RC-1
177
main.go
177
main.go
@@ -52,31 +52,6 @@ type ChannelConfig struct {
|
||||
IDs map[uint32]bool
|
||||
}
|
||||
|
||||
var channelConfigs = []ChannelConfig{
|
||||
{
|
||||
Name: "System",
|
||||
IDs: map[uint32]bool{
|
||||
1074: true, // Shutdown/Reboot
|
||||
6005: true, // Eventlog gestartet
|
||||
6006: true, // Eventlog gestoppt
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "Application",
|
||||
IDs: map[uint32]bool{
|
||||
1000: true, // Beispiel: Application Error
|
||||
},
|
||||
},
|
||||
// Beispiel:
|
||||
// {
|
||||
// Name: "Security",
|
||||
// IDs: map[uint32]bool{
|
||||
// 4624: true,
|
||||
// 4625: true,
|
||||
// },
|
||||
// },
|
||||
}
|
||||
|
||||
type AgentConfig struct {
|
||||
BackendURL string `json:"backend_url"`
|
||||
EnrollmentKey string `json:"enrollment_key"`
|
||||
@@ -784,16 +759,6 @@ func evtClose(h windows.Handle) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func isIgnorableEvtNextError(err error) bool {
|
||||
var errno syscall.Errno
|
||||
if errors.As(err, &errno) {
|
||||
return errno == windows.ERROR_TIMEOUT ||
|
||||
errno == windows.ERROR_NO_MORE_ITEMS ||
|
||||
errno == ERROR_EVT_INVALID_OPERATION
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func installService() error {
|
||||
exepath, err := os.Executable()
|
||||
if err != nil {
|
||||
@@ -951,8 +916,146 @@ func defaultAgentConfig() *AgentConfig {
|
||||
EnrollmentKey: getenvDefault("SIEM_ENROLLMENT_KEY", "BITTE_SEHR_LANG_UND_ZUFAELLIG"),
|
||||
StateFile: `C:\ProgramData\WinEventForwarder\state.json`,
|
||||
ChannelRules: []ChannelRule{
|
||||
{Name: "System", IDs: []uint32{1074, 6005, 6006}},
|
||||
{Name: "Security", IDs: []uint32{4624, 4625}},
|
||||
|
||||
// =========================
|
||||
// SYSTEM
|
||||
// =========================
|
||||
{
|
||||
Name: "System",
|
||||
IDs: []uint32{
|
||||
1074, // planned shutdown
|
||||
6005, // startup
|
||||
6006, // shutdown
|
||||
6008, // unexpected shutdown
|
||||
7045, // service installed
|
||||
},
|
||||
},
|
||||
|
||||
// =========================
|
||||
// SECURITY
|
||||
// =========================
|
||||
{
|
||||
Name: "Security",
|
||||
IDs: []uint32{
|
||||
|
||||
// --- Logon / Auth ---
|
||||
4624, // logon success
|
||||
4625, // logon failed
|
||||
4648, // explicit credentials
|
||||
4672, // special privileges
|
||||
4673, 4674,
|
||||
|
||||
// --- Security / Audit ---
|
||||
1102, // log cleared
|
||||
4719, // audit policy
|
||||
4902, 4904, 4905, 4906, 4907, 4908, 4912,
|
||||
|
||||
// --- Time ---
|
||||
4616, // system time changed
|
||||
|
||||
// --- User ---
|
||||
4720, 4722, 4723, 4724, 4725, 4726,
|
||||
4738,
|
||||
4740,
|
||||
|
||||
// --- Groups ---
|
||||
4727, 4728, 4729,
|
||||
4730, 4731, 4732, 4733, 4734, 4735, 4737,
|
||||
4754, 4755, 4756, 4757, 4758,
|
||||
|
||||
// --- Computer ---
|
||||
4741, 4742, 4743,
|
||||
|
||||
// --- Kerberos / NTLM ---
|
||||
4768, 4769,
|
||||
4771, 4776,
|
||||
|
||||
// --- Services / Tasks ---
|
||||
4697,
|
||||
4698, 4699,
|
||||
4700, 4701, 4702,
|
||||
|
||||
// --- AD / Directory ---
|
||||
4662, // object access
|
||||
4670, // permission change
|
||||
5136, 5137, 5141,
|
||||
|
||||
// --- Shares ---
|
||||
5140, 5145,
|
||||
|
||||
// --- AD CS ---
|
||||
4882, 4885, 4886, 4887,
|
||||
4890, 4891, 4892,
|
||||
4898, 4899, 4900,
|
||||
|
||||
// --- Defender ---
|
||||
5001, // real-time protection disabled
|
||||
},
|
||||
},
|
||||
|
||||
// =========================
|
||||
// POWERSHELL
|
||||
// =========================
|
||||
{
|
||||
Name: "Microsoft-Windows-PowerShell/Operational",
|
||||
IDs: []uint32{
|
||||
4104, // script block
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "Windows PowerShell",
|
||||
IDs: []uint32{
|
||||
4104,
|
||||
},
|
||||
},
|
||||
|
||||
// =========================
|
||||
// DEFENDER
|
||||
// =========================
|
||||
{
|
||||
Name: "Microsoft-Windows-Windows Defender/Operational",
|
||||
IDs: []uint32{
|
||||
1116, // malware detected
|
||||
1117, // remediation
|
||||
1118, 1119,
|
||||
5007, // config change
|
||||
5013,
|
||||
},
|
||||
},
|
||||
|
||||
// =========================
|
||||
// WMI (Lateral Movement!)
|
||||
// =========================
|
||||
{
|
||||
Name: "Microsoft-Windows-WMI-Activity/Operational",
|
||||
IDs: []uint32{
|
||||
5857, 5858, 5859, 5860, 5861,
|
||||
},
|
||||
},
|
||||
|
||||
// =========================
|
||||
// RDP
|
||||
// =========================
|
||||
{
|
||||
Name: "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
|
||||
IDs: []uint32{
|
||||
1149, // RDP login
|
||||
},
|
||||
},
|
||||
|
||||
// =========================
|
||||
// OPTIONAL (laut!)
|
||||
// =========================
|
||||
|
||||
/*
|
||||
{
|
||||
Name: "Security",
|
||||
IDs: []uint32{
|
||||
4688, // process creation (SEHR LAUT!)
|
||||
},
|
||||
},
|
||||
*/
|
||||
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
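Review bot: The `Windows PowerShell` rule in the new ChannelRules list subscribes to event ID 4104, but as far as I know 4104 (script block logging) is only emitted on `Microsoft-Windows-PowerShell/Operational`, which the preceding rule already covers; the classic `Windows PowerShell` channel uses the engine/pipeline IDs (400, 403, 600, 800), so the rule as written will likely never match an event. Either drop that rule or give it the classic IDs, e.g. `{Name: "Windows PowerShell", IDs: []uint32{400, 403, 600, 800}}`. Likewise `5001, // real-time protection disabled` sits inside the `Security` rule, while that ID belongs to the Defender/Operational log configured further down (which lists 5007 and 5013 but not 5001); moving `5001` into that rule's IDs makes the comment and the subscription agree. The section comments also mix German and English (`OPTIONAL (laut!)`, `SEHR LAUT!`) — worth settling on one language for the whole config block. defaultAgentConfig begins outside the hunk.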
BIN
siem-agent.exe
BIN
siem-agent.exe
Binary file not shown.