sendnrw/siem-agent
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 3 Wiki Activity

RC-1
All checks were successful
build-binaries / build (.exe, amd64, windows) (push) Has been skipped
Details
build-binaries / release (push) Has been skipped
Details
build-binaries / publish-agent (push) Has been skipped
Details

Browse Source
This commit is contained in:
jbergner
2026-04-24 21:57:24 +02:00
parent 7515bda711
commit 670e89efa9
2 changed files with 140 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

177
main.go
View File

@@ -52,31 +52,6 @@ type ChannelConfig struct {
IDs map[uint32]bool IDs map[uint32]bool
} }
var channelConfigs = []ChannelConfig{
{
Name: "System",
IDs: map[uint32]bool{
1074: true, // Shutdown/Reboot
6005: true, // Eventlog gestartet
6006: true, // Eventlog gestoppt
},
},
{
Name: "Application",
IDs: map[uint32]bool{
1000: true, // Beispiel: Application Error
},
},
// Beispiel:
// {
// Name: "Security",
// IDs: map[uint32]bool{
// 4624: true,
// 4625: true,
// },
// },
}
type AgentConfig struct { type AgentConfig struct {
BackendURL string `json:"backend_url"` BackendURL string `json:"backend_url"`
EnrollmentKey string `json:"enrollment_key"` EnrollmentKey string `json:"enrollment_key"`
@@ -784,16 +759,6 @@ func evtClose(h windows.Handle) error {
return nil return nil
} }
func isIgnorableEvtNextError(err error) bool {
var errno syscall.Errno
if errors.As(err, &errno) {
return errno == windows.ERROR_TIMEOUT ||
errno == windows.ERROR_NO_MORE_ITEMS ||
errno == ERROR_EVT_INVALID_OPERATION
}
return false
}
func installService() error { func installService() error {
exepath, err := os.Executable() exepath, err := os.Executable()
if err != nil { if err != nil {
@@ -951,8 +916,146 @@ func defaultAgentConfig() *AgentConfig {
EnrollmentKey: getenvDefault("SIEM_ENROLLMENT_KEY", "BITTE_SEHR_LANG_UND_ZUFAELLIG"), EnrollmentKey: getenvDefault("SIEM_ENROLLMENT_KEY", "BITTE_SEHR_LANG_UND_ZUFAELLIG"),
StateFile: `C:\ProgramData\WinEventForwarder\state.json`, StateFile: `C:\ProgramData\WinEventForwarder\state.json`,
ChannelRules: []ChannelRule{ ChannelRules: []ChannelRule{
{Name: "System", IDs: []uint32{1074, 6005, 6006}},
{Name: "Security", IDs: []uint32{4624, 4625}}, // =========================
// SYSTEM
// =========================
{
Name: "System",
IDs: []uint32{
1074, // planned shutdown
6005, // startup
6006, // shutdown
6008, // unexpected shutdown
7045, // service installed
},
},
// =========================
// SECURITY
// =========================
{
Name: "Security",
IDs: []uint32{
// --- Logon / Auth ---
4624, // logon success
4625, // logon failed
4648, // explicit credentials
4672, // special privileges
4673, 4674,
// --- Security / Audit ---
1102, // log cleared
4719, // audit policy
4902, 4904, 4905, 4906, 4907, 4908, 4912,
// --- Time ---
4616, // system time changed
// --- User ---
4720, 4722, 4723, 4724, 4725, 4726,
4738,
4740,
// --- Groups ---
4727, 4728, 4729,
4730, 4731, 4732, 4733, 4734, 4735, 4737,
4754, 4755, 4756, 4757, 4758,
// --- Computer ---
4741, 4742, 4743,
// --- Kerberos / NTLM ---
4768, 4769,
4771, 4776,
// --- Services / Tasks ---
4697,
4698, 4699,
4700, 4701, 4702,
// --- AD / Directory ---
4662, // object access
4670, // permission change
5136, 5137, 5141,
// --- Shares ---
5140, 5145,
// --- AD CS ---
4882, 4885, 4886, 4887,
4890, 4891, 4892,
4898, 4899, 4900,
// --- Defender ---
5001, // real-time protection disabled
},
},
// =========================
// POWERSHELL
// =========================
{
Name: "Microsoft-Windows-PowerShell/Operational",
IDs: []uint32{
4104, // script block
},
},
{
Name: "Windows PowerShell",
IDs: []uint32{
4104,
},
},
// =========================
// DEFENDER
// =========================
{
Name: "Microsoft-Windows-Windows Defender/Operational",
IDs: []uint32{
1116, // malware detected
1117, // remediation
1118, 1119,
5007, // config change
5013,
},
},
// =========================
// WMI (Lateral Movement!)
// =========================
{
Name: "Microsoft-Windows-WMI-Activity/Operational",
IDs: []uint32{
5857, 5858, 5859, 5860, 5861,
},
},
// =========================
// RDP
// =========================
{
Name: "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
IDs: []uint32{
1149, // RDP login
},
},
// =========================
// OPTIONAL (laut!)
// =========================
/*
{
Name: "Security",
IDs: []uint32{
4688, // process creation (SEHR LAUT!)
},
},
*/
}, },
} }
} }

BIN
siem-agent.exe
View File

Binary file not shown.