
Extract fields from PwSh classic logs #1201

Closed
YamatoSecurity opened this issue Oct 26, 2023 · 9 comments · Fixed by #1220

@YamatoSecurity (Collaborator)

As per these discussions: SigmaHQ/sigma#4510 and Yamato-Security/hayabusa-rules#514
It seems best to extract out fields from the Data field in PwSh classic logs to get the sigma rules to work internally in Hayabusa.

@fukusuket Are you interested in this?

@YamatoSecurity YamatoSecurity added the enhancement New feature or request label Oct 26, 2023
@YamatoSecurity YamatoSecurity added this to the v2.11.0 milestone Oct 26, 2023
@fukusuket (Collaborator)

Thank you so much for the information :) Yes, I would love to implement it!💪

Please let me confirm one thing!
They came to the conclusion that they will use Data fields on the Sigma side, but is it okay to implement this feature?

@YamatoSecurity (Collaborator, Author)

@fukusuket Whoops! Sorry, my English is bad so I misread that part. (flustered) ww
Even so, it is probably better to extract the fields on Hayabusa's side anyways for easier data processing and the ability to create more specific rules that don't use Data if a user chooses to. What do you think?

@fukusuket (Collaborator)

I agree, I think it would be better if the user could choose!
First, before implementing it, I would like to start by checking what we can do :) 💪

@YamatoSecurity (Collaborator, Author)

Sounds good! Let's talk about it at Thursday's meeting.

@fukusuket (Collaborator)

fukusuket commented Nov 2, 2023

memo:

About field localization
SigmaHQ/sigma#4519 (comment)

Also just FYI, something to take care of in hayabusa is that some of the fields are localized. For example HostApplication in a French layout becomes Application hote :)

Elastic Winlogbeat impl
https://qiita.com/rhpenguin/items/6dc4c3f82cd87122958c
https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-module-powershell.html
https://github.com/elastic/beats/blob/master/x-pack/winlogbeat/module/powershell/ingest/powershell.yml

@fukusuket (Collaborator)

fukusuket commented Nov 14, 2023

@YamatoSecurity @hitenkoku
I haven't implemented it yet, but I think the specifications that could be implemented are as follows🤔
What do you think? I hope we can discuss the details at the MTG :)

Processing process

  1. Filter Channel: 'Windows PowerShell' and EventID: 400, 403, 600, 800
  2. Separate fields with \r\n\t
  3. Trim the field with \r\n\t
  4. Field name and value are before and after =

The logic above is the same as the logic below.
https://github.com/elastic/beats/blob/master/x-pack/winlogbeat/module/powershell/ingest/powershell.yml

Processing timing
When reading the evtx (before analyzing the evtx)

Output image
before:

```json
{
    "Timestamp": "2023-10-12 16:29:06.591 +09:00",
    "Computer": "MyComputer",
    "Channel": "PwShClassic",
    "EventID": 400,
    "Level": "info",
    "RecordID": 7,
    "RuleTitle": "PwShClassic",
    "Details": {
    },
    "ExtraFieldInfo": {
        "Data": "Available",
        "Data": "NewEngineState=Available\\r\\n\\tPreviousEngineState=None\\r\\n\\r\\n\\tSequenceNumber=13\\r\\n\\r\\n\\tHostName=ConsoleHost\\r\\n\\tHostVersion=5.1.22621.1778\\r\\n\\tHostId=bafb59f7-0327-4c95-9b52-e515e2c033ff\\r\\n\\tHostApplication=powershell -ExecutionPolicy Bypass -windowstyle hidden -command C:\\mcj\\tool\\win10\\ssd_fw_update\\ssd_fw_update.ps1\\r\\n\\tEngineVersion=5.1.22621.1778\\r\\n\\tRunspaceId=8d3b7b41-5bb3-4bb3-abe4-2c75c231a021\\r\\n\\tPipelineId=\\r\\n\\tCommandName=\\r\\n\\tCommandType=\\r\\n\\tScriptName=\\r\\n\\tCommandPath=\\r\\n\\tCommandLine=",
        "Data": "None"
    }
}
```

after:

```json
{
    "Timestamp": "2023-10-12 16:29:06.591 +09:00",
    "Computer": "MyComputer",
    "Channel": "PwShClassic",
    "EventID": 400,
    "Level": "info",
    "RecordID": 7,
    "RuleTitle": "PwShClassic",
    "Details": {
    },
    "ExtraFieldInfo": {
        "Data": "Available",
        "NewEngineState": "Available",
        "PreviousEngineState": "None",
        "SequenceNumber": "13",
        "HostName": "ConsoleHost",
        "HostVersion": "5.1.22621.1778",
        "HostId": "bafb59f7-0327-4c95-9b52-e515e2c033ff",
        "HostApplication": "powershell -ExecutionPolicy Bypass -windowstyle hidden -command C:\\mcj\\tool\\win10\\ssd_fw_update\\ssd_fw_update.ps1",
        "EngineVersion": "5.1.22621.1778",
        "RunspaceId": "8d3b7b41-5bb3-4bb3-abe4-2c75c231a021",
        "PipelineId": "",
        "CommandName": "",
        "CommandType": "",
        "ScriptName": "",
        "CommandPath": "",
        "CommandLine": "",
        "Data": "None"
    }
}
```

Output CSV in the same way as above.

Option
This process can be enabled with a hayabusa argument (disabled by default).

Should I create a dedicated yml file?
A yml will not be created.

  • It will be implemented as logic within Rust in the first release; a yml will be created when other events also require parsing.

Other notes
After implementing the prototype, evaluate the following:

  • Performance degrades significantly
  • Implementation becomes too complex

If either of the above is the case, we will not release this feature.
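An added example, not Hayabusa's own code, of the four processing steps above written in Rust (the language the comment says the logic will live in). The sample Data string is constructed and shortened from the Event ID 400 record shown above; the script path in it is made up.

```rust
// Added example (not Hayabusa's code): field extraction from the Data field of a
// Windows PowerShell classic log, following the four steps in the comment above.

/// Step 1: only the classic channel with events 400, 403, 600 and 800 is processed.
pub fn is_pwsh_classic_target(channel: &str, event_id: u64) -> bool {
    channel == "Windows PowerShell" && matches!(event_id, 400 | 403 | 600 | 800)
}

/// Steps 2 to 4: split the Data string on "\r\n\t", trim stray "\r\n\t" characters
/// from each piece (the raw log contains "\r\n\r\n\t" runs), and split each piece
/// on its first '=' into (name, value). Pieces without '=' are dropped, so a plain
/// Data value such as "Available" yields no fields. Order is preserved so the
/// result can be emitted into ExtraFieldInfo as-is.
pub fn extract_pwsh_classic_fields(data: &str) -> Vec<(String, String)> {
    data.split("\r\n\t")
        .map(|piece| piece.trim_matches(|c: char| c == '\r' || c == '\n' || c == '\t'))
        .filter(|piece| !piece.is_empty())
        .filter_map(|piece| {
            let (name, value) = piece.split_once('=')?;
            Some((name.trim().to_string(), value.trim().to_string()))
        })
        .collect()
}

/// Constructed sample modelled on the Event ID 400 record above (shortened,
/// not a real capture; the script path is invented).
pub const SAMPLE_DATA: &str = "NewEngineState=Available\r\n\tPreviousEngineState=None\r\n\r\n\tSequenceNumber=13\r\n\r\n\tHostName=ConsoleHost\r\n\tHostApplication=powershell -File C:\\tmp\\example.ps1\r\n\tPipelineId=\r\n\tCommandLine=";

fn main() {
    if is_pwsh_classic_target("Windows PowerShell", 400) {
        for (name, value) in extract_pwsh_classic_fields(SAMPLE_DATA) {
            println!("{}: {:?}", name, value);
        }
    }
}
```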

@YamatoSecurity (Collaborator, Author)

@fukusuket Sounds good to me!

@fukusuket

This comment was marked as outdated.

@fukusuket (Collaborator)

Sorry for changing the specifications so many times... In the end, I created it with specifications #1201 (comment).
