diff --git a/main.go b/main.go
index 4c62a84..679d7a1 100644
--- a/main.go
+++ b/main.go
@@ -52,31 +52,6 @@ type ChannelConfig struct {
 	IDs map[uint32]bool
 }
 
-var channelConfigs = []ChannelConfig{
-	{
-		Name: "System",
-		IDs: map[uint32]bool{
-			1074: true, // Shutdown/Reboot
-			6005: true, // Eventlog gestartet
-			6006: true, // Eventlog gestoppt
-		},
-	},
-	{
-		Name: "Application",
-		IDs: map[uint32]bool{
-			1000: true, // Beispiel: Application Error
-		},
-	},
-	// Beispiel:
-	// {
-	// 	Name: "Security",
-	// 	IDs: map[uint32]bool{
-	// 		4624: true,
-	// 		4625: true,
-	// 	},
-	// },
-}
-
 type AgentConfig struct {
 	BackendURL string `json:"backend_url"`
 	EnrollmentKey string `json:"enrollment_key"`
@@ -784,16 +759,6 @@ func evtClose(h windows.Handle) error {
 	return nil
 }
 
-func isIgnorableEvtNextError(err error) bool {
-	var errno syscall.Errno
-	if errors.As(err, &errno) {
-		return errno == windows.ERROR_TIMEOUT ||
-			errno == windows.ERROR_NO_MORE_ITEMS ||
-			errno == ERROR_EVT_INVALID_OPERATION
-	}
-	return false
-}
-
 func installService() error {
 	exepath, err := os.Executable()
 	if err != nil {
@@ -951,8 +916,146 @@ func defaultAgentConfig() *AgentConfig {
 		EnrollmentKey: getenvDefault("SIEM_ENROLLMENT_KEY", "BITTE_SEHR_LANG_UND_ZUFAELLIG"),
 		StateFile: `C:\ProgramData\WinEventForwarder\state.json`,
 		ChannelRules: []ChannelRule{
-			{Name: "System", IDs: []uint32{1074, 6005, 6006}},
-			{Name: "Security", IDs: []uint32{4624, 4625}},
+
+			// =========================
+			// SYSTEM
+			// =========================
+			{
+				Name: "System",
+				IDs: []uint32{
+					1074, // planned shutdown
+					6005, // startup
+					6006, // shutdown
+					6008, // unexpected shutdown
+					7045, // service installed
+				},
+			},
+
+			// =========================
+			// SECURITY
+			// =========================
+			{
+				Name: "Security",
+				IDs: []uint32{
+
+					// --- Logon / Auth ---
+					4624, // logon success
+					4625, // logon failed
+					4648, // explicit credentials
+					4672, // special privileges
+					4673, 4674,
+
+					// --- Security / Audit ---
+					1102, // log cleared
+					4719, // audit policy
+					4902, 4904, 4905, 4906, 4907, 4908, 4912,
+
+					// --- Time ---
+					4616, // system time changed
+
+					// --- User ---
+					4720, 4722, 4723, 4724, 4725, 4726,
+					4738,
+					4740,
+
+					// --- Groups ---
+					4727, 4728, 4729,
+					4730, 4731, 4732, 4733, 4734, 4735, 4737,
+					4754, 4755, 4756, 4757, 4758,
+
+					// --- Computer ---
+					4741, 4742, 4743,
+
+					// --- Kerberos / NTLM ---
+					4768, 4769,
+					4771, 4776,
+
+					// --- Services / Tasks ---
+					4697,
+					4698, 4699,
+					4700, 4701, 4702,
+
+					// --- AD / Directory ---
+					4662, // object access
+					4670, // permission change
+					5136, 5137, 5141,
+
+					// --- Shares ---
+					5140, 5145,
+
+					// --- AD CS ---
+					4882, 4885, 4886, 4887,
+					4890, 4891, 4892,
+					4898, 4899, 4900,
+
+					// --- Defender ---
+					5001, // real-time protection disabled
+				},
+			},
+
+			// =========================
+			// POWERSHELL
+			// =========================
+			{
+				Name: "Microsoft-Windows-PowerShell/Operational",
+				IDs: []uint32{
+					4104, // script block
+				},
+			},
+			{
+				Name: "Windows PowerShell",
+				IDs: []uint32{
+					4104,
+				},
+			},
+
+			// =========================
+			// DEFENDER
+			// =========================
+			{
+				Name: "Microsoft-Windows-Windows Defender/Operational",
+				IDs: []uint32{
+					1116, // malware detected
+					1117, // remediation
+					1118, 1119,
+					5007, // config change
+					5013,
+				},
+			},
+
+			// =========================
+			// WMI (Lateral Movement!)
+			// =========================
+			{
+				Name: "Microsoft-Windows-WMI-Activity/Operational",
+				IDs: []uint32{
+					5857, 5858, 5859, 5860, 5861,
+				},
+			},
+
+			// =========================
+			// RDP
+			// =========================
+			{
+				Name: "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
+				IDs: []uint32{
+					1149, // RDP login
+				},
+			},
+
+			// =========================
+			// OPTIONAL (laut!)
+			// =========================
+
+			/*
+			{
+				Name: "Security",
+				IDs: []uint32{
+					4688, // process creation (SEHR LAUT!)
+				},
+			},
+			*/
+
 		},
 	}
 }
diff --git a/siem-agent.exe b/siem-agent.exe
index f6eb293..2b1d969 100644
Binary files a/siem-agent.exe and b/siem-agent.exe differ
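Review bot: Two of the new ChannelRules entries will never match anything: `5001, // real-time protection disabled` is listed under the `Security` channel, but that ID with that meaning is emitted by Microsoft-Windows-Windows Defender/Operational (the channel that already carries 5007/5013 below), and the second PowerShell rule subscribes to `4104` on the classic `Windows PowerShell` channel, where script-block logging does not exist as far as I know (that log carries 400/403/600/800). I would drop the `// --- Defender ---` pair from the Security list, add `5001, // real-time protection disabled` next to `5007` in the Defender rule, and either change the classic-channel rule to `800, // pipeline execution details` or delete it, so the coverage the comments promise is actually collected. The `1149, // RDP login` comment is also optimistic: with NLA that event is widely reported to fire on a successful network-level authentication rather than an interactive session, so the real logon evidence is Security 4624 with logon type 10 — worth stating in the comment. Unrelated to the changed lines but visible in the hunk, `EnrollmentKey: getenvDefault("SIEM_ENROLLMENT_KEY", "BITTE_SEHR_LANG_UND_ZUFAELLIG")` ships a well-known fallback secret, so every agent deployed without the env var enrolls with the same guessable key; refusing to start when it is unset would be safer. defaultAgentConfig begins before the hunk, and the commit also updates the compiled siem-agent.exe alongside the source, which reviewers cannot inspect or reproduce from the diff.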