From 0f3b9898fcb59a22b4db3f3cb0cc515139e35607 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Sun, 28 Sep 2025 18:27:47 +0200
Subject: [PATCH] feat(filter): Process token filter fields

Introduces the filter fields for the current, child, and parent process token integrity level, elevation type, and the elevation indicator (whether the process token was elevated or not).

---
 pkg/event/param_windows.go | 4 +-
 pkg/event/params/params_windows.go | 4 +-
 pkg/filter/accessor_windows.go | 59 ++++++++-
 pkg/filter/fields/fields_windows.go | 187 ++++++++++++++++------------
 pkg/filter/filter_test.go | 70 +++++++----
 pkg/filter/ql/function.go | 6 +
 pkg/ps/snapshotter_windows.go | 6 +-
 pkg/ps/snapshotter_windows_test.go | 36 +++---
 8 files changed, 241 insertions(+), 131 deletions(-)

diff --git a/pkg/event/param_windows.go b/pkg/event/param_windows.go
index 0130265b8..1054260b7 100644
--- a/pkg/event/param_windows.go
+++ b/pkg/event/param_windows.go
@@ -82,7 +82,7 @@ func (p Param) String() string {
 if err != nil {
 return ""
 }
- if p.Name == params.ProcessIntegrityLevel {
+ if p.Name == params.ProcessTokenIntegrityLevel {
 return sys.RidToString(sid)
 }
 return sid.String()
@@ -312,7 +312,7 @@ func (e *Event) produceParams(evt *etw.EventRecord) {
 e.AppendParam(params.ProcessFlags, params.Flags, flags, WithFlags(PsCreationFlags))
 e.AppendParam(params.ProcessTokenElevationType, params.Enum, tokenElevationType, WithEnum(PsTokenElevationTypes))
 e.AppendParam(params.ProcessTokenIsElevated, params.Bool, tokenIsElevated > 0)
- e.AppendParam(params.ProcessIntegrityLevel, params.SID, tokenMandatoryLabel)
+ e.AppendParam(params.ProcessTokenIntegrityLevel, params.SID, tokenMandatoryLabel)
 e.AppendParam(params.Exe, params.DOSPath, exe)
 case OpenProcess:
 processID := evt.ReadUint32(0)
diff --git a/pkg/event/params/params_windows.go b/pkg/event/params/params_windows.go
index 1a860094d..716719496 100644
--- a/pkg/event/params/params_windows.go
+++ b/pkg/event/params/params_windows.go
@@ -58,8 +58,8 @@ const (
 ExitStatus = "exit_status"
 // StartTime field denotes the process start time.
 StartTime = "start_time"
- // ProcessIntegrityLevel field denotes the process integrity level.
- ProcessIntegrityLevel = "integrity_level"
+ // ProcessTokenIntegrityLevel field denotes the process integrity level.
+ ProcessTokenIntegrityLevel = "token_integrity_level"
 // ProcessTokenElevationType field designates the process token elevation type.
 ProcessTokenElevationType = "token_elevation_type"
 // ProcessTokenIsElevated field designates if the process token is elevated.
diff --git a/pkg/filter/accessor_windows.go b/pkg/filter/accessor_windows.go
index d2ea35fd6..aa18c401d 100644
--- a/pkg/filter/accessor_windows.go
+++ b/pkg/filter/accessor_windows.go
@@ -430,11 +430,64 @@ func (ps *psAccessor) Get(f Field, e *event.Event) (params.Value, error) {
 return nil, ErrPsNil
 }
 return ps.IsProtected, nil
+ case fields.PsChildTokenIntegrityLevel:
+ if e.Category != event.Process {
+ return nil, nil
+ }
+ return e.GetParamAsString(params.ProcessTokenIntegrityLevel), nil
+ case fields.PsChildTokenIsElevated:
+ if e.Category != event.Process {
+ return nil, nil
+ }
+ return e.Params.GetBool(params.ProcessTokenIsElevated)
+ case fields.PsChildTokenElevationType:
+ if e.Category != event.Process {
+ return nil, nil
+ }
+ return e.GetParamAsString(params.ProcessTokenElevationType), nil
+ case fields.PsTokenIntegrityLevel:
+ ps := e.PS
+ if ps == nil {
+ return nil, ErrPsNil
+ }
+ return ps.TokenIntegrityLevel, nil
+ case fields.PsTokenElevationType:
+ ps := e.PS
+ if ps == nil {
+ return nil, ErrPsNil
+ }
+ return ps.TokenElevationType, nil
+ case fields.PsTokenIsElevated:
+ ps := e.PS
+ if ps == nil {
+ return nil, ErrPsNil
+ }
+ return ps.IsTokenElevated, nil
+ case fields.PsParentTokenIntegrityLevel:
+ ps := getParentPs(e)
+ if ps == nil {
+ return nil, ErrPsNil
+ }
+ return ps.TokenIntegrityLevel, nil
+ case fields.PsParentTokenElevationType:
+ ps := getParentPs(e)
+ if ps == nil {
+ return nil, ErrPsNil
+ }
+ return ps.TokenElevationType, nil
+ case fields.PsParentTokenIsElevated:
+ ps := getParentPs(e)
+ if ps == nil {
+ return nil, ErrPsNil
+ }
+ return ps.IsTokenElevated, nil
 case fields.PsAncestors:
 if e.PS != nil {
 ancestors := make([]*pstypes.PS, 0)
 walk := func(proc *pstypes.PS) {
- ancestors = append(ancestors, proc)
+ if proc != nil {
+ ancestors = append(ancestors, proc)
+ }
 }
 pstypes.Walk(walk, e.PS)
@@ -474,7 +527,9 @@ func (ps *psAccessor) Get(f Field, e *event.Event) (params.Value, error) {
 ancestors := make([]string, 0)
 walk := func(proc *pstypes.PS) {
- ancestors = append(ancestors, proc.Name)
+ if proc != nil {
+ ancestors = append(ancestors, proc.Name)
+ }
 }
 pstypes.Walk(walk, e.PS)
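Review bot: `case fields.PsChildTokenIsElevated` hands back `e.Params.GetBool(params.ProcessTokenIsElevated)` unchanged, so on a Process-category event that does not carry that parameter the field resolves to whatever GetBool reports for a missing key — if that is an error, a rule such as `ps.child.token.is_elevated` evaluated against an OpenProcess or TerminateProcess event fails instead of being false, while its two string siblings presumably degrade to an empty string through `GetParamAsString`. The producer in param_windows.go appends the three token parameters only in the branch preceding `case OpenProcess:` (presumably CreateProcess), so `e.Category != event.Process` does not rule this out. Consider tightening the guard to the creation event, `if e.Type != event.CreateProcess { return nil, nil }`, or mapping the missing-parameter outcome to `nil, nil` before returning. `Get` begins before the first hunk and continues past the second.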
diff --git a/pkg/filter/fields/fields_windows.go b/pkg/filter/fields/fields_windows.go
index 84904fe02..26517e88f 100644
--- a/pkg/filter/fields/fields_windows.go
+++ b/pkg/filter/fields/fields_windows.go
@@ -165,6 +165,24 @@ const (
 PsChildIsPackagedField Field = "ps.child.is_packaged"
 // PsChildIsProtectedField represents the field that indicates if the process is to be run as a protected process
 PsChildIsProtectedField Field = "ps.child.is_protected"
+ // PsTokenIntegrityLevel represents the field that indicates the current process integrity level
+ PsTokenIntegrityLevel = "ps.token.integrity_level"
+ // PsTokenIsElevated represents the field that indicates if the current process token is elevated
+ PsTokenIsElevated = "ps.token.is_elevated"
+ // PsTokenElevationType represents the field that indicates if the current process token elevation type
+ PsTokenElevationType = "ps.token.elevation_type"
+ // PsChildTokenIntegrityLevel represents the field that indicates the created/child process integrity level
+ PsChildTokenIntegrityLevel = "ps.child.token.integrity_level"
+ // PsChildTokenIsElevated represents the field that indicates if the created/child process token is elevated
+ PsChildTokenIsElevated = "ps.child.token.is_elevated"
+ // PsChildTokenElevationType represents the field that indicates if the created/child process token elevation type
+ PsChildTokenElevationType = "ps.child.token.elevation_type"
+ // PsParentTokenIntegrityLevel represents the field that indicates the parent process integrity level
+ PsParentTokenIntegrityLevel = "ps.parent.token.integrity_level"
+ // PsParentTokenIsElevated represents the field that indicates if the parent process token is elevated
+ PsParentTokenIsElevated = "ps.parent.token.is_elevated"
+ // PsTokenElevationType represents the field that indicates if the parent process token elevation type
+ PsParentTokenElevationType = "ps.parent.token.elevation_type"
 // ThreadBasePrio is the base thread priority
 ThreadBasePrio Field = "thread.prio"
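Review bot: The nine new constants are declared without the `Field` type — `PsTokenIntegrityLevel = "ps.token.integrity_level"` — while their neighbours in the same block read `PsChildIsProtectedField Field = "ps.child.is_protected"`, so they are untyped string constants that only become a `Field` by implicit conversion at each use site and would be accepted anywhere a plain string is expected; declare each as `PsTokenIntegrityLevel Field = "ps.token.integrity_level"` (and likewise for the other eight) so the block stays uniform and the compiler rejects accidental string use. The doc comment on `PsParentTokenElevationType` begins with the wrong identifier (`// PsTokenElevationType represents …`), which also breaks the convention that a doc comment leads with the declared name. The three `*ElevationType` comments say "indicates if the … token elevation type", where "if" does not fit; e.g. `// PsTokenElevationType represents the field that denotes the current process token elevation type`. The const block starts before this hunk and continues after it.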
@@ -643,15 +661,18 @@ const (
 EntropySegment Segment = "entropy"
 MD5Segment Segment = "md5"
- PIDSegment Segment = "pid"
- CmdlineSegment Segment = "cmdline"
- ExeSegment Segment = "exe"
- ArgsSegment Segment = "args"
- CwdSegment Segment = "cwd"
- SIDSegment Segment = "sid"
- SessionIDSegment Segment = "sessionid"
- UsernameSegment Segment = "username"
- DomainSegment Segment = "domain"
+ PIDSegment Segment = "pid"
+ CmdlineSegment Segment = "cmdline"
+ ExeSegment Segment = "exe"
+ ArgsSegment Segment = "args"
+ CwdSegment Segment = "cwd"
+ SIDSegment Segment = "sid"
+ SessionIDSegment Segment = "sessionid"
+ UsernameSegment Segment = "username"
+ DomainSegment Segment = "domain"
+ TokenIntegrityLevelSegment Segment = "token.integrity_level"
+ TokenIsElevatedSegment Segment = "token.is_elevated"
+ TokenElevationTypeSegment Segment = "token.elevation_type"
 TidSegment Segment = "tid"
 StartAddressSegment Segment = "start_address"
@@ -692,6 +713,9 @@ var segments = map[Segment]bool{
 SessionIDSegment: true,
 UsernameSegment: true,
 DomainSegment: true,
+ TokenIntegrityLevelSegment: true,
+ TokenIsElevatedSegment: true,
+ TokenElevationTypeSegment: true,
 TidSegment: true,
 StartAddressSegment: true,
 UserStackBaseSegment: true,
@@ -713,7 +737,7 @@ var segments = map[Segment]bool{
 }

 var allowedSegments = map[Field][]Segment{
- PsAncestors: {NameSegment, PIDSegment, CmdlineSegment, ExeSegment, ArgsSegment, CwdSegment, SIDSegment, SessionIDSegment, UsernameSegment, DomainSegment},
+ PsAncestors: {NameSegment, PIDSegment, CmdlineSegment, ExeSegment, ArgsSegment, CwdSegment, SIDSegment, SessionIDSegment, UsernameSegment, DomainSegment, TokenIntegrityLevelSegment, TokenIsElevatedSegment, TokenElevationTypeSegment},
 PsThreads: {TidSegment, StartAddressSegment, UserStackBaseSegment, UserStackLimitSegment, KernelStackBaseSegment, KernelStackLimitSegment},
 PsModules: {PathSegment, NameSegment, AddressSegment, SizeSegment, ChecksumSegment},
 PsMmaps: {AddressSegment, TypeSegment, AddressSegment, SizeSegment, ProtectionSegment, PathSegment},
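Review bot: Allowing `TokenIntegrityLevelSegment`, `TokenIsElevatedSegment` and `TokenElevationTypeSegment` on `PsAncestors` presumes that whatever resolves a `Segment` against an ancestor `*pstypes.PS` knows the three new segments; none of the accessor hunks on this page add such handling, so unless it lives in pkg/filter/ql/function.go (in the diffstat but not shown here) a filter like `ps.ancestors[1].token.is_elevated` would pass validation and then resolve to nothing. These are also the first segment values containing a dot (`token.integrity_level`), so if the segment is extracted by splitting the field on `.`, it is worth confirming the dotted form survives parsing; a test next to the existing ancestors-segment assertions would pin both. The `allowedSegments` map continues past this hunk.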
@@ -846,73 +870,82 @@ var fields = map[Field]FieldInfo{ return true }}}, - PsPid: {PsPid, "process identifier", params.PID, []string{"ps.pid = 1024"}, nil, nil}, - PsPpid: {PsPpid, "parent process identifier", params.PID, []string{"ps.ppid = 45"}, nil, nil}, - PsName: {PsName, "process image name including the file extension", params.UnicodeString, []string{"ps.name contains 'firefox'"}, nil, nil}, - PsComm: {PsComm, "process command line", params.UnicodeString, []string{"ps.comm contains 'java'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsCmdline}}, nil}, - PsCmdline: {PsCmdline, "process command line", params.UnicodeString, []string{"ps.cmdline contains 'java'"}, nil, nil}, - PsExe: {PsExe, "full name of the process' executable", params.UnicodeString, []string{"ps.exe = 'C:\\Windows\\system32\\cmd.exe'"}, nil, nil}, - PsArgs: {PsArgs, "process command line arguments", params.Slice, []string{"ps.args in ('/cdir', '/-C')"}, nil, nil}, - PsCwd: {PsCwd, "process current working directory", params.UnicodeString, []string{"ps.cwd = 'C:\\Users\\Default'"}, nil, nil}, - PsSID: {PsSID, "security identifier under which this process is run", params.UnicodeString, []string{"ps.sid contains 'SYSTEM'"}, nil, nil}, - PsSessionID: {PsSessionID, "unique identifier for the current session", params.Int16, []string{"ps.sessionid = 1"}, nil, nil}, - PsDomain: {PsDomain, "process domain", params.UnicodeString, []string{"ps.domain contains 'SERVICE'"}, nil, nil}, - PsUsername: {PsUsername, "process username", params.UnicodeString, []string{"ps.username contains 'system'"}, nil, nil}, - PsEnvs: {PsEnvs, "process environment variables", params.Slice, []string{"ps.envs in ('SystemRoot:C:\\WINDOWS')", "ps.envs[windir] = 'C:\\WINDOWS'"}, nil, &Argument{Optional: true, ValidationFunc: func(arg string) bool { return true }}}, - PsHandleNames: {PsHandleNames, "allocated process handle names", params.Slice, []string{"ps.handles in ('\\BaseNamedObjects\\__ComCatalogCache__')"}, nil, nil}, 
- PsHandleTypes: {PsHandleTypes, "allocated process handle types", params.Slice, []string{"ps.handle.types in ('Key', 'Mutant', 'Section')"}, nil, nil}, - PsDTB: {PsDTB, "process directory table base address", params.Address, []string{"ps.dtb = '7ffe0000'"}, nil, nil}, - PsModuleNames: {PsModuleNames, "modules loaded by the process", params.Slice, []string{"ps.modules in ('crypt32.dll', 'xul.dll')"}, nil, nil}, - PsParentName: {PsParentName, "parent process image name including the file extension", params.UnicodeString, []string{"ps.parent.name contains 'cmd.exe'"}, nil, nil}, - PsParentPid: {PsParentPid, "parent process id", params.Uint32, []string{"ps.parent.pid = 4"}, nil, nil}, - PsParentComm: {PsParentComm, "parent process command line", params.UnicodeString, []string{"ps.parent.comm contains 'java'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsParentCmdline}}, nil}, - PsParentCmdline: {PsParentCmdline, "parent process command line", params.UnicodeString, []string{"ps.parent.cmdline contains 'java'"}, nil, nil}, - PsParentExe: {PsParentExe, "full name of the parent process' executable", params.UnicodeString, []string{"ps.parent.exe = 'C:\\Windows\\system32\\explorer.exe'"}, nil, nil}, - PsParentArgs: {PsParentArgs, "parent process command line arguments", params.Slice, []string{"ps.parent.args in ('/cdir', '/-C')"}, nil, nil}, - PsParentCwd: {PsParentCwd, "parent process current working directory", params.UnicodeString, []string{"ps.parent.cwd = 'C:\\Temp'"}, nil, nil}, - PsParentSID: {PsParentSID, "security identifier under which the parent process is run", params.UnicodeString, []string{"ps.parent.sid contains 'SYSTEM'"}, nil, nil}, - PsParentDomain: {PsParentDomain, "parent process domain", params.UnicodeString, []string{"ps.parent.domain contains 'SERVICE'"}, nil, nil}, - PsParentUsername: {PsParentUsername, "parent process username", params.UnicodeString, []string{"ps.parent.username contains 'system'"}, nil, nil}, - PsParentSessionID: 
{PsParentSessionID, "unique identifier for the current session of parent process", params.Int16, []string{"ps.parent.sessionid = 1"}, nil, nil}, - PsParentEnvs: {PsParentEnvs, "parent process environment variables", params.Slice, []string{"ps.parent.envs in ('MOZ_CRASHREPORTER_DATA_DIRECTORY')"}, nil, nil}, - PsParentHandles: {PsParentHandles, "allocated parent process handle names", params.Slice, []string{"ps.parent.handles in ('\\BaseNamedObjects\\__ComCatalogCache__')"}, nil, nil}, - PsParentHandleTypes: {PsParentHandleTypes, "allocated parent process handle types", params.Slice, []string{"ps.parent.handle.types in ('File', 'SymbolicLink')"}, nil, nil}, - PsParentDTB: {PsParentDTB, "parent process directory table base address", params.Address, []string{"ps.parent.dtb = '7ffe0000'"}, nil, nil}, - PsAccessMask: {PsAccessMask, "process desired access rights", params.AnsiString, []string{"ps.access.mask = '0x1400'"}, nil, nil}, - PsAccessMaskNames: {PsAccessMaskNames, "process desired access rights as a string list", params.Slice, []string{"ps.access.mask.names in ('SUSPEND_RESUME')"}, nil, nil}, - PsAccessStatus: {PsAccessStatus, "process access status", params.UnicodeString, []string{"ps.access.status = 'access is denied.'"}, nil, nil}, - PsSiblingPid: {PsSiblingPid, "created or terminated process identifier", params.PID, []string{"ps.sibling.pid = 320"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildPid}}, nil}, - PsChildPid: {PsChildPid, "created or terminated process identifier", params.PID, []string{"ps.child.pid = 320"}, nil, nil}, - PsSiblingName: {PsSiblingName, "created or terminated process name", params.UnicodeString, []string{"ps.sibling.name = 'notepad.exe'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildName}}, nil}, - PsChildName: {PsChildName, "created or terminated process name", params.UnicodeString, []string{"ps.child.name = 'notepad.exe'"}, nil, nil}, - PsSiblingComm: {PsSiblingComm, "created or terminated process command line", 
params.UnicodeString, []string{"ps.sibling.comm contains '\\k \\v'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildCmdline}}, nil}, - PsChildCmdline: {PsChildCmdline, "created or terminated process command line", params.UnicodeString, []string{"ps.child.cmdline contains '\\k \\v'"}, nil, nil}, - PsSiblingArgs: {PsSiblingArgs, "created process command line arguments", params.Slice, []string{"ps.sibling.args in ('/cdir', '/-C')"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildArgs}}, nil}, - PsChildArgs: {PsChildArgs, "created process command line arguments", params.Slice, []string{"ps.child.args in ('/cdir', '/-C')"}, nil, nil}, - PsSiblingExe: {PsSiblingExe, "created, terminated, or opened process id", params.UnicodeString, []string{"ps.sibling.exe contains '\\Windows\\cmd.exe'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildExe}}, nil}, - PsChildExe: {PsChildExe, "created, terminated, or opened process id", params.UnicodeString, []string{"ps.child.exe contains '\\Windows\\cmd.exe'"}, nil, nil}, - PsSiblingSID: {PsSiblingSID, "created or terminated process security identifier", params.UnicodeString, []string{"ps.sibling.sid contains 'SERVICE'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildSID}}, nil}, - PsChildSID: {PsChildSID, "created or terminated process security identifier", params.UnicodeString, []string{"ps.child.sid contains 'SERVICE'"}, nil, nil}, - PsSiblingSessionID: {PsSiblingSessionID, "created or terminated process session identifier", params.Int16, []string{"ps.sibling.sessionid == 1"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildSessionID}}, nil}, - PsChildSessionID: {PsChildSessionID, "created or terminated process session identifier", params.Int16, []string{"ps.child.sessionid == 1"}, nil, nil}, - PsSiblingDomain: {PsSiblingDomain, "created or terminated process domain", params.UnicodeString, []string{"ps.sibling.domain contains 'SERVICE'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildDomain}}, 
nil}, - PsChildDomain: {PsChildDomain, "created or terminated process domain", params.UnicodeString, []string{"ps.child.domain contains 'SERVICE'"}, nil, nil}, - PsSiblingUsername: {PsSiblingUsername, "created or terminated process username", params.UnicodeString, []string{"ps.sibling.username contains 'system'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildUsername}}, nil}, - PsChildUsername: {PsChildUsername, "created or terminated process username", params.UnicodeString, []string{"ps.child.username contains 'system'"}, nil, nil}, - PsUUID: {PsUUID, "unique process identifier", params.Uint64, []string{"ps.uuid > 6000054355"}, nil, nil}, - PsParentUUID: {PsParentUUID, "unique parent process identifier", params.Uint64, []string{"ps.parent.uuid > 6000054355"}, nil, nil}, - PsChildUUID: {PsChildUUID, "unique child process identifier", params.Uint64, []string{"ps.child.uuid > 6000054355"}, nil, nil}, - PsChildPeFilename: {PsChildPeFilename, "original file name of the child process executable supplied at compile-time", params.UnicodeString, []string{"ps.child.pe.file.name = 'NOTEPAD.EXE'"}, nil, nil}, - PsChildIsWOW64Field: {PsChildIsWOW64Field, "indicates if the 32-bit child process is created in 64-bit Windows system", params.Bool, []string{"ps.child.is_wow64"}, nil, nil}, - PsChildIsPackagedField: {PsChildIsPackagedField, "indicates if the child process is packaged with the MSIX technology", params.Bool, []string{"ps.child.is_packaged"}, nil, nil}, - PsChildIsProtectedField: {PsChildIsProtectedField, "indicates if the child process is a protected process", params.Bool, []string{"ps.child.is_protected"}, nil, nil}, - PsIsWOW64Field: {PsIsWOW64Field, "indicates if the process generating the event is a 32-bit process created in 64-bit Windows system", params.Bool, []string{"ps.is_wow64"}, nil, nil}, - PsIsPackagedField: {PsIsPackagedField, "indicates if the process generating the event is packaged with the MSIX technology", params.Bool, 
[]string{"ps.is_packaged"}, nil, nil}, - PsIsProtectedField: {PsIsProtectedField, "indicates if the process generating the event is a protected process", params.Bool, []string{"ps.is_protected"}, nil, nil}, - PsParentIsWOW64Field: {PsParentIsWOW64Field, "indicates if the parent process generating the event is a 32-bit process created in 64-bit Windows system", params.Bool, []string{"ps.parent.is_wow64"}, nil, nil}, - PsParentIsPackagedField: {PsParentIsPackagedField, "indicates if the parent process generating the event is packaged with the MSIX technology", params.Bool, []string{"ps.parent.is_packaged"}, nil, nil}, - PsParentIsProtectedField: {PsParentIsProtectedField, "indicates if the the parent process generating the event is a protected process", params.Bool, []string{"ps.parent.is_protected"}, nil, nil}, - PsAncestor: {PsAncestor, "the process ancestor name", params.UnicodeString, []string{"ps.ancestor[1] = 'svchost.exe'", "ps.ancestor in ('winword.exe')"}, nil, &Argument{Optional: true, Pattern: "[0-9]+", ValidationFunc: isNumber}}, + PsPid: {PsPid, "process identifier", params.PID, []string{"ps.pid = 1024"}, nil, nil}, + PsPpid: {PsPpid, "parent process identifier", params.PID, []string{"ps.ppid = 45"}, nil, nil}, + PsName: {PsName, "process image name including the file extension", params.UnicodeString, []string{"ps.name contains 'firefox'"}, nil, nil}, + PsComm: {PsComm, "process command line", params.UnicodeString, []string{"ps.comm contains 'java'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsCmdline}}, nil}, + PsCmdline: {PsCmdline, "process command line", params.UnicodeString, []string{"ps.cmdline contains 'java'"}, nil, nil}, + PsExe: {PsExe, "full name of the process' executable", params.UnicodeString, []string{"ps.exe = 'C:\\Windows\\system32\\cmd.exe'"}, nil, nil}, + PsArgs: {PsArgs, "process command line arguments", params.Slice, []string{"ps.args in ('/cdir', '/-C')"}, nil, nil}, + PsCwd: {PsCwd, "process current working directory", 
params.UnicodeString, []string{"ps.cwd = 'C:\\Users\\Default'"}, nil, nil}, + PsSID: {PsSID, "security identifier under which this process is run", params.UnicodeString, []string{"ps.sid contains 'SYSTEM'"}, nil, nil}, + PsSessionID: {PsSessionID, "unique identifier for the current session", params.Int16, []string{"ps.sessionid = 1"}, nil, nil}, + PsDomain: {PsDomain, "process domain", params.UnicodeString, []string{"ps.domain contains 'SERVICE'"}, nil, nil}, + PsUsername: {PsUsername, "process username", params.UnicodeString, []string{"ps.username contains 'system'"}, nil, nil}, + PsEnvs: {PsEnvs, "process environment variables", params.Slice, []string{"ps.envs in ('SystemRoot:C:\\WINDOWS')", "ps.envs[windir] = 'C:\\WINDOWS'"}, nil, &Argument{Optional: true, ValidationFunc: func(arg string) bool { return true }}}, + PsHandleNames: {PsHandleNames, "allocated process handle names", params.Slice, []string{"ps.handles in ('\\BaseNamedObjects\\__ComCatalogCache__')"}, nil, nil}, + PsHandleTypes: {PsHandleTypes, "allocated process handle types", params.Slice, []string{"ps.handle.types in ('Key', 'Mutant', 'Section')"}, nil, nil}, + PsDTB: {PsDTB, "process directory table base address", params.Address, []string{"ps.dtb = '7ffe0000'"}, nil, nil}, + PsModuleNames: {PsModuleNames, "modules loaded by the process", params.Slice, []string{"ps.modules in ('crypt32.dll', 'xul.dll')"}, nil, nil}, + PsParentName: {PsParentName, "parent process image name including the file extension", params.UnicodeString, []string{"ps.parent.name contains 'cmd.exe'"}, nil, nil}, + PsParentPid: {PsParentPid, "parent process id", params.Uint32, []string{"ps.parent.pid = 4"}, nil, nil}, + PsParentComm: {PsParentComm, "parent process command line", params.UnicodeString, []string{"ps.parent.comm contains 'java'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsParentCmdline}}, nil}, + PsParentCmdline: {PsParentCmdline, "parent process command line", params.UnicodeString, []string{"ps.parent.cmdline 
contains 'java'"}, nil, nil}, + PsParentExe: {PsParentExe, "full name of the parent process' executable", params.UnicodeString, []string{"ps.parent.exe = 'C:\\Windows\\system32\\explorer.exe'"}, nil, nil}, + PsParentArgs: {PsParentArgs, "parent process command line arguments", params.Slice, []string{"ps.parent.args in ('/cdir', '/-C')"}, nil, nil}, + PsParentCwd: {PsParentCwd, "parent process current working directory", params.UnicodeString, []string{"ps.parent.cwd = 'C:\\Temp'"}, nil, nil}, + PsParentSID: {PsParentSID, "security identifier under which the parent process is run", params.UnicodeString, []string{"ps.parent.sid contains 'SYSTEM'"}, nil, nil}, + PsParentDomain: {PsParentDomain, "parent process domain", params.UnicodeString, []string{"ps.parent.domain contains 'SERVICE'"}, nil, nil}, + PsParentUsername: {PsParentUsername, "parent process username", params.UnicodeString, []string{"ps.parent.username contains 'system'"}, nil, nil}, + PsParentSessionID: {PsParentSessionID, "unique identifier for the current session of parent process", params.Int16, []string{"ps.parent.sessionid = 1"}, nil, nil}, + PsParentEnvs: {PsParentEnvs, "parent process environment variables", params.Slice, []string{"ps.parent.envs in ('MOZ_CRASHREPORTER_DATA_DIRECTORY')"}, nil, nil}, + PsParentHandles: {PsParentHandles, "allocated parent process handle names", params.Slice, []string{"ps.parent.handles in ('\\BaseNamedObjects\\__ComCatalogCache__')"}, nil, nil}, + PsParentHandleTypes: {PsParentHandleTypes, "allocated parent process handle types", params.Slice, []string{"ps.parent.handle.types in ('File', 'SymbolicLink')"}, nil, nil}, + PsParentDTB: {PsParentDTB, "parent process directory table base address", params.Address, []string{"ps.parent.dtb = '7ffe0000'"}, nil, nil}, + PsAccessMask: {PsAccessMask, "process desired access rights", params.AnsiString, []string{"ps.access.mask = '0x1400'"}, nil, nil}, + PsAccessMaskNames: {PsAccessMaskNames, "process desired access rights as a 
string list", params.Slice, []string{"ps.access.mask.names in ('SUSPEND_RESUME')"}, nil, nil}, + PsAccessStatus: {PsAccessStatus, "process access status", params.UnicodeString, []string{"ps.access.status = 'access is denied.'"}, nil, nil}, + PsSiblingPid: {PsSiblingPid, "created or terminated process identifier", params.PID, []string{"ps.sibling.pid = 320"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildPid}}, nil}, + PsChildPid: {PsChildPid, "created or terminated process identifier", params.PID, []string{"ps.child.pid = 320"}, nil, nil}, + PsSiblingName: {PsSiblingName, "created or terminated process name", params.UnicodeString, []string{"ps.sibling.name = 'notepad.exe'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildName}}, nil}, + PsChildName: {PsChildName, "created or terminated process name", params.UnicodeString, []string{"ps.child.name = 'notepad.exe'"}, nil, nil}, + PsSiblingComm: {PsSiblingComm, "created or terminated process command line", params.UnicodeString, []string{"ps.sibling.comm contains '\\k \\v'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildCmdline}}, nil}, + PsChildCmdline: {PsChildCmdline, "created or terminated process command line", params.UnicodeString, []string{"ps.child.cmdline contains '\\k \\v'"}, nil, nil}, + PsSiblingArgs: {PsSiblingArgs, "created process command line arguments", params.Slice, []string{"ps.sibling.args in ('/cdir', '/-C')"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildArgs}}, nil}, + PsChildArgs: {PsChildArgs, "created process command line arguments", params.Slice, []string{"ps.child.args in ('/cdir', '/-C')"}, nil, nil}, + PsSiblingExe: {PsSiblingExe, "created, terminated, or opened process id", params.UnicodeString, []string{"ps.sibling.exe contains '\\Windows\\cmd.exe'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildExe}}, nil}, + PsChildExe: {PsChildExe, "created, terminated, or opened process id", params.UnicodeString, []string{"ps.child.exe contains 
'\\Windows\\cmd.exe'"}, nil, nil}, + PsSiblingSID: {PsSiblingSID, "created or terminated process security identifier", params.UnicodeString, []string{"ps.sibling.sid contains 'SERVICE'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildSID}}, nil}, + PsChildSID: {PsChildSID, "created or terminated process security identifier", params.UnicodeString, []string{"ps.child.sid contains 'SERVICE'"}, nil, nil}, + PsSiblingSessionID: {PsSiblingSessionID, "created or terminated process session identifier", params.Int16, []string{"ps.sibling.sessionid == 1"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildSessionID}}, nil}, + PsChildSessionID: {PsChildSessionID, "created or terminated process session identifier", params.Int16, []string{"ps.child.sessionid == 1"}, nil, nil}, + PsSiblingDomain: {PsSiblingDomain, "created or terminated process domain", params.UnicodeString, []string{"ps.sibling.domain contains 'SERVICE'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildDomain}}, nil}, + PsChildDomain: {PsChildDomain, "created or terminated process domain", params.UnicodeString, []string{"ps.child.domain contains 'SERVICE'"}, nil, nil}, + PsSiblingUsername: {PsSiblingUsername, "created or terminated process username", params.UnicodeString, []string{"ps.sibling.username contains 'system'"}, &Deprecation{Since: "1.10.0", Fields: []Field{PsChildUsername}}, nil}, + PsChildUsername: {PsChildUsername, "created or terminated process username", params.UnicodeString, []string{"ps.child.username contains 'system'"}, nil, nil}, + PsUUID: {PsUUID, "unique process identifier", params.Uint64, []string{"ps.uuid > 6000054355"}, nil, nil}, + PsParentUUID: {PsParentUUID, "unique parent process identifier", params.Uint64, []string{"ps.parent.uuid > 6000054355"}, nil, nil}, + PsChildUUID: {PsChildUUID, "unique child process identifier", params.Uint64, []string{"ps.child.uuid > 6000054355"}, nil, nil}, + PsChildPeFilename: {PsChildPeFilename, "original file name of the child process 
executable supplied at compile-time", params.UnicodeString, []string{"ps.child.pe.file.name = 'NOTEPAD.EXE'"}, nil, nil}, + PsChildIsWOW64Field: {PsChildIsWOW64Field, "indicates if the 32-bit child process is created in 64-bit Windows system", params.Bool, []string{"ps.child.is_wow64"}, nil, nil}, + PsChildIsPackagedField: {PsChildIsPackagedField, "indicates if the child process is packaged with the MSIX technology", params.Bool, []string{"ps.child.is_packaged"}, nil, nil}, + PsChildIsProtectedField: {PsChildIsProtectedField, "indicates if the child process is a protected process", params.Bool, []string{"ps.child.is_protected"}, nil, nil}, + PsIsWOW64Field: {PsIsWOW64Field, "indicates if the process generating the event is a 32-bit process created in 64-bit Windows system", params.Bool, []string{"ps.is_wow64"}, nil, nil}, + PsIsPackagedField: {PsIsPackagedField, "indicates if the process generating the event is packaged with the MSIX technology", params.Bool, []string{"ps.is_packaged"}, nil, nil}, + PsIsProtectedField: {PsIsProtectedField, "indicates if the process generating the event is a protected process", params.Bool, []string{"ps.is_protected"}, nil, nil}, + PsParentIsWOW64Field: {PsParentIsWOW64Field, "indicates if the parent process generating the event is a 32-bit process created in 64-bit Windows system", params.Bool, []string{"ps.parent.is_wow64"}, nil, nil}, + PsParentIsPackagedField: {PsParentIsPackagedField, "indicates if the parent process generating the event is packaged with the MSIX technology", params.Bool, []string{"ps.parent.is_packaged"}, nil, nil}, + PsParentIsProtectedField: {PsParentIsProtectedField, "indicates if the the parent process generating the event is a protected process", params.Bool, []string{"ps.parent.is_protected"}, nil, nil}, + PsAncestor: {PsAncestor, "the process ancestor name", params.UnicodeString, []string{"ps.ancestor[1] = 'svchost.exe'", "ps.ancestor in ('winword.exe')"}, nil, &Argument{Optional: true, Pattern: 
"[0-9]+", ValidationFunc: isNumber}}, + PsTokenIntegrityLevel: {PsTokenIntegrityLevel, "process token integrity level", params.UnicodeString, []string{"ps.token.integrity_level = 'SYSTEM'"}, nil, nil}, + PsTokenIsElevated: {PsTokenIsElevated, "indicates if the process token is elevated", params.Bool, []string{"ps.token.is_elevated = true"}, nil, nil}, + PsTokenElevationType: {PsTokenElevationType, "process token elevation type", params.AnsiString, []string{"ps.token.elevation_type = 'LIMITED'"}, nil, nil}, + PsChildTokenIntegrityLevel: {PsChildTokenIntegrityLevel, "child process token integrity level", params.UnicodeString, []string{"ps.child.token.integrity_level = 'SYSTEM'"}, nil, nil}, + PsChildTokenIsElevated: {PsChildTokenIsElevated, "indicates if the child process token is elevated", params.Bool, []string{"ps.child.token.is_elevated = true"}, nil, nil}, + PsChildTokenElevationType: {PsChildTokenElevationType, "child process token elevation type", params.AnsiString, []string{"ps.child.token.elevation_type = 'LIMITED'"}, nil, nil}, + PsParentTokenIntegrityLevel: {PsParentTokenIntegrityLevel, "parent process token integrity level", params.UnicodeString, []string{"ps.parent.token.integrity_level = 'HIGH'"}, nil, nil}, + PsParentTokenIsElevated: {PsParentTokenIsElevated, "indicates if the parent process token is elevated", params.Bool, []string{"ps.parent.token.is_elevated = true"}, nil, nil}, + PsParentTokenElevationType: {PsParentTokenElevationType, "parent process token elevation type", params.AnsiString, []string{"ps.parent.token.elevation_type = 'LIMITED'"}, nil, nil}, ThreadBasePrio: {ThreadBasePrio, "scheduler priority of the thread", params.Int8, []string{"thread.prio = 5"}, nil, nil}, ThreadIOPrio: {ThreadIOPrio, "I/O priority hint for scheduling I/O operations", params.Int8, []string{"thread.io.prio = 4"}, nil, nil}, diff --git a/pkg/filter/filter_test.go b/pkg/filter/filter_test.go index 2b46669fc..c658da0f8 100644 --- a/pkg/filter/filter_test.go 
+++ b/pkg/filter/filter_test.go
@@ -109,21 +109,6 @@ func TestStringFields(t *testing.T) {
 }

 func TestProcFilter(t *testing.T) {
- pars := event.Params{
- params.Cmdline: {Name: params.Cmdline, Type: params.UnicodeString, Value: "C:\\Windows\\system32\\svchost-fake.exe -k RPCSS"},
- params.ProcessName: {Name: params.ProcessName, Type: params.AnsiString, Value: "svchost-fake.exe"},
- params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1234)},
- params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: uint32(345)},
- params.UserSID: {Name: params.UserSID, Type: params.WbemSID, Value: []byte{224, 8, 226, 31, 15, 167, 255, 255, 0, 0, 0, 0, 15, 167, 255, 255, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0}},
- params.Username: {Name: params.Username, Type: params.UnicodeString, Value: "loki"},
- params.Domain: {Name: params.Domain, Type: params.UnicodeString, Value: "TITAN"},
- params.ProcessFlags: {Name: params.ProcessFlags, Type: params.Flags, Value: uint32(0x000000E)},
- }
-
- pars1 := event.Params{
- params.DesiredAccess: {Name: params.DesiredAccess, Type: params.Flags, Value: uint32(0x1400), Flags: event.PsAccessRightFlags},
- }
-
 ps1 := &pstypes.PS{
 Name: "wininit.exe",
 Username: "SYSTEM",
@@ -138,17 +123,32 @@ func TestProcFilter(t *testing.T) {
 Name: "System",
 },
 },
- IsWOW64: false,
- IsProtected: true,
- IsPackaged: false,
+ IsWOW64: false,
+ IsProtected: true,
+ IsPackaged: false,
+ TokenIntegrityLevel: "SYSTEM",
+ IsTokenElevated: false,
+ TokenElevationType: "DEFAULT",
 }
 
 evt := &event.Event{
 Type: event.CreateProcess,
 Category: event.Process,
- Params: pars,
- Name: "CreateProcess",
- PID: 1023,
+ Params: event.Params{
+ params.Cmdline: {Name: params.Cmdline, Type: params.UnicodeString, Value: "C:\\Windows\\system32\\svchost-fake.exe -k RPCSS"},
+ params.ProcessName: {Name: params.ProcessName, Type: params.AnsiString, Value: "svchost-fake.exe"},
+ params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1234)},
+ params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: uint32(345)},
+ params.UserSID: {Name: params.UserSID, Type: params.WbemSID, Value: []byte{224, 8, 226, 31, 15, 167, 255, 255, 0, 0, 0, 0, 15, 167, 255, 255, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0}},
+ params.Username: {Name: params.Username, Type: params.UnicodeString, Value: "loki"},
+ params.Domain: {Name: params.Domain, Type: params.UnicodeString, Value: "TITAN"},
+ params.ProcessFlags: {Name: params.ProcessFlags, Type: params.Flags, Value: uint32(0x000000E)},
+ params.ProcessTokenIntegrityLevel: {Name: params.ProcessTokenIntegrityLevel, Type: params.AnsiString, Value: "SYSTEM"},
+ params.ProcessTokenIsElevated: {Name: params.ProcessTokenIsElevated, Type: params.Bool, Value: true},
+ params.ProcessTokenElevationType: {Name: params.ProcessTokenElevationType, Type: params.AnsiString, Value: "FULL"},
+ },
+ Name: "CreateProcess",
+ PID: 1023,
 PS: &pstypes.PS{
 Name: "svchost.exe",
 Cmdline: "C:\\Windows\\System32\\svchost.exe",
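Review bot: The CreateProcess fixture now carries two contradicting token states for the same svchost process without saying why: the event params set `ProcessTokenIsElevated: true` and `"FULL"`, while `evt.PS` sets `IsTokenElevated: false` and `"DEFAULT"`. The assertions further down (`ps.child.token.is_elevated = true` against `ps.token.is_elevated = false`) show the `ps.child.token.*` accessors read the event params and `ps.token.*` read the process state, so the split is presumably how the two paths are told apart; a one-line comment above `params.ProcessTokenIntegrityLevel` would spare the next reader that reconstruction, e.g. `// token params deliberately differ from evt.PS so ps.child.token.* (event params) and ps.token.* (process state) can be told apart`. Note also that the integrity-level param is typed `params.AnsiString` here, which matches the snapshotter enrichment visible later in this patch; if another producer emits the same param in a different representation (a raw SID, say), that conversion is not exercised by this fixture. TestProcFilter starts and ends outside the hunk.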
@@ -171,9 +171,12 @@ func TestProcFilter(t *testing.T) { {Size: 34545, BaseAddress: va.Address(144229524944769), Protection: 4653056, File: "C:\\Windows\\System32\\ucrtbase.dll", Type: "IMAGE"}, //EXECUTE_READWRITE|READONLY {Size: 4096, BaseAddress: va.Address(145229445447666), Protection: 12845056, Type: "PAGEFILE"}, // READWRITE 12845056 }, - IsProtected: false, - IsPackaged: true, - IsWOW64: false, + IsProtected: false, + IsPackaged: true, + IsWOW64: false, + TokenIntegrityLevel: "SYSTEM", + IsTokenElevated: false, + TokenElevationType: "DEFAULT", }, } evt.Timestamp, _ = time.Parse(time.RFC3339, "2011-05-03T15:04:05.323Z") @@ -181,9 +184,11 @@ func TestProcFilter(t *testing.T) { evt1 := &event.Event{ Type: event.OpenProcess, Category: event.Process, - Params: pars1, - Name: "OpenProcess", - PID: 1023, + Params: event.Params{ + params.DesiredAccess: {Name: params.DesiredAccess, Type: params.Flags, Value: uint32(0x1400), Flags: event.PsAccessRightFlags}, + }, + Name: "OpenProcess", + PID: 1023, PS: &pstypes.PS{ Name: "svchost.exe", Parent: ps1, @@ -240,6 +245,16 @@ func TestProcFilter(t *testing.T) { {`ps.parent.is_wow64`, false}, {`ps.parent.is_packaged`, false}, {`ps.parent.is_protected`, true}, + {`ps.token.integrity_level = 'SYSTEM'`, true}, + {`ps.token.is_elevated = false`, true}, + {`ps.token.elevation_type = 'DEFAULT'`, true}, + {`ps.child.token.integrity_level = 'SYSTEM'`, true}, + {`ps.child.token.is_elevated = true`, true}, + {`ps.child.token.elevation_type = 'FULL'`, true}, + {`ps.parent.token.integrity_level = 'SYSTEM'`, true}, + {`ps.parent.token.is_elevated = false`, true}, + {`ps.parent.token.elevation_type = 'DEFAULT'`, true}, + {`evt.name = 'CreateProcess' and ps.name contains 'svchost'`, true}, {`ps.modules IN ('kernel32.dll')`, true}, 
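Review bot: The new `ps.token.*` and `ps.parent.token.*` assertions in the last hunk cannot tell the process from its parent, nor a populated field from a missing one: both fixtures carry the same `SYSTEM` / `false` / `DEFAULT` triple, and `is_elevated = false` is also what an accessor returning the zero value would yield. Only the `ps.child.token.*` cases (`true`, `'FULL'`) pin a non-default value. Give the wininit.exe parent fixture distinct values (for instance `TokenIntegrityLevel: "HIGH"`, `IsTokenElevated: true`, `TokenElevationType: "FULL"`), assert those under `ps.parent.token.*`, adjust the later `foreach(ps._ancestors, ...)` token case to match, and add a negative case such as `{`ps.parent.token.integrity_level = 'LOW'`, false}` so a swapped or empty accessor fails. The hunk sits inside the TestProcFilter table, which starts and ends outside it.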
@@ -262,6 +277,7 @@ func TestProcFilter(t *testing.T) { {`foreach(ps._ancestors, $proc, $proc.username = 'SYSTEM')`, true}, {`foreach(ps._ancestors, $proc, $proc.domain = 'NT AUTHORITY')`, true}, {`foreach(ps._ancestors, $proc, $proc.username = upper('system'))`, true}, + {`foreach(ps._ancestors, $proc, $proc.token.integrity_level = 'SYSTEM' and $proc.token.is_elevated = false and $proc.token.elevation_type = 'DEFAULT')`, true}, {`ps.args intersects ('-k', 'DcomLaunch')`, true}, {`ps.args intersects ('-w', 'DcomLaunch')`, false}, diff --git a/pkg/filter/ql/function.go b/pkg/filter/ql/function.go index e4c0c5982..fa213415e 100644 --- a/pkg/filter/ql/function.go +++ b/pkg/filter/ql/function.go @@ -487,6 +487,12 @@ func (f *Foreach) procMapValuer(segments []*BoundSegmentLiteral, proc *pstypes.P valuer[key] = proc.Username case fields.DomainSegment: valuer[key] = proc.Domain + case fields.TokenIntegrityLevelSegment: + valuer[key] = proc.TokenIntegrityLevel + case fields.TokenIsElevatedSegment: + valuer[key] = proc.IsTokenElevated + case fields.TokenElevationTypeSegment: + valuer[key] = proc.TokenElevationType } } return valuer diff --git a/pkg/ps/snapshotter_windows.go b/pkg/ps/snapshotter_windows.go index d95b475ef..68801b5ac 100644 --- a/pkg/ps/snapshotter_windows.go +++ b/pkg/ps/snapshotter_windows.go @@ -185,7 +185,7 @@ func (s *snapshotter) Write(e *event.Event) error { e.AppendParam(params.Exe, params.Path, ps.Exe) } - e.AppendParam(params.ProcessIntegrityLevel, params.AnsiString, ps.TokenIntegrityLevel) + e.AppendParam(params.ProcessTokenIntegrityLevel, params.AnsiString, ps.TokenIntegrityLevel) e.AppendParam(params.ProcessTokenElevationType, params.AnsiString, ps.TokenElevationType) e.AppendParam(params.ProcessTokenIsElevated, params.Bool, ps.IsTokenElevated) 
@@ -370,7 +370,7 @@ func (s *snapshotter) newProcState(pid, ppid uint32, e *event.Event) (*pstypes.P Ppid: ppid, Exe: e.GetParamAsString(params.Exe), Name: filepath.Base(e.GetParamAsString(params.Exe)), - TokenIntegrityLevel: e.GetParamAsString(params.ProcessIntegrityLevel), + TokenIntegrityLevel: e.GetParamAsString(params.ProcessTokenIntegrityLevel), TokenElevationType: e.GetParamAsString(params.ProcessTokenElevationType), IsTokenElevated: e.Params.TryGetBool(params.ProcessTokenIsElevated), Threads: make(map[uint32]pstypes.Thread), @@ -460,7 +460,7 @@ func (s *snapshotter) newProcState(pid, ppid uint32, e *event.Event) (*pstypes.P proc.TokenIntegrityLevel = sys.RidToString(tokenMandatoryLabel.Label.Sid) proc.IsTokenElevated = token.IsElevated() - e.AppendParam(params.ProcessIntegrityLevel, params.AnsiString, proc.TokenIntegrityLevel) + e.AppendParam(params.ProcessTokenIntegrityLevel, params.AnsiString, proc.TokenIntegrityLevel) e.AppendParam(params.ProcessTokenIsElevated, params.Bool, proc.IsTokenElevated) } diff --git a/pkg/ps/snapshotter_windows_test.go b/pkg/ps/snapshotter_windows_test.go index 92b1879fd..254c76d2f 100644 --- a/pkg/ps/snapshotter_windows_test.go +++ b/pkg/ps/snapshotter_windows_test.go 
@@ -200,12 +200,12 @@ func TestWriteInternalEventsEnrichment(t *testing.T) {
 {
 Type: event.CreateProcessInternal,
 Params: event.Params{
- params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1024)},
- params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
- params.Exe: {Name: params.Exe, Type: params.UnicodeString, Value: `C:\Windows\System32\svchost.exe`},
- params.ProcessIntegrityLevel: {Name: params.ProcessIntegrityLevel, Type: params.AnsiString, Value: "HIGH"},
- params.ProcessTokenIsElevated: {Name: params.ProcessTokenIsElevated, Type: params.Bool, Value: true},
- params.ProcessTokenElevationType: {Name: params.ProcessTokenElevationType, Type: params.AnsiString, Value: "FULL"},
+ params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1024)},
+ params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
+ params.Exe: {Name: params.Exe, Type: params.UnicodeString, Value: `C:\Windows\System32\svchost.exe`},
+ params.ProcessTokenIntegrityLevel: {Name: params.ProcessTokenIntegrityLevel, Type: params.AnsiString, Value: "HIGH"},
+ params.ProcessTokenIsElevated: {Name: params.ProcessTokenIsElevated, Type: params.Bool, Value: true},
+ params.ProcessTokenElevationType: {Name: params.ProcessTokenElevationType, Type: params.AnsiString, Value: "FULL"},
 },
 },
 },
@@ -236,12 +236,12 @@ func TestWriteInternalEventsEnrichment(t *testing.T) {
 {
 Type: event.CreateProcessInternal,
 Params: event.Params{
- params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1024)},
- params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
- params.Exe: {Name: params.Exe, Type: params.UnicodeString, Value: `C:\Windows\System32\svchost.exe`},
- params.ProcessIntegrityLevel: {Name: params.ProcessIntegrityLevel, Type: params.AnsiString, Value: "HIGH"},
- params.ProcessTokenIsElevated: {Name: params.ProcessTokenIsElevated, Type: params.Bool, Value: true},
- params.ProcessTokenElevationType: {Name: params.ProcessTokenElevationType, Type: params.AnsiString, Value: "FULL"},
+ params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1024)},
+ params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
+ params.Exe: {Name: params.Exe, Type: params.UnicodeString, Value: `C:\Windows\System32\svchost.exe`},
+ params.ProcessTokenIntegrityLevel: {Name: params.ProcessTokenIntegrityLevel, Type: params.AnsiString, Value: "HIGH"},
+ params.ProcessTokenIsElevated: {Name: params.ProcessTokenIsElevated, Type: params.Bool, Value: true},
+ params.ProcessTokenElevationType: {Name: params.ProcessTokenElevationType, Type: params.AnsiString, Value: "FULL"},
 },
 },
 },
@@ -262,12 +262,12 @@ func TestWriteInternalEventsEnrichment(t *testing.T) {
 {
 Type: event.CreateProcessInternal,
 Params: event.Params{
- params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1024)},
- params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
- params.Exe: {Name: params.Exe, Type: params.UnicodeString, Value: `C:\Windows\System32\svchost.exe`},
- params.ProcessIntegrityLevel: {Name: params.ProcessIntegrityLevel, Type: params.AnsiString, Value: "HIGH"},
- params.ProcessTokenIsElevated: {Name: params.ProcessTokenIsElevated, Type: params.Bool, Value: true},
- params.ProcessTokenElevationType: {Name: params.ProcessTokenElevationType, Type: params.AnsiString, Value: "FULL"},
+ params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1024)},
+ params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
+ params.Exe: {Name: params.Exe, Type: params.UnicodeString, Value: `C:\Windows\System32\svchost.exe`},
+ params.ProcessTokenIntegrityLevel: {Name: params.ProcessTokenIntegrityLevel, Type: params.AnsiString, Value: "HIGH"},
+ params.ProcessTokenIsElevated: {Name: params.ProcessTokenIsElevated, Type: params.Bool, Value: true},
+ params.ProcessTokenElevationType: {Name: params.ProcessTokenElevationType, Type: params.AnsiString, Value: "FULL"},
 },
 },
 {