diff --git a/charts/timesketch/.helmignore b/charts/timesketch/.helmignore
new file mode 100644
index 0000000..e746a6c
--- /dev/null
+++ b/charts/timesketch/.helmignore
@@ -0,0 +1 @@
+*/configs/*
\ No newline at end of file
diff --git a/charts/timesketch/Chart.yaml b/charts/timesketch/Chart.yaml
new file mode 100644
index 0000000..3f919a5
--- /dev/null
+++ b/charts/timesketch/Chart.yaml
@@ -0,0 +1,17 @@
+apiVersion: v2
+name: timesketch
+description: |
+ A toolset of DFIR tools
+appVersion: "20240508"
+type: application
+version: 0.1.2
+maintainers:
+- name: Tommy Skaug
+ email: tommy@skaug.me
+keywords:
+- timesketch
+- forensics
+- google
+- scale
+sources:
+- https://github.com/google/osdfir-infrastructure
diff --git a/charts/timesketch/configs/context_links.yaml b/charts/timesketch/configs/context_links.yaml
new file mode 100644
index 0000000..446d396
--- /dev/null
+++ b/charts/timesketch/configs/context_links.yaml
@@ -0,0 +1,46 @@
+hardcoded_modules:
+### format xml dialog
+ xml_formatter:
+ short_name: 'Prettify XML'
+ match_fields:
+ - xml
+ - xml_string
+### unfurl dialog
+ unfurl_graph:
+ short_name: 'Unfurl URL'
+ match_fields:
+ - url
+ - uri
+ - original_url
+
+### Add Threat Intel
+ threat_intel:
+ short_name: 'Add to Threat Intel'
+ match_fields:
+ - url
+ - uri
+ - original_url
+ - ip
+ - ip_address
+ - domain
+ - domain_name
+ - host
+ - hostname
+ - email
+ - email_address
+ - hash
+ - sha256_hash
+ - sha256
+ - sha1_hash
+ - sha1
+ - md5_hash
+ - md5
+
+## External Services
+linked_services:
+### Virustotal Example:
+ virustotal_hash_lookup:
+ short_name: 'VirusTotal'
+ match_fields: ['hash', 'sha256_hash', 'sha256', 'sha1_hash', 'sha1', 'md5_hash', 'md5']
+ context_link: 'https://www.virustotal.com/gui/search/'
+ redirect_warning: TRUE
diff --git a/charts/timesketch/configs/generic.mappings b/charts/timesketch/configs/generic.mappings
new file mode 100644
index 0000000..9fbec14
--- /dev/null
+++ b/charts/timesketch/configs/generic.mappings
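Review bot: The single pattern `*/configs/*` does not, as I read Helm's ignore matching, cover the chart's own `configs/` directory that this commit adds: a pattern containing a slash is matched against the path relative to the chart root and `*` does not cross a path separator, so it would match `something/configs/...` but not `configs/context_links.yaml`. If the intent is to keep the bundled Timesketch configs out of the packaged chart, `configs/*` is the pattern; if they are meant to ship and be read by the templates, the entry is dead and a one-line comment stating what it is supposed to exclude would help the next maintainer. The file is also missing its trailing newline, which git flags here.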
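Review bot: `redirect_warning: TRUE` on the last line of context_links.yaml is the YAML 1.1 boolean spelling; PyYAML accepts it, but the canonical form is `redirect_warning: true`, which also keeps yamllint's truthy check quiet. The `virustotal_hash_lookup` entry under `linked_services` is headed as an example yet is live as shipped: every analyst click sends a case hash to a third-party service, which is exactly what the redirect warning exists for, so it is worth confirming that this deployment wants it enabled by default rather than carrying an upstream sample in. A short comment above `linked_services` stating that policy, e.g. `## External lookups send indicator values off-site; review before enabling`, would make the intent clear to whoever operates the chart.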
@@ -0,0 +1,11 @@
+{
+ "date_detection": false,
+ "properties": {
+ "datetime": {
+ "type": "date"
+ },
+ "timesketch_label": {
+ "type": "nested"
+ }
+ }
+}
diff --git a/charts/timesketch/configs/intelligence_tag_metadata.yaml b/charts/timesketch/configs/intelligence_tag_metadata.yaml
new file mode 100644
index 0000000..127f38d
--- /dev/null
+++ b/charts/timesketch/configs/intelligence_tag_metadata.yaml
@@ -0,0 +1,30 @@
+# Configuration file for tags that need highlighting in the intelligence page
+#
+# For each tag name, the following attributes are defined:
+# * weight: Used for ordering, tags with larger weight will appear first in the list of tags.
+# * class: Used in the UI to defined a Buefy class to color the tag with (common classes are danger, warning, success, and info)
+#
+# The `regex` attribute is used to specify regexes to match against the tags. 1:1 tag matches take precedence over regex matches.
+#
+# With the configuration below, an IOC with the 'malware' tag will have that tag displayed first (heavy weight), in red (danger)
+
+malware:
+ weight: 100
+ class: 'danger'
+
+suspicious:
+ weight: 50
+ class: 'warning'
+
+legit:
+ weight: 10
+ class: 'success'
+
+default:
+ weight: 0
+ class: 'info'
+
+regexes:
+ '^GROUPNAME':
+ weight: 100
+ class: 'danger'
diff --git a/charts/timesketch/configs/ontology.yaml b/charts/timesketch/configs/ontology.yaml
new file mode 100644
index 0000000..9a5a269
--- /dev/null
+++ b/charts/timesketch/configs/ontology.yaml
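Review bot: The header comment of intelligence_tag_metadata.yaml documents a `regex` attribute, but the key the file actually uses is `regexes:` near the end of the hunk, so a reader who copies the documented name gets a section that is silently ignored; change the comment line to `# The regexes section is used to specify regexes to match against the tags. 1:1 tag matches take precedence over regex matches.`. The `'^GROUPNAME'` pattern reads like a placeholder rather than a tag family this deployment uses, so either drop it or precede it with a comment such as `# Example entry; replace GROUPNAME with a real tag prefix` so it is not mistaken for a configured rule.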
@@ -0,0 +1,38 @@
+# Define the ontology that is available for Timesketch.
+# An ontology needs to define the name, which is what will
+# be used to identify the ontology.
+# + cast_as is used to define how the value should be
+# interpreted in code.
+# + description is a short text describing the ontology.
+
+text:
+ cast_as: str
+ description: "Free form text."
+
+int:
+ cast_as: int
+ description: "Integer"
+
+url.safe:
+ cast_as: str
+ description: "Safe URL that can be visited."
+
+url.bad:
+ cast_as: str
+ description: "URL related to a sketch, can morph into a search."
+
+domain:
+ cast_as: str
+ description: "Domain related to a sketch, can morp into a search."
+
+float:
+ cast_as: float
+ description: "Float."
+
+bool:
+ cast_as: bool
+ description: "Boolean, True or False values."
+
+intelligence:
+ cast_as: dict
+ description: "Set of key/value pairs to summarize an intelligence report."
diff --git a/charts/timesketch/configs/plaso.mappings b/charts/timesketch/configs/plaso.mappings
new file mode 100644
index 0000000..91f3f19
--- /dev/null
+++ b/charts/timesketch/configs/plaso.mappings
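Review bot: The `domain` entry's description reads `can morp into a search`; since these strings are presented to users, it should be `description: "Domain related to a sketch, can morph into a search."`. The `url.bad` description says only that the URL relates to a sketch, which is the same thing `domain` says and nothing about how it differs from `url.safe` ("Safe URL that can be visited."); a description that states the URL is not to be visited directly would let a reader tell the two apart without opening the code that consumes `cast_as`.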
@@ -0,0 +1,87 @@
+{
+ "properties": {
+ "application": {
+ "type": "text",
+ "fields": {
+ "keyword": {"type": "keyword"}}
+ },
+ "timesketch_label": {
+ "type": "nested"
+ },
+ "datetime": {
+ "type": "date"
+ },
+ "data": {
+ "type": "text",
+ "fields": {"keyword": {"type": "keyword"}}
+ },
+ "doc_type": {
+ "type": "text",
+ "fields": {"keyword": {"type": "keyword"}}
+ },
+ "event_type": {
+ "type": "text",
+ "fields": {"keyword": {"type": "keyword"}}
+ },
+ "exit_status": {
+ "type": "text",
+ "fields": {"keyword": {"type": "keyword"}}
+ },
+ "facility": {
+ "type": "text",
+ "fields": {"keyword": {"type": "keyword"}}
+ },
+ "file_reference": {
+ "type": "text",
+ "fields": {"keyword": {"type": "keyword"}}
+ },
+ "file_size": {
+ "type": "text",
+ "fields": {"keyword": {"type": "keyword"}}
+ },
+ "flags": {
+ "type": "text",
+ "fields": {"keyword": {"type": "keyword"}}
+ },
+ "identifier": {
+ "type": "text",
+ "fields": {"keyword": {"type": "keyword"}}
+ },
+ "message_status": {
+ "type": "text",
+ "fields": {"keyword": {"type": "keyword"}}
+ },
+ "message_type": {
+ "type": "text",
+ "fields": {"keyword": {"type": "keyword"}}
+ },
+ "offset": {
+ "type": "text",
+ "fields": {"keyword": {"type": "keyword"}}
+ },
+ "sequence_number": {
+ "type": "text",
+ "fields": {"keyword": {"type": "keyword"}}
+ },
+ "severity": {
+ "type": "text",
+ "fields": {"keyword": {"type": "keyword"}}
+ },
+ "source_port": {
+ "type": "text",
+ "fields": {"keyword": {"type": "keyword"}}
+ },
+ "user_identifier": {
+ "type": "text",
+ "fields": {"keyword": {"type": "keyword"}}
+ },
+ "version": {
+ "type": "text",
+ "fields": {"keyword": {"type": "keyword"}}
+ },
+ "http_response_bytes": {
+ "type": "text",
+ "fields": {"keyword": {"type": "keyword"}}
+ }
+ }
+}
diff --git a/charts/timesketch/configs/plaso_formatters.yaml b/charts/timesketch/configs/plaso_formatters.yaml
new file mode 100644
index 0000000..94efbf5
--- /dev/null
+++ b/charts/timesketch/configs/plaso_formatters.yaml
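Review bot: The `application` property at the top of the hunk splits its `fields` object over two lines with the closing braces bunched on the second (`"keyword": {"type": "keyword"}}` followed by `},`), while every other property uses the one-line `"fields": {"keyword": {"type": "keyword"}}` form; it parses, but it is the one place a reader has to count braces, so it should use the same one-line form as its siblings. `file_size`, `offset`, `source_port`, `sequence_number` and `http_response_bytes` are mapped as `text` with a keyword sub-field, which rules out numeric range queries on them; if that is deliberate, to tolerate non-numeric values from some parsers, a line in the chart README saying so would stop the next maintainer from "fixing" it, since the mappings file itself cannot carry a comment.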
@@ -0,0 +1,23 @@
+# Plaso uses formatter definitions to format events into a human readable format.
+# The formatter definitions are defined in YAML and loaded by Plaso at runtime.
+# This file overrides or extend the default formatter definitions.
+# For more information about the formatter definitions see: https://plaso.readthedocs.io/en/latest/sources/user/Output-and-formatting.html#formatter-configuration-file-format
+
+# Windows Event Log (EVTX) formatter definitions.
+type: 'conditional'
+data_type: 'windows:evtx:record'
+custom_helpers:
+ - identifier: 'windows_eventlog_message'
+ output_attribute: 'message_string'
+message:
+ - '[{event_identifier}]'
+ - '{message_string}'
+ - 'Source Name: {source_name}'
+ - 'Strings: {strings}'
+short_message:
+ - '[{event_identifier} / 0x{event_identifier:04x}]'
+ - 'Source Name: {source_name}'
+ - 'Strings: {strings}'
+ - 'Provider identifier: {provider_identifier}'
+short_source: 'EVTX'
+source: 'WinEVTX'
diff --git a/charts/timesketch/configs/regex_features.yaml b/charts/timesketch/configs/regex_features.yaml
new file mode 100644
index 0000000..a525f5c
--- /dev/null
+++ b/charts/timesketch/configs/regex_features.yaml
@@ -0,0 +1,182 @@
+# Config file for the feature extraction analyzer.
+# A feature extraction definition looks like this:
+# name:
+# # Define either a query_string or query_dsl.
+# query_string: *
+# query_dsl:
+# # Mandatory fields.
+# attribute:
+# store_as:
+# re:
+# # Optional fields.
+# re_flags: []
+# emojis: []
+# tags: []
+# overwrite_store_as: True
+# overwrite_and_merge_store_as: False
+# store_type_list: False
+# keep_multimatch: False
+#
+# Each definition needs to define either a query_string or a query_dsl.
+#
+# re_flags is a list of flags as strings from the re module. These include:
+# - DEBUG
+# - DOTALL
+# - IGNORECASE
+# - LOCALE
+# - MULTILINE
+# - TEMPLATE
+# - UNICODE
+# - VERBOSE
+#
+# The fields tags and emojis are optional.
+#
+# The field store_as defines the name of the attribute the feature is
+# stored as.
+#
+# The overwrite_store_as is an optional boolean that determines if
+# we want to overwrite the field store_as if it already exists.
+#
+# The overwrite_and_merge_store_as is an optional boolean that determines
+# if we want to overwrite the field store_as and merge the existing values.
+#
+# The store_type_list is an optional boolean that determines if we want to
+# store the extracted data in List type (default is text).
+#
+# The keep_multimatch is an optional boolean that determines if we want to
+# store all matching results (default store first result).
+#
+# The feature extraction works in the way that the query is run, and
+# the regular expression is run against the attribute to extract a value.
+# The first value extracted is then stored inside the "store_as" attribute.
+# If there are emojis or tags defined they are also applied to that event.
+# ------------------------------------------------------------------------
+
+email_addresses:
+ query_string: 'source_short:"WEBHIST"'
+ attribute: 'message'
+ store_as: 'email_address'
+ re: '([a-zA-Z0-9_\.+\-]+@[a-zA-Z0-9\-]+\.[a-zA-Z0-9\-\.]+)'
+ re_flags: []
+ tags: ['email-address']
+
+gmail_accounts:
+ query_string: 'source_short:"WEBHIST" AND url:"mail.google.com"'
+ attribute: 'message'
+ store_as: 'found_account'
+ re: '[a-zA-Z0-9_\.+\-]+@(gmail|googlemail)\.com'
+ re_flags: []
+ tags: ['gmail-account']
+ emojis: ['ID_BUTTON']
+
+github_accounts:
+ query_string: 'source_short:"WEBHIST" AND
+ url:"https://github.com/users" AND title:"Your Profile"'
+ attribute: 'url'
+ store_as: 'found_account'
+ re: 'https://github.com/users/([A-z-\d]{1,39})'
+ re_flags: []
+ tags: ['github-account']
+ emojis: ['ID_BUTTON']
+
+# Linkedin account extraction from profile edit url
+linkedin_accounts:
+ query_string: 'source_short:"WEBHIST" AND
+ url:"https://www.linkedin.com/in/" AND url:"/edit/"'
+ attribute: 'url'
+ store_as: 'found_account'
+ re: 'https://www.linkedin.com/in/([A-z-\d]{5,32})/edit/'
+ tags: ['linkedin-account']
+ emojis: ['ID_BUTTON']
+
+rdp_ts_ipv4_addresses:
+ query_string: 'data_type:"windows:evtx:record" AND
+ source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager"'
+ attribute: 'strings'
+ store_as: 'ip_address'
+ re: '(?:[0-9]{1,3}\.){3}[0-9]{1,3}'
+
+rdp_rds_ipv4_addresses:
+ query_string: 'data_type:"windows:evtx:record" AND
+ source_name:"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS"'
+ attribute: 'strings'
+ store_as: 'client_ip'
+ re: '(?:[0-9]{1,3}\.){3}[0-9]{1,3}'
+
+ssh_client_ipv4_addresses:
+ query_string: 'reporter:"sshd"'
+ attribute: 'message'
+ store_as: 'client_ip'
+ re: 'Connection from ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+ on (?:[0-9]{1,3}\.){3}[0-9]{1,3} port \d+(?: rdomain ? 
 .*)?$'
+
+ssh_client_ipv4_addresses_2:
+ query_string: 'reporter:"sshd"'
+ attribute: 'message'
+ store_as: 'client_ip'
+ re: 'Connection [a-z]+ by ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+'
+
+ssh_host_ipv4_addresses:
+ query_string: 'reporter:"sshd"'
+ attribute: 'message'
+ store_as: 'host_ip'
+ re: '^\[sshd\] \[\d+\]: Connection from (?:[0-9]{1,3}\.){3}[0-9]{1,3} port \d+ on ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+(?: rdomain ? .*)?$'
+
+ssh_client_password_ipv4_addresses:
+ query_string: 'reporter:"sshd"'
+ attribute: 'message'
+ store_as: 'client_ip'
+ re: '(?:Accepted|Failed) (?:password|publickey) for \w+ from ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+'
+
+ssh_disconnected_username:
+ query_string: 'reporter:"sshd"'
+ attribute: 'body'
+ store_as: 'username'
+ re: 'Disconnected\s+from user (?P[^\s]+) [^\s]+ port \d+$'
+
+ssh_disconnected_ip_address:
+ query_string: 'reporter:"sshd"'
+ attribute: 'body'
+ store_as: 'ip_address'
+ re: 'Disconnected from user [^\s]+ (?P[^\s]+) port \d+$'
+
+ssh_disconnected_port:
+ query_string: 'reporter:"sshd"'
+ attribute: 'body'
+ store_as: 'port'
+ re: 'Disconnected from user [^\s]+ [^\s]+ port (?P\d+)$'
+
+ssh_failed_username:
+ query_string: 'reporter:"sshd"'
+ attribute: 'body'
+ store_as: 'username'
+ re: 'Failed password for (?:invalid user)?\s*(?P[^\s]+) from [^\s]+ port \d+ ssh\d'
+
+ssh_failed_ip_address:
+ query_string: 'reporter:"sshd"'
+ attribute: 'body'
+ store_as: 'ip_address'
+ re: 'Failed password for (?:invalid user)?\s*[^\s]+ from (?P[^\s]+) port \d+ ssh\d'
+
+ssh_failed_port:
+ query_string: 'reporter:"sshd"'
+ attribute: 'body'
+ store_as: 'port'
+ re: 'Failed password for (?:invalid user)?\s*[^\s]+ from [^\s]+ port (?P\d+) ssh\d'
+
+ssh_failed_method:
+ query_string: 'reporter:"sshd"'
+ attribute: 'body'
+ store_as: 'authentication_method'
+ re: 'Failed (?P[^\s]+) for .*ssh\d'
+
+win_bits_client_ipv4_addresses:
+ query_string: 'data_type:"windows:evtx:record" AND 
 source_name:Microsoft-Windows-Bits-Client'
+ attribute: 'strings'
+ store_as: 'ip_address'
+ re: '(?:[0-9]{1,3}\.){3}[0-9]{1,3}'
+
+win_bits_client_url:
+ query_string: 'data_type:"windows:evtx:record" AND source_name:Microsoft-Windows-Bits-Client'
+ attribute: 'strings'
+ store_as: 'url'
+ re: '(?<=")(?:(?:https?:\/\/)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+)(?:[\/\?#][^\s,"]*)?(?=")'
diff --git a/charts/timesketch/configs/sigma_config.yaml b/charts/timesketch/configs/sigma_config.yaml
new file mode 100644
index 0000000..fde109f
--- /dev/null
+++ b/charts/timesketch/configs/sigma_config.yaml
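Review bot: The `ssh_disconnected_*` and `ssh_failed_*` patterns appear here as `(?P[^\s]+)` and `(?P\d+)`, a named group with no name, which Python's `re` rejects at compile time and which would stop the whole feature-extraction analyzer from loading; most likely the `<name>` part was stripped when this diff was rendered, so verify the committed file still reads `(?P<username>[^\s]+)` and friends before relying on it. Separately, the `github_accounts` and `linkedin_accounts` patterns use the character class `[A-z-\d]`: the range `A-z` also spans `[`, `\`, `]`, `^`, `_` and the backtick, so `([A-Za-z\d-]{1,39})` and `([A-Za-z\d-]{5,32})` are the classes that match only letters, digits and hyphens. The `ssh_client_ipv4_addresses` regex runs across a rendered line break in the hunk; confirm it is a single line in the file, as `ssh_host_ipv4_addresses` is.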
@@ -0,0 +1,367 @@
+title: Timesketch Sigma config
+order: 20
+backends:
+ - es-dsl
+ - es-qs
+ - es-qr
+ - es-rule
+logsources:
+ linux_file:
+ category: file_event
+ product: linux
+ conditions:
+ data_type: "fs:stat"
+ linux_network:
+ category: network_connection
+ product: linux
+ conditions:
+ data_type:
+ - "shell:zsh:history"
+ - "bash:history:command"
+ - "apt:history:line"
+ - "selinux:line"
+ - "syslog"
+ linux_process_creation:
+ category: process_creation
+ product: linux
+ conditions:
+ data_type:
+ - "shell:zsh:history"
+ - "bash:history:command"
+ - "apt:history:line"
+ - "selinux:line"
+ sshd:
+ service: sshd
+ conditions:
+ data_type: "syslog/sshd"
+ auth:
+ service: auth
+ conditions:
+ data_type: "syslog"
+ apache:
+ product: apache
+ conditions:
+ data_type: "apache:access"
+ vsftp:
+ service: vsftp
+ conditions:
+ data_type: "vsftpd:log"
+ webserver:
+ category: webserver
+ conditions:
+ data_type:
+ - "apache:access"
+ - "iis:log:line"
+ santa:
+ category: osx_santa
+ conditions:
+ data_type:
+ - "filesystem:santa:entry"
+ shell:
+ service: shell
+ conditions:
+ data_type:
+ - "shell:zsh:history"
+ - "bash:history:command"
+ - "apt:history:line"
+ - "selinux:line"
+ selinux:
+ service: selinux
+ conditions:
+ data_type:
+ - "selinux:line"
+ winprefetch:
+ service: winprefetch
+ conditions:
+ data_type: "windows:prefetch:execution"
+ product_windows:
+ product: windows
+ conditions:
+ data_type: "windows:evtx:record"
+ service_windows_security:
+ service: security
+ conditions:
+ source_name:
+ - "Microsoft-Windows-Security-Auditing"
+ - "Microsoft-Windows-Eventlog"
+ service_windows_system:
+ service: system
+ conditions:
+ source_name:
+ - "Microsoft-Windows-Eventlog"
+ powershell:
+ service: powershell
+ conditions:
+ source_name:
+ - "Microsoft-Windows-Security-Auditing"
+ files:
+ service: filesystem
+ conditions:
+ data_type:
+ - "fs:stat"
+ - "fs:mactime:line"
+ - "filesystem:santa:entry"
+ - "fs:bodyfile:entry"
+ sysmon:
+ service: 
 sysmon
+ conditions:
+ source_name:
+ - "Microsoft-Windows-Sysmon"
+ syslog:
+ service: syslog
+ conditions:
+ data_type:
+ - "syslog:line"
+ # GCP
+ gcp_audit:
+ service: gcp.audit
+ conditions:
+ query:
+ - "cloudaudit.googleapis.com"
+ # log source configurations for generic sigma rules
+ process_creation:
+ category: process_creation
+ product: windows
+ conditions:
+ EventID:
+ - 1
+ - 4688
+ source_name:
+ - "Microsoft-Windows-Sysmon"
+ - "Microsoft-Windows-Security-Auditing"
+ - "Microsoft-Windows-Eventlog"
+ fieldmappings:
+ Image: NewProcessName
+ ParentImage: ParentProcessName
+ network_connection:
+ category: network_connection
+ product: windows
+ conditions:
+ EventID: 3
+ rewrite:
+ product: windows
+ service: sysmon
+ process_terminated:
+ category: process_termination
+ product: windows
+ conditions:
+ EventID: 5
+ rewrite:
+ product: windows
+ service: sysmon
+ driver_loaded:
+ category: driver_load
+ product: windows
+ conditions:
+ EventID: 6
+ rewrite:
+ product: windows
+ service: sysmon
+ image_loaded:
+ category: image_load
+ product: windows
+ conditions:
+ EventID: 7
+ rewrite:
+ product: windows
+ service: sysmon
+ create_remote_thread:
+ category: create_remote_thread
+ product: windows
+ conditions:
+ EventID: 8
+ rewrite:
+ product: windows
+ service: sysmon
+ raw_access_thread:
+ category: raw_access_thread
+ product: windows
+ conditions:
+ EventID: 9
+ rewrite:
+ product: windows
+ service: sysmon
+ process_access:
+ category: process_access
+ product: windows
+ conditions:
+ EventID: 10
+ rewrite:
+ product: windows
+ service: sysmon
+ file_creation:
+ category: file_event
+ product: windows
+ conditions:
+ EventID: 11
+ rewrite:
+ product: windows
+ service: sysmon
+ registry_event:
+ category: registry_event
+ product: windows
+ conditions:
+ EventID:
+ - 12
+ - 13
+ - 14
+ rewrite:
+ product: windows
+ service: sysmon
+ create_stream_hash:
+ category: create_stream_hash
+ product: windows
+ conditions:
+ EventID: 15
+ rewrite: 
 product: windows
+ service: sysmon
+ pipe_created:
+ category: pipe_created
+ product: windows
+ conditions:
+ EventID:
+ - 17
+ - 18
+ rewrite:
+ product: windows
+ service: sysmon
+ wmi_event:
+ category: wmi_event
+ product: windows
+ conditions:
+ EventID:
+ - 19
+ - 20
+ - 21
+ rewrite:
+ product: windows
+ service: sysmon
+ dns_query:
+ category: dns_query
+ product: windows
+ conditions:
+ EventID: 22
+ rewrite:
+ product: windows
+ service: sysmon
+ file_delete:
+ category: file_delete
+ product: windows
+ conditions:
+ EventID: 23
+ rewrite:
+ product: windows
+ service: sysmon
+ ssh:
+ service: ssh
+ conditions:
+ data_type:
+ - "syslog:ssh:login"
+ - "syslog:line"
+fieldmappings:
+ EventID: event_identifier
+ ComputerName: computer_name
+ EventType: event_type
+ EventIdentifier: event_identifier
+ ObjectName: xml_string # that is a bit hacky but the processName is currently not being parsed that is why searching in the raw xml
+ ObjectType: xml_string # that is a bit hacky but the processName is currently not being parsed that is why searching in the raw xml
+ ProcessName: xml_string # that is a bit hacky but the processName is currently not being parsed that is why searching in the raw xml
+ GroupSid: xml_string
+ CommandLine: xml_string
+ ServiceName: xml_string
+ Service: xml_string
+ Message: xml_string
+ keywords: xml_string # that might be wrong, only introduced during powershell stuff
+ Source: message
+ LogonType: xml_string
+ LogonProcessName: xml_string
+ LogonGuid: xml_string
+ SubjectDomainName: xml_string
+ SubjectUserName: xml_string
+ TargetUserSid: xml_string
+ TargetUserName: xml_String
+ TargetDomainName: xml_string
+ TargetLogonId: xml_string
+ AuthenticationPackageName: xml_string
+ WorkstationName: xml_string
+ TransmittedServices: xml_string
+ ProcessId: xml_string
+ IpAddress: xml_string
+ IpPort: xml_String #not sure if that mapping is used somewhere else
+ SourceNetworkAddress: xml_string
+ TargetOutboundUserName: xml_string
+ 
 TargetOutboundDomainName: xml_string
+ Level: xml_string # this might also cause conflicts.
+ ServiceFileName: xml_string
+ ObjectValueName: xml_string
+ DestPort: xml_string
+ LayerRTID: xml_string
+ AccessMask: xml_string
+ ShareName: xml_string
+ RelativeTargetName: xml_string
+ AccountName: xml_string
+ PrivilegeList: xml_string
+ SubjectLogonId: xml_string
+ CallingProcessName: xml_string
+ SAMAccountName: xml_string
+ ObjectServer: xml_string
+ Properties: xml_string
+ HiveName: xml_string
+ AttributeLDAPDisplayName: xml_string
+ GroupName: xml_string
+ UserName: xml_string
+ DeviceDescription: xml_string
+ DeviceClassName: xml_string
+ TicketOptions: xml_string
+ TicketEncryptionType: xml_string
+ SourceWorkstation: xml_string
+ DestinationAddress: xml_string
+ DestinationPort: xml_string
+ SourceAddress: xml_string
+ Keywords: xml_string
+ LDAPDisplayName: xml_string
+ AuditPolicyChanges: xml_string
+ SourceImage: xml_string
+ TargetImage: xml_string
+ TargetFilename:
+ product=linux: filename
+ default: xml_string
+ ImageLoaded: xml_string
+ QueryName: xml_string
+ TargetProcessAddress: xml_string
+ TargetObject: xml_string
+ Signature: xml_string
+ StartModule: xml_string
+ StartFunction: xml_string
+ IntegrityLevel: xml_string
+ Description: xml_string
+ Signed: xml_string
+ ScriptBlockText: xml_string
+ ContextInfo: xml_string
+ OriginalFileName: xml_string # 80167ada-7a12-41ed-b8e9-aa47195c66a1
+ Payload: xml_string
+ HostName: xml_string #96b9f619-aa91-478f-bacb-c3e50f8df575
+ HostApplication: xml_string #96b9f619-aa91-478f-bacb-c3e50f8df575
+ gcp.audit.method_name: methodName
+ ParentImage: xml_string
+ Mutex: message
+ Value:
+ service=windefend: xml_string
+ default: Value
+ Provider_Name: xml_string
+ param1: #6c0a7755-6d31-44fa-80e1-133e57752680
+ product=windows: xml_string
+ default: param1
+ param2: #6c0a7755-6d31-44fa-80e1-133e57752680
+ product=windows: xml_string
+ default: param2
+ GrantedAccess: xml_string 
 #aa35a627-33fb-4d04-a165-d33b4afca3e8
+ DestinationIp:
+ product=linux: message
+ product=windows: xml_string
+ default: message
+ Image: #42df45e7-e6e9-43b5-8f26-bec5b39cc239
+ product=linux: message
+ product=windows: xml_string
+ default: message
diff --git a/charts/timesketch/configs/tags.yaml b/charts/timesketch/configs/tags.yaml
new file mode 100644
index 0000000..56597cc
--- /dev/null
+++ b/charts/timesketch/configs/tags.yaml
@@ -0,0 +1,39 @@
+# Config file for the tagger analyzer.
+#
+# Please refer to docs/guides/analyzers/tagger.md for
+# instructions on how to edit this file.
+
+gcs_bucket_creation_tagger:
+ query_string: 'serviceName: "storage.googleapis.com" AND methodName: "storage.buckets.create"'
+ tags: ['gcs-bucket-create']
+ emojis: ['BUCKET', 'SPARKLES']
+ save_search: true
+ search_name: 'Bucket creation'
+
+gcs_bucket_permission_added_tagger:
+ query_string: 'serviceName: "storage.googleapis.com" AND methodName: "storage.setIamPermissions" AND policyDelta:*ADD*'
+ tags: ['gcs-bucket-add']
+ emojis: ['BUCKET', 'PERSON_STANDING']
+ save_search: true
+ search_name: 'Bucket permission - Add'
+
+gcs_bucket_permission_remove_tagger:
+ query_string: 'serviceName: "storage.googleapis.com" AND methodName: "storage.setIamPermissions" AND policyDelta:*REMOVE*'
+ tags: ['gcs-bucket-remove']
+ emojis: ['BUCKET', 'WASTEBASKET']
+ save_search: true
+ search_name: 'Bucket permission - Remove'
+
+gcs_bucket_permission_world_added_tagger:
+ query_string: 'serviceName: "storage.googleapis.com" AND methodName: "storage.setIamPermissions" AND policyDelta:*ADD allUsers* OR policyDelta:*ADD allAuthenticatedUsers*'
+ tags: ['gcs-bucket-world-add']
+ emojis: ['BUCKET', 'GLOBE']
+ save_search: true
+ search_name: 'Bucket permission - World Readable'
+
+yara_match_tagger:
+ query_string: '_exists_:yara_match AND NOT yara_match.keyword:"-"'
+ tags: ['yara', '$yara_match']
+ modifiers: ['split']
+ save_search: true
+ search_name: 'Yara rule matches'
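Review bot: Two entries in `fieldmappings` of sigma_config.yaml map to `xml_String` with a capital S — `TargetUserName: xml_String` and `IpPort: xml_String #not sure if that mapping is used somewhere else` — while every other entry maps to `xml_string`; any Sigma rule keyed on TargetUserName (most of the logon rules) or IpPort is translated into a query against a field the index does not have and silently matches nothing. Change both to `TargetUserName: xml_string` and `IpPort: xml_string`. Further up, the `powershell` logsource under `logsources` matches `source_name: Microsoft-Windows-Security-Auditing`, which looks like a copy of the security stanza rather than the provider PowerShell writes its script-block and module events under; rules with `service: powershell` would then be evaluated against the wrong events, so this is worth confirming against what plaso puts in `source_name` for those channels. A comment on that stanza naming the provider it is meant to catch would make the intent checkable.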
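Review bot: In `gcs_bucket_permission_world_added_tagger` of tags.yaml the query `... AND policyDelta:*ADD allUsers* OR policyDelta:*ADD allAuthenticatedUsers*` mixes AND and OR without parentheses; as the classic Lucene/Elasticsearch query_string parser handles mixed operators, the OR clause becomes an optional term rather than a true alternative, so a grant to `allAuthenticatedUsers` alone is not tagged. Group the alternatives: `... AND (policyDelta:*ADD allUsers* OR policyDelta:*ADD allAuthenticatedUsers*)`. The space inside `*ADD allUsers*` also ends the field-scoped term with that parser, so `allUsers*` is searched in the default field rather than in `policyDelta`; if that is not what the running version does, `policyDelta:(*ADD* AND *allUsers*)` expresses the intent without depending on it. The same unparenthesised form is not present in the other three GCS taggers, which is why only this one is flagged.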
diff --git a/charts/timesketch/configs/winevt_features.yaml b/charts/timesketch/configs/winevt_features.yaml
new file mode 100644
index 0000000..09132a3
--- /dev/null
+++ b/charts/timesketch/configs/winevt_features.yaml
@@ -0,0 +1,1011 @@
+# Config file for the windows event (winevt) plugin of the feature extraction
+# analyzer.
+# A winevt feature extraction definition looks like this:
+#
+# name:
+#
+# source_name: Type: list[str] | REQUIRED | case-insensitive
+# A list of source names to match against. Multiple
+# entries will be checked with OR.
+#
+# provider_identifier: Type: list[str] | OPTIONAL | case-insensitive
+# A list of provider identifiers to match against.
+# Multiple entries will be checked with OR.
+#
+# event_version: Type: int | REQUIRED
+# The event version to match against.
+#
+# event_identifier: Type: int | REQUIRED
+# The event identifier to match against.
+#
+# references: Type: list[str] | OPTIONAL
+# A list of references to provide as context and
+# source for the event mapping. E.g. a URL to the
+# official Microsoft documentation on the event.
+#
+# mapping: Type: list[dict] | REQUIRED
+# A list of dicts that define the new attribute name
+# and the string index of the event to extract the
+# value from. Additonally it can also contain an
+# alias list to add multiple attributes with
+# the same value but different names.
+#
+# name: Type: str | REQUIRED
+# The name of the new attribute to create.
+#
+# string_index: Type: int | REQUIRED | Starting at index 0
+# The string index of the event to extract the
+# value from. Based on the plaso extracted "strings"
+# attribute with Windows eventlog entries.
+#
+# aliases: Type: list[str] | OPTIONAL
+# A list of aliases to add additionally to the
+# offical name of the attribute. This can be used
+# to add different field names matching individual
+# field name ontologies. E.g. srcIP, domain, etc.
+#
+# For more details and examples of such an extraction check the Timesketch
+# documentation:
+#
+# https://timesketch.org/guides/analyzers/feature_extraction/
+#
+# ------------------------------------------------------------------------
+# 4624: An account was successfully logged on.
+## Windows Server 2008, Windows Vista +security_4624_v0: + source_name: + - Microsoft-Windows-Security-Auditing + provider_identifier: + - '{54849625-5478-4994-a5ba-3e3b0328c30d}' + event_identifier: 4624 + event_version: 0 + references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624 + mapping: + - name: subject_user_sid + string_index: 0 + - name: subject_user_name + string_index: 1 + aliases: + - subject_username + - name: subject_domain_name + string_index: 2 + aliases: + - subject_domain + - name: subject_logon_id + string_index: 3 + - name: target_user_sid + string_index: 4 + - name: target_user_name + string_index: 5 + aliases: + - username + - name: target_domain_name + string_index: 6 + aliases: + - domain + - name: target_logon_id + string_index: 7 + aliases: + - logon_id + - name: logon_type + string_index: 8 + - name: logon_process_name + string_index: 9 + - name: authentication_package_name + string_index: 10 + - name: workstation_name + string_index: 11 + - name: logon_guid + string_index: 12 + - name: transmitted_services + string_index: 13 + - name: lm_package_name + string_index: 14 + - name: key_length + string_index: 15 + - name: process_id + string_index: 16 + - name: process_name + string_index: 17 + - name: ip_address + string_index: 18 + - name: ip_port + string_index: 19 + aliases: + - port + +## Windows Server 2012, Windows 8 +security_4624_v1: + source_name: + - Microsoft-Windows-Security-Auditing + provider_identifier: + - '{54849625-5478-4994-a5ba-3e3b0328c30d}' + event_identifier: 4624 + event_version: 1 + references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624 + mapping: + - name: subject_user_sid + string_index: 0 + - name: subject_user_name + string_index: 1 + aliases: + - subject_username + - name: subject_domain_name + string_index: 2 + aliases: + - subject_domain + - name: subject_logon_id + string_index: 3 + - name: target_user_sid + 
string_index: 4 + - name: target_user_name + string_index: 5 + aliases: + - username + - name: target_domain_name + string_index: 6 + aliases: + - domain + - name: target_logon_id + string_index: 7 + aliases: + - logon_id + - name: logon_type + string_index: 8 + - name: logon_process_name + string_index: 9 + - name: authentication_package_name + string_index: 10 + - name: workstation_name + string_index: 11 + - name: logon_guid + string_index: 12 + - name: transmitted_services + string_index: 13 + - name: lm_package_name + string_index: 14 + - name: key_length + string_index: 15 + - name: process_id + string_index: 16 + - name: process_name + string_index: 17 + - name: ip_address + string_index: 18 + - name: ip_port + string_index: 19 + aliases: + - port + - name: impersonation_level + string_index: 20 + +## Windows 10 +security_4624_v2: + source_name: + - Microsoft-Windows-Security-Auditing + provider_identifier: + - '{54849625-5478-4994-a5ba-3e3b0328c30d}' + event_identifier: 4624 + event_version: 2 + references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624 + mapping: + - name: subject_user_sid + string_index: 0 + - name: subject_user_name + string_index: 1 + aliases: + - subject_username + - name: subject_domain_name + string_index: 2 + aliases: + - subject_domain + - name: subject_logon_id + string_index: 3 + - name: target_user_sid + string_index: 4 + - name: target_user_name + string_index: 5 + aliases: + - username + - name: target_domain_name + string_index: 6 + aliases: + - domain + - name: target_logon_id + string_index: 7 + aliases: + - logon_id + - name: logon_type + string_index: 8 + - name: logon_process_name + string_index: 9 + - name: authentication_package_name + string_index: 10 + - name: workstation_name + string_index: 11 + - name: logon_guid + string_index: 12 + - name: transmitted_services + string_index: 13 + - name: lm_package_name + string_index: 14 + - name: key_length + string_index: 15 + - 
name: process_id + string_index: 16 + - name: process_name + string_index: 17 + - name: ip_address + string_index: 18 + - name: ip_port + string_index: 19 + aliases: + - port + - name: impersonation_level + string_index: 20 + - name: restricted_admin_mode + string_index: 21 + - name: target_outbound_user_name + string_index: 22 + - name: target_outbound_domain_name + string_index: 23 + - name: virtual_account + string_index: 24 + - name: target_linked_logon_id + string_index: 25 + - name: elevated_token + string_index: 26 + +# 4625: An account failed to log on. +security_4625_v0: + source_name: + - Microsoft-Windows-Security-Auditing + provider_identifier: + - '{54849625-5478-4994-a5ba-3e3b0328c30d}' + event_identifier: 4625 + event_version: 0 + references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 + mapping: + - name: subject_user_sid + string_index: 0 + - name: subject_user_name + string_index: 1 + aliases: + - subject_username + - name: subject_domain_name + string_index: 2 + aliases: + - subject_domain + - name: subject_logon_id + string_index: 3 + - name: target_user_sid + string_index: 4 + - name: target_user_name + string_index: 5 + aliases: + - username + - name: target_domain_name + string_index: 6 + aliases: + - domain + - name: status + string_index: 7 + - name: failure_reason + string_index: 8 + - name: sub_status + string_index: 9 + - name: logon_type + string_index: 10 + - name: logon_process_name + string_index: 11 + - name: authentication_package_name + string_index: 12 + - name: workstation_name + string_index: 13 + - name: transmitted_services + string_index: 14 + - name: lm_package_name + string_index: 15 + - name: key_length + string_index: 16 + - name: process_id + string_index: 17 + - name: process_name + string_index: 18 + - name: ip_address + string_index: 19 + - name: ip_port + string_index: 20 + aliases: + - port + +# 4634: An account was logged off. 
+security_4634_v0:
+  source_name:
+    - Microsoft-Windows-Security-Auditing
+  provider_identifier:
+    - '{54849625-5478-4994-A5BA-3E3B0328C30D}'
+  event_identifier: 4634
+  event_version: 0
+  references:
+    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634
+  mapping:
+    - name: target_user_sid
+      string_index: 0
+    - name: target_user_name
+      string_index: 1
+      aliases:
+        - username
+    - name: target_domain_name
+      string_index: 2
+      aliases:
+        - domain
+    - name: target_logon_id
+      string_index: 3
+      aliases:
+        - logon_id
+    - name: logon_type
+      string_index: 4
+
+# 4648: A logon was attempted using explicit credentials.
+security_4648_v0:
+  source_name:
+    - Microsoft-Windows-Security-Auditing
+  provider_identifier:
+    - '{54849625-5478-4994-A5BA-3E3B0328C30D}'
+  event_identifier: 4648
+  event_version: 0
+  references:
+    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648
+  mapping:
+    - name: subject_user_sid
+      string_index: 0
+    - name: subject_user_name
+      string_index: 1
+      aliases:
+        - subject_username
+    - name: subject_domain_name
+      string_index: 2
+      aliases:
+        - subject_domain
+    - name: subject_logon_id
+      string_index: 3
+    - name: logon_guid
+      string_index: 4
+    - name: target_user_name
+      string_index: 5
+      aliases:
+        - username
+    - name: target_domain_name
+      string_index: 6
+      aliases:
+        - domain
+    - name: target_logon_guid
+      string_index: 7
+    - name: target_server_name
+      string_index: 8
+    - name: target_info
+      string_index: 9
+    - name: process_id
+      string_index: 10
+    - name: process_name
+      string_index: 11
+    - name: ip_address
+      string_index: 12
+    - name: ip_port
+      string_index: 13
+      aliases:
+        - port
+
+# 4688: A new process has been created.
+## Windows Server 2008, Windows Vista.
+security_4688_v0:
+  source_name:
+    - Microsoft-Windows-Security-Auditing
+  provider_identifier:
+    - '{54849625-5478-4994-A5BA-3E3B0328C30D}'
+  event_identifier: 4688
+  event_version: 0
+  references:
+    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688
+  mapping:
+    - name: subject_user_sid
+      string_index: 0
+    - name: subject_user_name
+      string_index: 1
+      aliases:
+        - subject_username
+    - name: subject_logon_id
+      string_index: 2
+    - name: new_process_id
+      string_index: 3
+    - name: new_process_name
+      string_index: 4
+    - name: token_elevation_type
+      string_index: 5
+    - name: process_id
+      string_index: 6
+
+## Windows Server 2012 R2, Windows 8.1.
+security_4688_v1:
+  source_name:
+    - Microsoft-Windows-Security-Auditing
+  provider_identifier:
+    - '{54849625-5478-4994-A5BA-3E3B0328C30D}'
+  event_identifier: 4688
+  event_version: 1
+  references:
+    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688
+  mapping:
+    - name: subject_user_sid
+      string_index: 0
+    - name: subject_user_name
+      string_index: 1
+      aliases:
+        - subject_username
+    - name: subject_logon_id
+      string_index: 2
+    - name: new_process_id
+      string_index: 3
+    - name: new_process_name
+      string_index: 4
+    - name: token_elevation_type
+      string_index: 5
+    - name: process_id
+      string_index: 6
+    - name: command_line
+      string_index: 7
+
+## Windows 10
+security_4688_v2:
+  source_name:
+    - Microsoft-Windows-Security-Auditing
+  provider_identifier:
+    - '{54849625-5478-4994-A5BA-3E3B0328C30D}'
+  event_identifier: 4688
+  event_version: 2
+  references:
+    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688
+  mapping:
+    - name: subject_user_sid
+      string_index: 0
+    - name: subject_user_name
+      string_index: 1
+      aliases:
+        - subject_username
+    - name: subject_domain_name
+      string_index: 2
+      aliases:
+        - subject_domain
+    - name: subject_logon_id
+      string_index: 3
+    - name: new_process_id
+      string_index: 4
+      aliases:
+        - process_id
+    - name: new_process_name
+      string_index: 5
+      aliases:
+        - process_name
+    - name: token_elevation_type
+      string_index: 6
+    - name: process_id
+      string_index: 7
+    - name: command_line
+      string_index: 8
+    - name: target_user_sid
+      string_index: 9
+    - name: target_user_name
+      string_index: 10
+      aliases:
+        - username
+    - name: target_domain_name
+      string_index: 11
+      aliases:
+        - domain
+    - name: target_logon_id
+      string_index: 12
+      aliases:
+        - logon_id
+    - name: parent_process_name
+      string_index: 13
+    - name: mandatory_level
+      string_index: 14
+
+# 4720: A user account was created.
+security_4720_v0:
+  source_name:
+    - Microsoft-Windows-Security-Auditing
+  provider_identifier:
+    - '{54849625-5478-4994-A5BA-3E3B0328C30D}'
+  event_identifier: 4720
+  event_version: 0
+  references:
+    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720
+  mapping:
+    - name: target_user_name
+      string_index: 0
+    - name: target_domain_name
+      string_index: 1
+    - name: subject_user_sid
+      string_index: 2
+    - name: subject_user_name
+      string_index: 3
+      aliases:
+        - subject_username
+    - name: subject_domain_name
+      string_index: 4
+      aliases:
+        - subject_domain
+    - name: subject_logon_id
+      string_index: 5
+    - name: privilege_list
+      string_index: 6
+    - name: sam_account_name
+      string_index: 7
+      aliases:
+        - username
+    - name: display_name
+      string_index: 8
+    - name: user_principal_name
+      string_index: 9
+    - name: home_directory
+      string_index: 10
+    - name: home_path
+      string_index: 11
+    - name: script_path
+      string_index: 12
+    - name: profile_path
+      string_index: 13
+    - name: user_workstations
+      string_index: 14
+    - name: password_last_set
+      string_index: 15
+    - name: account_expires
+      string_index: 16
+    - name: primary_group_id
+      string_index: 17
+    - name: allowed_to_delegate_to
+      string_index: 18
+    - name: old_uac_value
+      string_index: 19
+    - name: new_uac_value
+      string_index: 20
+    - name: user_account_control
+      string_index: 21
+    - name: user_parameters
+      string_index: 22
+    - name: sid_history
+      string_index: 23
+    - name: logon_hours
+      string_index: 24
+
+# 4728: A member was added to a security-enabled global group
+security_4728_v0:
+  source_name:
+    - Microsoft-Windows-Security-Auditing
+  provider_identifier:
+    - '{54849625-5478-4994-A5BA-3E3B0328C30D}'
+  event_identifier: 4728
+  event_version: 0
+  references:
+    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
+    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732
+  mapping:
+    - name: member_name
+      string_index: 0
+    - name: member_sid
+      string_index: 1
+    - name: target_user_name
+      string_index: 2
+      aliases:
+        - username
+    - name: target_domain_name
+      string_index: 3
+      aliases:
+        - domain
+    - name: target_sid
+      string_index: 4
+    - name: subject_user_sid
+      string_index: 5
+    - name: subject_user_name
+      string_index: 6
+      aliases:
+        - subject_username
+    - name: subject_domain_name
+      string_index: 7
+      aliases:
+        - subject_domain
+    - name: subject_logon_id
+      string_index: 8
+    - name: privilege_list
+      string_index: 9
+
+# 4732: A member was added to a security-enabled local group
+security_4732_v0:
+  source_name:
+    - Microsoft-Windows-Security-Auditing
+  provider_identifier:
+    - '{54849625-5478-4994-A5BA-3E3B0328C30D}'
+  event_identifier: 4732
+  event_version: 0
+  references:
+    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732
+  mapping:
+    - name: member_name
+      string_index: 0
+    - name: member_sid
+      string_index: 1
+    - name: target_user_name
+      string_index: 2
+      aliases:
+        - username
+    - name: target_domain_name
+      string_index: 3
+      aliases:
+        - domain
+    - name: target_sid
+      string_index: 4
+    - name: subject_user_sid
+      string_index: 5
+    - name: subject_user_name
+      string_index: 6
+      aliases:
+        - subject_username
+    - name: subject_domain_name
+      string_index: 7
+      aliases:
+        - subject_domain
+    - name: subject_logon_id
+      string_index: 8
+    - name: privilege_list
+      string_index: 9
+
+# 7045: A new service was installed in the system.
+system_7045_v0:
+  source_name:
+    - 'Service Control Manager'
+  provider_identifier:
+    - '{555908d1-a6d7-4695-8e1e-26931d2012f4}'
+  event_identifier: 7045
+  event_version: 0
+  references:
+    - https://windows-event-explorer.app.elstc.co/publisher/Service%20Control%20Manager/event/7045/v0
+    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697
+  mapping:
+    - name: service_name
+      string_index: 0
+    - name: image_path
+      string_index: 1
+    - name: service_type
+      string_index: 2
+    - name: start_type
+      string_index: 3
+    - name: account_name
+      string_index: 4
+
+# Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Events
+## Event ID 21: Remote Desktop Services: Session logon succeeded
+terminal_services_21_v0:
+  source_name:
+    - Microsoft-Windows-TerminalServices-LocalSessionManager
+  provider_identifier:
+    - '{5d896912-022d-40aa-a3a8-4fa5515c76d7}'
+  event_identifier: 21
+  event_version: 0
+  references:
+    - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/ee891131(v=ws.10)"
+  mapping:
+    - name: user
+      string_index: 0
+    - name: session_id
+      string_index: 1
+    - name: source_network_address
+      string_index: 2
+      aliases:
+        - ip_address
+
+## Event ID 23: Remote Desktop Services: Session logoff succeeded
+terminal_services_23_v0:
+  source_name:
+    - Microsoft-Windows-TerminalServices-LocalSessionManager
+  provider_identifier:
+    - '{5d896912-022d-40aa-a3a8-4fa5515c76d7}'
+  event_identifier: 23
+  event_version: 0
+  references:
+    - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/ee907364(v=ws.10)"
+  mapping:
+    - name: user
+      string_index: 0
+    - name: session_id
+      string_index: 1
+
+## Event ID 24: Remote Desktop Services: Session has been disconnected
+terminal_services_24_v0:
+  source_name:
+    - Microsoft-Windows-TerminalServices-LocalSessionManager
+  provider_identifier:
+    - '{5d896912-022d-40aa-a3a8-4fa5515c76d7}'
+  event_identifier: 24
+  event_version: 0
+  references:
+    - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/ee907330(v=ws.10)"
+  mapping:
+    - name: user
+      string_index: 0
+    - name: session_id
+      string_index: 1
+    - name: source_network_address
+      string_index: 2
+      aliases:
+        - ip_address
+
+## Event ID 25: Remote Desktop Services: Session reconnection succeeded
+terminal_services_25_v0:
+  source_name:
+    - Microsoft-Windows-TerminalServices-LocalSessionManager
+  provider_identifier:
+    - '{5d896912-022d-40aa-a3a8-4fa5515c76d7}'
+  event_identifier: 25
+  event_version: 0
+  references:
+    - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/ee891126(v=ws.10)"
+  mapping:
+    - name: user
+      string_index: 0
+    - name: session_id
+      string_index: 1
+    - name: source_network_address
+      string_index: 2
+      aliases:
+        - ip_address
+
+## Event ID 39: Session has been disconnected by session
+terminal_services_39_v0:
+  source_name:
+    - Microsoft-Windows-TerminalServices-LocalSessionManager
+  provider_identifier:
+    - '{5d896912-022d-40aa-a3a8-4fa5515c76d7}'
+  event_identifier: 39
+  event_version: 0
+  references:
+    - "https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/#:~:text=NOT%20%E2%80%9CLOCAL%E2%80%9D.-,Event%20ID%3A%2039,-Provider%20Name%3A"
+  mapping:
+    - name: target_session_id
+      string_index: 0
+    - name: source_session_id
+      string_index: 1
+
+## Event ID 40: Session has been disconnected, reason code
+terminal_services_40_v0:
+  source_name:
+    - Microsoft-Windows-TerminalServices-LocalSessionManager
+  provider_identifier:
+    - '{5d896912-022d-40aa-a3a8-4fa5515c76d7}'
+  event_identifier: 40
+  event_version: 0
+  references:
+    - "https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/#:~:text=the%20RDP%20session.-,Event%20ID%3A%2040,-Provider%20Name%3A"
+  mapping:
+    - name: session_id
+      string_index: 0
+    - name: reason
+      string_index: 1
+
+# Microsoft-Windows-Bits-Client Events
+## Event ID 3: The BITS service created a new job.
+### Version 0 is used in win2k08
+bits_client_3_v0:
+  source_name:
+    - Microsoft-Windows-Bits-Client
+  provider_identifier:
+    - '{EF1CC15B-46C1-414E-BB95-E76B077BD51E}'
+  event_identifier: 3
+  event_version: 0
+  references:
+    - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734602(v=ws.10)"
+    - "https://github.com/nsacyber/Windows-Event-Log-Messages/blob/master/docs/Datasets.md"
+  mapping:
+    - name: job_title
+      string_index: 0
+    - name: job_owner
+      string_index: 1
+
+### Version 1
+bits_client_3_v0:
+  source_name:
+    - Microsoft-Windows-Bits-Client
+  provider_identifier:
+    - '{EF1CC15B-46C1-414E-BB95-E76B077BD51E}'
+  event_identifier: 3
+  event_version: 1
+  references:
+    - "https://github.com/nsacyber/Windows-Event-Log-Messages/blob/master/docs/Datasets.md"
+  mapping:
+    - name: job_title
+      string_index: 0
+    - name: job_id
+      string_index: 1
+    - name: job_owner
+      string_index: 2
+
+### Version 2 is used in win2k16
+bits_client_3_v2:
+  source_name:
+    - Microsoft-Windows-Bits-Client
+  provider_identifier:
+    - '{EF1CC15B-46C1-414E-BB95-E76B077BD51E}'
+  event_identifier: 3
+  event_version: 2
+  references:
+    - "https://community.microfocus.com/cfs-file/__key/communityserver-wikis-components-files/00-00-00-00-23/MSWinBITSClientEvtLogs.pdf"
+    - "https://github.com/nsacyber/Windows-Event-Log-Messages/blob/master/docs/Datasets.md"
+  mapping:
+    - name: job_title
+      string_index: 0
+    - name: job_id
+      string_index: 1
+    - name: job_owner
+      string_index: 2
+    - name: process_path
+      string_index: 3
+    - name: process_id
+      string_index: 4
+
+### Version 3 is used in win2k19 and win2k22.
+bits_client_3_v3:
+  source_name:
+    - Microsoft-Windows-Bits-Client
+  provider_identifier:
+    - '{ef1cc15b-46c1-414e-bb95-e76b077bd51e}'
+  event_identifier: 3
+  event_version: 3
+  references:
+    - "https://community.microfocus.com/cfs-file/__key/communityserver-wikis-components-files/00-00-00-00-23/MSWinBITSClientEvtLogs.pdf"
+    - "https://github.com/nsacyber/Windows-Event-Log-Messages/blob/master/docs/Datasets.md"
+  mapping:
+    - name: job_title
+      string_index: 0
+    - name: job_id
+      string_index: 1
+    - name: job_owner
+      string_index: 2
+    - name: process_path
+      string_index: 3
+    - name: process_id
+      string_index: 4
+    - name: client_process_start_key
+      string_index: 5
+
+## EventID 4: BITS transfer job is complete.
+### Version 1 is used by win2k8 to win2k22
+bits_client_4_v1:
+  source_name:
+    - Microsoft-Windows-Bits-Client
+  provider_identifier:
+    - '{ef1cc15b-46c1-414e-bb95-e76b077bd51e}'
+  event_identifier: 4
+  event_version: 1
+  references:
+    - "https://community.microfocus.com/cfs-file/__key/communityserver-wikis-components-files/00-00-00-00-23/MSWinBITSClientEvtLogs.pdf"
+    - "https://github.com/nsacyber/Windows-Event-Log-Messages/blob/master/docs/Datasets.md"
+  mapping:
+    - name: user
+      string_index: 0
+    - name: job_title
+      string_index: 1
+    - name: job_id
+      string_index: 2
+    - name: job_owner
+      string_index: 3
+    - name: file_count
+      string_index: 4
+    - name: bytes_transferred
+      string_index: 5
+      aliases:
+        - bytes_out
+    - name: bytes_transferred_from_peer
+      string_index: 6
+      aliases:
+        - bytes_in
+
+## Event ID 59: BITS started the transfer job.
+### Version 1 is used in win2k16, win2k19, and win2k22
+bits_client_59_v1:
+  source_name:
+    - Microsoft-Windows-Bits-Client
+  provider_identifier:
+    - '{ef1cc15b-46c1-414e-bb95-e76b077bd51e}'
+  event_identifier: 59
+  event_version: 1
+  references:
+    - "https://www.mandiant.com/resources/blog/attacker-use-of-windows-background-intelligent-transfer-service"
+    - "https://community.microfocus.com/cfs-file/__key/communityserver-wikis-components-files/00-00-00-00-23/MSWinBITSClientEvtLogs.pdf"
+    - "https://github.com/nsacyber/Windows-Event-Log-Messages/blob/master/docs/Datasets.md"
+  mapping:
+    - name: transfer_id
+      string_index: 0
+    - name: name
+      string_index: 1
+    - name: id
+      string_index: 2
+    - name: url
+      string_index: 3
+    - name: peer
+      string_index: 4
+    - name: file_time
+      string_index: 5
+    - name: file_length
+      string_index: 6
+    - name: bytes_total
+      string_index: 7
+    - name: bytes_transferred
+      string_index: 8
+      aliases:
+        - bytes_out
+    - name: bytes_transferred_from_peer
+      string_index: 9
+      aliases:
+        - bytes_in
+
+## Event ID 60: BITS stopped transferring the transfer job.
+bits_client_60_v1:
+  source_name:
+    - Microsoft-Windows-Bits-Client
+  provider_identifier:
+    - '{ef1cc15b-46c1-414e-bb95-e76b077bd51e}'
+  event_identifier: 60
+  event_version: 1
+  references:
+    - "https://www.mandiant.com/resources/blog/attacker-use-of-windows-background-intelligent-transfer-service"
+    - "https://community.microfocus.com/cfs-file/__key/communityserver-wikis-components-files/00-00-00-00-23/MSWinBITSClientEvtLogs.pdf"
+    - "https://github.com/nsacyber/Windows-Event-Log-Messages/blob/master/docs/Datasets.md"
+  mapping:
+    - name: transfer_id
+      string_index: 0
+    - name: name
+      string_index: 1
+    - name: id
+      string_index: 2
+    - name: url
+      string_index: 3
+    - name: peer
+      string_index: 4
+    - name: hr
+      string_index: 5
+    - name: file_time
+      string_index: 6
+      aliases:
+        - file_create_time
+    - name: file_length
+      string_index: 7
+      aliases:
+        - file_size
+    - name: bytes_total
+      string_index: 8
+    - name: bytes_transferred
+      string_index: 9
+      aliases:
+        - bytes_out
+    - name: proxy
+      string_index: 10
+    - name: peer_protocol_flag
+      string_index: 11
+    - name: bytes_transferred_from_peer
+      string_index: 12
+      aliases:
+        - bytes_in
+    - name: additional_info_hr
+      string_index: 13
+    - name: peer_context_info
+      string_index: 14
+    - name: bandwidth_limit
+      string_index: 15
+    - name: ignore_bandwidth_limits_on_lan
+      string_index: 16
+
diff --git a/charts/timesketch/templates/_helpers.tpl b/charts/timesketch/templates/_helpers.tpl
new file mode 100644
index 0000000..c576378
--- /dev/null
+++ b/charts/timesketch/templates/_helpers.tpl
@@ -0,0 +1,56 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "timesketch.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "timesketch.fullname" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "timesketch.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "timesketch.labels" -}}
+helm.sh/chart: {{ include "timesketch.chart" . }}
+{{ include "timesketch.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+date: "{{ now | htmlDate }}"
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "timesketch.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "timesketch.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Timesketch service port
+*/}}
+{{- define "timesketch.service.port" -}}
+{{- if .Values.global.timesketch.servicePort -}}
+{{ .Values.global.timesketch.servicePort }}
+{{- else -}}
+{{ .Values.service.port }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the upload path.
+*/}}
+{{- define "timesketch.uploadPath" -}}
+{{- printf "/data/upload" }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/timesketch/templates/configuration-timesketch.yaml b/charts/timesketch/templates/configuration-timesketch.yaml
new file mode 100644
index 0000000..30cfa5f
--- /dev/null
+++ b/charts/timesketch/templates/configuration-timesketch.yaml
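Review bot: `timesketch.fullname` is a verbatim copy of `timesketch.name` — it never folds in `.Release.Name` and has no `fullnameOverride` path, so two releases of this chart in one namespace render identically named Deployments, Services, PVCs and ServiceAccounts and overwrite each other. The usual body is `{{- $name := default .Chart.Name .Values.nameOverride }}{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}`, optionally preceded by an `if .Values.fullnameOverride` branch. Separately, `timesketch.service.port` dereferences `.Values.global.timesketch.servicePort` and `.Values.service.port`, neither of which the chart's values.yaml defines, so including it would fail on a nil map; none of the templates in this commit include it, and `timesketch.uploadPath` returns `/data/upload` while the Deployments mount `/data/uploads`, so both helpers look like dead or stale code.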
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "timesketch.fullname" . }}-configs
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "timesketch.labels" . | nindent 4 }}
+data:
+  {{- (.Files.Glob "configs/**.{yaml,mappings}").AsConfig | nindent 2 }}
\ No newline at end of file
diff --git a/charts/timesketch/templates/db-init.yaml b/charts/timesketch/templates/db-init.yaml
new file mode 100644
index 0000000..e500a58
--- /dev/null
+++ b/charts/timesketch/templates/db-init.yaml
@@ -0,0 +1,20 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "timesketch.fullname" . }}-db-init
+  labels:
+    {{- include "timesketch.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: general-db-init
+          image: "{{ .Values.initContainers.dbInit.image.repository }}:{{ .Values.initContainers.dbInit.image.tag }}"
+          envFrom:
+            - secretRef:
+                name: {{ .Values.postgres.secretName }}
+  backoffLimit: 3
\ No newline at end of file
diff --git a/charts/timesketch/templates/deployment-frontend.yaml b/charts/timesketch/templates/deployment-frontend.yaml
new file mode 100644
index 0000000..f761f16
--- /dev/null
+++ b/charts/timesketch/templates/deployment-frontend.yaml
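Review bot: `.Files.Glob "configs/**.{yaml,mappings}"` also matches files in nested directories under `configs/`, but `AsConfig` keys the ConfigMap by base file name, so two files with the same name in different subdirectories would silently collapse into one entry. If nesting is not intended, `configs/*.{yaml,mappings}` says so; otherwise a comment above `data:` such as `# AsConfig keys by basename: file names under configs/ must be unique` records the constraint for whoever adds the next config file.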
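Review bot: The hook Job takes its database credentials from `.Values.postgres.secretName`, while values.yaml ships a separate `initContainers.dbInit.envFrom` list that this template never reads, so an operator who edits that list gets no effect. Either render it (`{{- toYaml .Values.initContainers.dbInit.envFrom | nindent 12 }}` in place of the hard-coded `secretRef`) or drop the key from values.yaml. The container also runs with no `securityContext` and no `resources`, unlike the frontend and worker pods, and the hook is `pre-install` only, so whatever the init image does is never re-run on `helm upgrade`; `pre-install,pre-upgrade` is the usual annotation if the image is idempotent (confirm for the pinned `postgres-init` tag).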
@@ -0,0 +1,93 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "timesketch.fullname" . }}-frontend
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app.kubernetes.io/component: frontend
+    {{- include "timesketch.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: frontend
+      {{- include "timesketch.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        # Have Deployment restart after each upgrade
+        roll: {{ randAlphaNum 5 | quote }}
+        prometheus.io/port: {{ .Values.metrics.port | quote }}
+        prometheus.io/scrape: "true"
+      labels:
+        app.kubernetes.io/component: frontend
+        {{- include "timesketch.selectorLabels" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ include "timesketch.fullname" . }}
+      securityContext:
+        {{- toYaml .Values.frontend.podSecurityContext | nindent 8 }}
+      containers:
+        - name: frontend
+          securityContext:
+            {{- toYaml .Values.frontend.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command: ["sh", "-c", "gunicorn --bind 0.0.0.0:5000 --log-file - \
+            --error-logfile - --log-level info \
+            --capture-output --timeout 600 --limit-request-line 8190 \
+            --workers 4 timesketch.wsgi:application"]
+          lifecycle:
+            postStart:
+              exec:
+                command: ["/bin/sh", "-c", "tsctl create-user $TIMESKETCH_USER_USERNAME --password $TIMESKETCH_USER_PASSWORD"]
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+                  apiVersion: v1
+            - name: TIMESKETCH_USER_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.existingUserSecret }}
+                  key: TIMESKETCH_USER_USERNAME
+            - name: TIMESKETCH_USER_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.existingUserSecret }}
+                  key: TIMESKETCH_USER_PASSWORD
+          volumeMounts:
+            - name: upload-volume
+              mountPath: /data/uploads
+              subPath: uploads
+            - name: timesketch-default-configs
+              mountPath: /config
+              readOnly: true
+            - name: timesketch-conf
+              mountPath: /etc/timesketch.conf
+              subPath: timesketch.conf
+              readOnly: true
+          ports:
+            - containerPort: {{ .Values.metrics.port }}
+            - containerPort: 5000
+          resources:
+            {{- toYaml .Values.frontend.resources | nindent 12 }}
+      volumes:
+        - name: upload-volume
+          persistentVolumeClaim:
+            claimName: {{ include "timesketch.fullname" . }}-upload
+            readOnly: false
+        - name: timesketch-default-configs
+          configMap:
+            name: {{ include "timesketch.fullname" . }}-configs
+            optional: true
+        - name: timesketch-conf
+          secret:
+            secretName: {{ .Values.config.existingConfSecret }}
+            optional: true
+      nodeSelector:
+        {{- toYaml .Values.frontend.nodeSelector | nindent 8 }}
+      affinity:
+        {{- toYaml .Values.frontend.affinity | nindent 8 }}
+      tolerations:
+        {{- toYaml .Values.frontend.tolerations | nindent 8 }}
diff --git a/charts/timesketch/templates/deployment-worker.yaml b/charts/timesketch/templates/deployment-worker.yaml
new file mode 100644
index 0000000..7025521
--- /dev/null
+++ b/charts/timesketch/templates/deployment-worker.yaml
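Review bot: The `postStart` hook passes `$TIMESKETCH_USER_PASSWORD` to `tsctl create-user` as a command-line argument, which exposes the secret in the container's process table and in anything that records exec arguments (audit logging, crash dumps) for the lifetime of the command; it also runs unconditionally on every container start, ignoring the `config.createUser` flag that values.yaml defines. Gating the hook on `{{- if .Values.config.createUser }}` and keeping the password out of argv (a `tsctl` invocation that reads it from stdin or a prompt, if the pinned image offers one — confirm) addresses both. Two smaller inconsistencies: the `timesketch-conf` volume is `optional: true` here but `optional: false` in the worker Deployment, so a missing config secret lets the frontend start without `/etc/timesketch.conf` while the worker fails fast, and both `securityContext` blocks render from empty maps in values.yaml, so the container runs with the image's defaults.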
@@ -0,0 +1,89 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "timesketch.fullname" . }}-worker
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app.kubernetes.io/component: worker
+    {{- include "timesketch.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: worker
+      {{- include "timesketch.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        # Have Deployment restart after each upgrade
+        roll: {{ randAlphaNum 5 | quote }}
+        prometheus.io/port: {{ .Values.metrics.port | quote }}
+        prometheus.io/scrape: "true"
+      labels:
+        app.kubernetes.io/component: worker
+        {{- include "timesketch.selectorLabels" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ include "timesketch.fullname" . }}
+      securityContext:
+        {{- toYaml .Values.worker.podSecurityContext | nindent 8 }}
+      containers:
+        - name: worker
+          securityContext:
+            {{- toYaml .Values.worker.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command: ["sh", "-c", "celery -A timesketch.lib.tasks worker \
+            --loglevel=DEBUG"]
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+                  apiVersion: v1
+            - name: WORKER_LOG_LEVEL
+              value: "DEBUG"
+            - name: TIMESKETCH_USER_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.existingUserSecret }}
+                  key: TIMESKETCH_USER_USERNAME
+            - name: TIMESKETCH_USER_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.existingUserSecret }}
+                  key: TIMESKETCH_USER_PASSWORD
+          volumeMounts:
+            - name: upload-volume
+              mountPath: /data/uploads
+              subPath: uploads
+            - name: timesketch-default-configs
+              mountPath: /config
+              readOnly: true
+            - name: timesketch-conf
+              mountPath: /etc/timesketch.conf
+              subPath: timesketch.conf
+              readOnly: true
+          ports:
+            - containerPort: {{ .Values.metrics.port }}
+            - containerPort: 5000
+          resources:
+            {{- toYaml .Values.worker.resources | nindent 12 }}
+      volumes:
+        - name: upload-volume
+          persistentVolumeClaim:
+            claimName: {{ include "timesketch.fullname" . }}-upload
+            readOnly: false
+        - name: timesketch-default-configs
+          configMap:
+            name: {{ include "timesketch.fullname" . }}-configs
+            optional: true
+        - name: timesketch-conf
+          secret:
+            secretName: {{ .Values.config.existingConfSecret }}
+            optional: false
+      nodeSelector:
+        {{- toYaml .Values.worker.nodeSelector | nindent 8 }}
+      affinity:
+        {{- toYaml .Values.worker.affinity | nindent 8 }}
+      tolerations:
+        {{- toYaml .Values.worker.tolerations | nindent 8 }}
diff --git a/charts/timesketch/templates/pvc.yaml b/charts/timesketch/templates/pvc.yaml
new file mode 100644
index 0000000..688eb6e
--- /dev/null
+++ b/charts/timesketch/templates/pvc.yaml
@@ -0,0 +1,20 @@
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ include "timesketch.fullname" . }}-upload
+  labels:
+    {{- include "timesketch.labels" . | nindent 4 }}
+spec:
+  accessModes:
+    - {{ .Values.upload.persistence.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.upload.persistence.size | quote }}
+{{- if .Values.upload.persistence.storageClass }}
+{{- if (eq "-" .Values.upload.persistence.storageClass) }}
+  storageClassName: ""
+{{- else }}
+  storageClassName: "{{ .Values.upload.persistence.storageClass }}"
+{{- end }}
+{{- end }}
diff --git a/charts/timesketch/templates/service.yaml b/charts/timesketch/templates/service.yaml
new file mode 100644
index 0000000..142052d
--- /dev/null
+++ b/charts/timesketch/templates/service.yaml
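Review bot: The worker Deployment is largely a copy of the frontend one and carries settings that do not belong on a Celery worker: it receives `TIMESKETCH_USER_USERNAME`/`TIMESKETCH_USER_PASSWORD` from the user secret although nothing in its command uses them, it declares `containerPort: 5000` and the Prometheus scrape annotations although no HTTP server is started, and it ships `--loglevel=DEBUG` plus `WORKER_LOG_LEVEL: "DEBUG"` as the default. Dropping the two unused secret env vars keeps the credential off a pod that does not need it, and the log level is worth turning into a value (`--loglevel={{ .Values.worker.logLevel | default "INFO" }}`) because DEBUG-level Celery output can carry task arguments, i.e. analyst-uploaded content, into the log pipeline. The `timesketch-conf` volume is `optional: false` here but `optional: true` in the frontend; the two should agree.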
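Review bot: values.yaml declares `upload.persistence.persistentVolumeClaim: timesketch-upload`, but this template always creates a claim named `{{ include "timesketch.fullname" . }}-upload` and both Deployments hard-code that same `claimName`, so the value is never consulted and an operator who points it at an existing claim silently gets a fresh empty volume instead. Either honour it — wrap this resource in `{{- if not .Values.upload.persistence.persistentVolumeClaim }}` and use the value as `claimName` in the Deployments when set — or remove the key from values.yaml.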
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "timesketch.fullname" . }}-frontend
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "timesketch.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: 8080
+      protocol: TCP
+      targetPort: 5000
+  selector:
+    app.kubernetes.io/component: frontend
+    {{- include "timesketch.selectorLabels" . | nindent 4 }}
\ No newline at end of file
diff --git a/charts/timesketch/templates/serviceaccount.yaml b/charts/timesketch/templates/serviceaccount.yaml
new file mode 100644
index 0000000..29eefaa
--- /dev/null
+++ b/charts/timesketch/templates/serviceaccount.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "timesketch.fullname" . }}
+  labels:
+    {{- include "timesketch.labels" . | nindent 4 }}
\ No newline at end of file
diff --git a/charts/timesketch/tests/values.yaml b/charts/timesketch/tests/values.yaml
new file mode 100644
index 0000000..224a0c7
--- /dev/null
+++ b/charts/timesketch/tests/values.yaml
@@ -0,0 +1,31 @@
+config:
+  externalUrl: https://cache.example.com/
+
+persistence:
+  existingClaim: attic
+
+initContainers:
+  dbInit:
+    image:
+      repository: ghcr.io/onedr0p/postgres-init
+      tag: "16"
+    envFrom:
+      - secretRef:
+          name: attic-secret
+
+envFromSecret: attic-secret
+
+image:
+  repository: ghcr.io/zhaofengli/attic
+  tag: 4dbdbee45728d8ce5788db6461aaaa89d98081f0
+
+postgres:
+  secretName: attic-secret
+
+resources:
+  limits:
+    memory: "3Gi"
+    cpu: "1000m"
+# requests:
+#   cpu: 100m
+#   memory: 250Mi
diff --git a/charts/timesketch/values.yaml b/charts/timesketch/values.yaml
new file mode 100644
index 0000000..3989524
--- /dev/null
+++ b/charts/timesketch/values.yaml
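Review bot: The Service hard-codes `port: 8080` although `_helpers.tpl` in this same commit defines a `timesketch.service.port` helper for exactly this field. If the port is meant to be configurable, use `port: {{ include "timesketch.service.port" . }}` here and add the `service.port` key the helper reads to values.yaml (it is currently undefined, so the helper would fail as written); if not, the helper is dead code and should go.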
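Review bot: This ServiceAccount is attached to both the frontend and worker pods through `serviceAccountName`, but nothing in their shipped commands suggests either workload talks to the Kubernetes API, so the projected token mounted into every pod is an unneeded credential. Adding `automountServiceAccountToken: false` to this resource (or to both pod specs) removes it; no RBAC is bound to the account in this commit, which is the right default to keep.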
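Review bot: These test values appear to be copied from a different chart: `image.repository` points at `ghcr.io/zhaofengli/attic`, `externalUrl` is `https://cache.example.com/`, and `persistence.existingClaim`, `envFromSecret` and the `attic-secret` names are keys no template in this commit reads, while the keys the templates do require (`config.existingConfSecret`, `config.existingUserSecret`, `upload.persistence.*`, `metrics.port`, `image.pullPolicy`) are absent, so rendering with only this file would fail or produce empty fields. A `helm template` run against it therefore does not exercise the Timesketch templates; the file should mirror the structure of `values.yaml` with only test-specific overrides.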
@@ -0,0 +1,50 @@
+config:
+  externalUrl: https://timesketch.example.com/
+  existingConfSecret: timesketch-conf
+  existingUserSecret: timesketch-user
+  createUser: true
+
+initContainers:
+  dbInit:
+    image:
+      repository: ghcr.io/onedr0p/postgres-init
+      tag: "16"
+    envFrom:
+      - secretRef:
+          name: timesketch-secret
+
+image:
+  repository: us-docker.pkg.dev/osdfir-registry/timesketch/timesketch
+  pullPolicy: IfNotPresent
+  tag: "20240508"
+  imagePullSecrets: []
+
+worker:
+  podSecurityContext: {}
+  securityContext: {}
+
+frontend:
+  podSecurityContext: {}
+  securityContext: {}
+
+postgres:
+  secretName: timesketch-secret
+
+upload:
+  persistence:
+    accessMode: ReadWriteMany
+    size: 10Gi
+    storageClass: ceph-filesystem
+    persistentVolumeClaim: timesketch-upload
+
+resources:
+  limits:
+    memory: "3Gi"
+    cpu: "1000m"
+  requests:
+    cpu: 100m
+    memory: 250Mi
+
+metrics:
+  enabled: true
+  port: 9001
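Review bot: The top-level `resources` block (memory/CPU limits and requests) is never consumed: the Deployments render `.Values.frontend.resources` and `.Values.worker.resources`, which this file does not define, so both pods get `resources:` rendered from nil and run with no limits at all despite what this file suggests. Moving the block under `frontend:` and `worker:` (or having the templates fall back to the top-level one) restores the limits. Likewise `initContainers.dbInit.envFrom`, `config.createUser`, `upload.persistence.persistentVolumeClaim` and `image.imagePullSecrets` are declared here but read by no template in this commit, and the `podSecurityContext`/`securityContext` defaults of `{}` mean the containers run with the image's defaults — a `runAsNonRoot: true` / `allowPrivilegeEscalation: false` baseline is worth considering if the pinned image supports running unprivileged (confirm).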