",
- PID: 1023,
+ Params: event.Params{
+ params.DesiredAccess: {Name: params.DesiredAccess, Type: params.Flags, Value: uint32(0x1400), Flags: event.PsAccessRightFlags},
+ },
+ Name: "OpenProcess",
+ PID: 1023,
 PS: &pstypes.PS{
 Name: "svchost.exe",
 Parent: ps1,
@@ -240,6 +245,16 @@ func TestProcFilter(t *testing.T) {
 {`ps.parent.is_wow64`, false},
 {`ps.parent.is_packaged`, false},
 {`ps.parent.is_protected`, true},
+ {`ps.token.integrity_level = 'SYSTEM'`, true},
+ {`ps.token.is_elevated = false`, true},
+ {`ps.token.elevation_type = 'DEFAULT'`, true},
+ {`ps.child.token.integrity_level = 'SYSTEM'`, true},
+ {`ps.child.token.is_elevated = true`, true},
+ {`ps.child.token.elevation_type = 'FULL'`, true},
+ {`ps.parent.token.integrity_level = 'SYSTEM'`, true},
+ {`ps.parent.token.is_elevated = false`, true},
+ {`ps.parent.token.elevation_type = 'DEFAULT'`, true},
+ {`evt.name = 'CreateProcess' and ps.name contains 'svchost'`, true},
 {`ps.modules IN ('kernel32.dll')`, true},
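Review bot: The nine new token rows in the table at @@ -240 all assert equality with the fixture's own values and never a mismatch, and because `TokenIntegrityLevel` is "SYSTEM" on the event params, the PS and the parent alike, the three integrity_level rows would still pass if an accessor read the wrong source. Mismatch rows such as `{`ps.child.token.is_elevated = false`, false},` and `{`ps.parent.token.integrity_level = 'HIGH'`, false},` pin that the comparison is real, and one row evaluated against an event that carries no token params would pin how a missing param compares rather than leaving it to the accessor's default. The test table continues outside the hunk.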
@@ -262,6 +277,7 @@ func TestProcFilter(t *testing.T) {
 {`foreach(ps._ancestors, $proc, $proc.username = 'SYSTEM')`, true},
 {`foreach(ps._ancestors, $proc, $proc.domain = 'NT AUTHORITY')`, true},
 {`foreach(ps._ancestors, $proc, $proc.username = upper('system'))`, true},
+ {`foreach(ps._ancestors, $proc, $proc.token.integrity_level = 'SYSTEM' and $proc.token.is_elevated = false and $proc.token.elevation_type = 'DEFAULT')`, true},
 {`ps.args intersects ('-k', 'DcomLaunch')`, true},
 {`ps.args intersects ('-w', 'DcomLaunch')`, false},
diff --git a/pkg/filter/ql/function.go b/pkg/filter/ql/function.go
index e4c0c5982..fa213415e 100644
--- a/pkg/filter/ql/function.go
+++ b/pkg/filter/ql/function.go
@@ -487,6 +487,12 @@ func (f *Foreach) procMapValuer(segments []*BoundSegmentLiteral, proc *pstypes.P
 valuer[key] = proc.Username
 case fields.DomainSegment:
 valuer[key] = proc.Domain
+ case fields.TokenIntegrityLevelSegment:
+ valuer[key] = proc.TokenIntegrityLevel
+ case fields.TokenIsElevatedSegment:
+ valuer[key] = proc.IsTokenElevated
+ case fields.TokenElevationTypeSegment:
+ valuer[key] = proc.TokenElevationType
 }
 }
 return valuer
diff --git a/pkg/ps/snapshotter_windows.go b/pkg/ps/snapshotter_windows.go
index d95b475ef..68801b5ac 100644
--- a/pkg/ps/snapshotter_windows.go
+++ b/pkg/ps/snapshotter_windows.go
@@ -185,7 +185,7 @@ func (s *snapshotter) Write(e *event.Event) error {
 e.AppendParam(params.Exe, params.Path, ps.Exe)
 }
 
- e.AppendParam(params.ProcessIntegrityLevel, params.AnsiString, ps.TokenIntegrityLevel)
+ e.AppendParam(params.ProcessTokenIntegrityLevel, params.AnsiString, ps.TokenIntegrityLevel)
 e.AppendParam(params.ProcessTokenElevationType, params.AnsiString, ps.TokenElevationType)
 e.AppendParam(params.ProcessTokenIsElevated, params.Bool, ps.IsTokenElevated)
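Review bot: The three new cases in procMapValuer dereference `proc` without a nil check, as the existing Username and Domain cases do; if the ancestor list handed to `foreach` can ever contain a nil entry, the first such entry panics the filter evaluation instead of yielding a non-match, which for a detection engine takes the whole rule down rather than just this event. If the caller already filters nil ancestors, a one-line comment above the switch saying so would spare the next reader the question; otherwise an early `if proc == nil { return valuer }` in procMapValuer is the cheaper fix. procMapValuer's signature and the loop enclosing the switch start outside the hunk.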
@@ -370,7 +370,7 @@ func (s *snapshotter) newProcState(pid, ppid uint32, e *event.Event) (*pstypes.P
 Ppid: ppid,
 Exe: e.GetParamAsString(params.Exe),
 Name: filepath.Base(e.GetParamAsString(params.Exe)),
- TokenIntegrityLevel: e.GetParamAsString(params.ProcessIntegrityLevel),
+ TokenIntegrityLevel: e.GetParamAsString(params.ProcessTokenIntegrityLevel),
 TokenElevationType: e.GetParamAsString(params.ProcessTokenElevationType),
 IsTokenElevated: e.Params.TryGetBool(params.ProcessTokenIsElevated),
 Threads: make(map[uint32]pstypes.Thread),
@@ -460,7 +460,7 @@ func (s *snapshotter) newProcState(pid, ppid uint32, e *event.Event) (*pstypes.P
 proc.TokenIntegrityLevel = sys.RidToString(tokenMandatoryLabel.Label.Sid)
 proc.IsTokenElevated = token.IsElevated()
 
- e.AppendParam(params.ProcessIntegrityLevel, params.AnsiString, proc.TokenIntegrityLevel)
+ e.AppendParam(params.ProcessTokenIntegrityLevel, params.AnsiString, proc.TokenIntegrityLevel)
 e.AppendParam(params.ProcessTokenIsElevated, params.Bool, proc.IsTokenElevated)
 }
diff --git a/pkg/ps/snapshotter_windows_test.go b/pkg/ps/snapshotter_windows_test.go
index 92b1879fd..254c76d2f 100644
--- a/pkg/ps/snapshotter_windows_test.go
+++ b/pkg/ps/snapshotter_windows_test.go
@@ -200,12 +200,12 @@ func TestWriteInternalEventsEnrichment(t *testing.T) {
 {
 Type: event.CreateProcessInternal,
 Params: event.Params{
- params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1024)},
- params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
- params.Exe: {Name: params.Exe, Type: params.UnicodeString, Value: `C:\Windows\System32\svchost.exe`},
- params.ProcessIntegrityLevel: {Name: params.ProcessIntegrityLevel, Type: params.AnsiString, Value: "HIGH"},
- params.ProcessTokenIsElevated: {Name: params.ProcessTokenIsElevated, Type: params.Bool, Value: true},
- params.ProcessTokenElevationType: {Name: params.ProcessTokenElevationType, Type: params.AnsiString, Value: "FULL"},
+ params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1024)},
+ params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
+ params.Exe: {Name: params.Exe, Type: params.UnicodeString, Value: `C:\Windows\System32\svchost.exe`},
+ params.ProcessTokenIntegrityLevel: {Name: params.ProcessTokenIntegrityLevel, Type: params.AnsiString, Value: "HIGH"},
+ params.ProcessTokenIsElevated: {Name: params.ProcessTokenIsElevated, Type: params.Bool, Value: true},
+ params.ProcessTokenElevationType: {Name: params.ProcessTokenElevationType, Type: params.AnsiString, Value: "FULL"},
 },
 },
 },
@@ -236,12 +236,12 @@ func TestWriteInternalEventsEnrichment(t *testing.T) {
 {
 Type: event.CreateProcessInternal,
 Params: event.Params{
- params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1024)},
- params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
- params.Exe: {Name: params.Exe, Type: params.UnicodeString, Value: `C:\Windows\System32\svchost.exe`},
- params.ProcessIntegrityLevel: {Name: params.ProcessIntegrityLevel, Type: params.AnsiString, Value: "HIGH"},
- params.ProcessTokenIsElevated: {Name: params.ProcessTokenIsElevated, Type: params.Bool, Value: true},
- params.ProcessTokenElevationType: {Name: params.ProcessTokenElevationType, Type: params.AnsiString, Value: "FULL"},
+ params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1024)},
+ params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
+ params.Exe: {Name: params.Exe, Type: params.UnicodeString, Value: `C:\Windows\System32\svchost.exe`},
+ params.ProcessTokenIntegrityLevel: {Name: params.ProcessTokenIntegrityLevel, Type: params.AnsiString, Value: "HIGH"},
+ params.ProcessTokenIsElevated: {Name: params.ProcessTokenIsElevated, Type: params.Bool, Value: true},
+ params.ProcessTokenElevationType: {Name: params.ProcessTokenElevationType, Type: params.AnsiString, Value: "FULL"},
 },
 },
 },
@@ -262,12 +262,12 @@ func TestWriteInternalEventsEnrichment(t *testing.T) {
 {
 Type: event.CreateProcessInternal,
 Params: event.Params{
- params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1024)},
- params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
- params.Exe: {Name: params.Exe, Type: params.UnicodeString, Value: `C:\Windows\System32\svchost.exe`},
- params.ProcessIntegrityLevel: {Name: params.ProcessIntegrityLevel, Type: params.AnsiString, Value: "HIGH"},
- params.ProcessTokenIsElevated: {Name: params.ProcessTokenIsElevated, Type: params.Bool, Value: true},
- params.ProcessTokenElevationType: {Name: params.ProcessTokenElevationType, Type: params.AnsiString, Value: "FULL"},
+ params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1024)},
+ params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
+ params.Exe: {Name: params.Exe, Type: params.UnicodeString, Value: `C:\Windows\System32\svchost.exe`},
+ params.ProcessTokenIntegrityLevel: {Name: params.ProcessTokenIntegrityLevel, Type: params.AnsiString, Value: "HIGH"},
+ params.ProcessTokenIsElevated: {Name: params.ProcessTokenIsElevated, Type: params.Bool, Value: true},
+ params.ProcessTokenElevationType: {Name: params.ProcessTokenElevationType, Type: params.AnsiString, Value: "FULL"},
 },
 },
 {