Add specialized parsing to powershell classic events

Fixes: #32
Velocidex · May 2, 2024 · aec7324 · aec7324
1 parent 997eb5e
commit aec7324
Show file tree

Hide file tree

Showing 5 changed files with 104 additions and 2 deletions.
diff --git a/config/windows_hayabusa_event_monitoring.yaml b/config/windows_hayabusa_event_monitoring.yaml
@@ -704,7 +704,12 @@ Sources:
 
   '*/windows/powershell-classic':
     query: |
-      SELECT * FROM watch_evtx(accessor='file', filename=ROOT + "/Windows PowerShell.evtx")
+      SELECT *, EventData + dict(
+         Data=EventData.Data[2],
+         HostApplication=parse_string_with_regex(
+           regex="HostApplication=([^\\r\\n]+)",
+           string=EventData.Data[2]).g1) AS EventData
+      FROM watch_evtx(accessor='file', filename=ROOT + "/Windows PowerShell.evtx")
     channel:
       - Windows PowerShell
     fields:

diff --git a/config/windows_hayabusa_rules.yaml b/config/windows_hayabusa_rules.yaml
@@ -696,7 +696,12 @@ Sources:
 
   '*/windows/powershell-classic':
     query: |
-      SELECT * FROM parse_evtx(filename=ROOT + "/Windows PowerShell.evtx")
+      SELECT *, EventData + dict(
+         Data=EventData.Data[2],
+         HostApplication=parse_string_with_regex(
+           regex="HostApplication=([^\\r\\n]+)",
+           string=EventData.Data[2]).g1) AS EventData
+      FROM parse_evtx(filename=ROOT + "/Windows PowerShell.evtx")
     channel:
       - Windows PowerShell
     fields:

diff --git a/tests/testcases/fixtures/powershell_classic.json b/tests/testcases/fixtures/powershell_classic.json
@@ -0,0 +1,35 @@
+{
+    "System": {
+        "Provider": {
+            "Name": "PowerShell"
+        },
+        "EventID": {
+            "Qualifiers": 0,
+            "Value": 400
+        },
+        "Version": 0,
+        "Level": 4,
+        "Task": 6,
+        "Opcode": 0,
+        "Keywords": 36028797018963970,
+        "TimeCreated": {
+            "SystemTime": 1705127155.1681073
+        },
+        "EventRecordID": 1,
+        "Correlation": {},
+        "Execution": {
+            "ProcessID": 0,
+            "ThreadID": 0
+        },
+        "Channel": "Windows PowerShell",
+        "Computer": "WIN-2VKA2DK38DT",
+        "Security": {}
+    },
+    "EventData": {
+        "Data": [
+            "Registry",
+            "Started",
+            "\tProviderName=Registry\r\n\tNewProviderState=Started\r\n\r\n\tSequenceNumber=1\r\n\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.20348.558\r\n\tHostId=1cfcf98e-3a81-443f-91bf-cdc325c0ed3d\r\n\tHostApplication=powershell.exe\r\n\tEngineVersion=\r\n\tRunspaceId=\r\n\tPipelineId=\r\n\tCommandName=\r\n\tCommandType=\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine="
+        ]
+    }
+}
diff --git a/tests/testcases/powershell_classic.in.yaml b/tests/testcases/powershell_classic.in.yaml
@@ -0,0 +1,11 @@
+Parameters:
+  fixture: /testcases/fixtures/powershell_classic.json
+
+Queries:
+- LET _ <= SELECT mock(plugin='parse_evtx', results=[parse_json(data=read_file(filename=testDir+ fixture)),]) FROM scope()
+
+# Check for Details field working correctly - the log source should
+# extract the HostApplication field.
+- SELECT * FROM Artifact.Windows.Hayabusa.Rules(
+    RuleStatus='All Rules', RuleLevel='All', RuleTitleFilter="PwSh Engine Started")
+  LIMIT 1
diff --git a/tests/testcases/powershell_classic.out.yaml b/tests/testcases/powershell_classic.out.yaml
@@ -0,0 +1,46 @@
+LET _ <= SELECT mock(plugin='parse_evtx', results=[parse_json(data=read_file(filename=testDir+ fixture)),]) FROM scope()[]SELECT * FROM Artifact.Windows.Hayabusa.Rules( RuleStatus='All Rules', RuleLevel='All', RuleTitleFilter="PwSh Engine Started") LIMIT 1[
+ {
+  "Timestamp": "2024-01-13T06:25:55.168107271Z",
+  "Computer": "WIN-2VKA2DK38DT",
+  "Channel": "Windows PowerShell",
+  "EID": 400,
+  "Level": "informational",
+  "Title": "PwSh Engine Started",
+  "RecordID": 1,
+  "Details": "HostApplication: powershell.exe",
+  "_Event": {
+   "System": {
+    "Provider": {
+     "Name": "PowerShell"
+    },
+    "EventID": {
+     "Qualifiers": 0,
+     "Value": 400
+    },
+    "Version": 0,
+    "Level": 4,
+    "Task": 6,
+    "Opcode": 0,
+    "Keywords": 36028797018963970,
+    "TimeCreated": {
+     "SystemTime": 1705127155.1681073
+    },
+    "EventRecordID": 1,
+    "Correlation": {},
+    "Execution": {
+     "ProcessID": 0,
+     "ThreadID": 0
+    },
+    "Channel": "Windows PowerShell",
+    "Computer": "WIN-2VKA2DK38DT",
+    "Security": {}
+   },
+   "EventData": {
+    "Data": "\tProviderName=Registry\r\n\tNewProviderState=Started\r\n\r\n\tSequenceNumber=1\r\n\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.20348.558\r\n\tHostId=1cfcf98e-3a81-443f-91bf-cdc325c0ed3d\r\n\tHostApplication=powershell.exe\r\n\tEngineVersion=\r\n\tRunspaceId=\r\n\tPipelineId=\r\n\tCommandName=\r\n\tCommandType=\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine=",
+    "HostApplication": "powershell.exe"
+   },
+   "Message": null
+  },
+  "_Source": "Windows.Hayabusa.Rules"
+ }
+]