/artifacts/definitions/Windows/EventLogs/Symantec.yaml

https://github.com/Velocidex/velociraptor · YAML · 55 lines · 49 code · 6 blank · 0 comment · 0 complexity · 2c5d11f7406b361fdb0370ac1407d309 MD5 · raw file 

    

  1. name: Windows.EventLogs.Symantec
    2. 

  2. description: |
    3. 

  3.   Query the Symantec Endpoint Protection Event Logs. The default artifact will 
    4. 

  4.   return EventId 51 and high value strings with goals bubble up some events for 
    5. 

  5.   triage.
    6. 

  6.   
    7. 

  7.   Note:  
    8. 

  8.   EventID selection is controlled by regex to allow multiple EID selections.  
    9. 

  9.   If running a hunt, consider also hunting EventId 45 - Tamper Protection 
    10. 

  10.   Detection (this will be noisy so whitelist is required).  
    11. 

  11.   IgnoreRegex allows filtering out events relevant to the target environment.  
    12. 

  12.   
    13. 

  13. reference: 
    14. 

  14.     - https://www.nextron-systems.com/wp-content/uploads/2019/10/Antivirus_Event_Analysis_CheatSheet_1.7.2.pdf
    15. 

  15.   
    16. 

  16. author: Matt Green - @mgreen27
    17. 

  17. 

  18. parameters:
    19. 

  19.   - name: SymantecEventLog
    20. 

  20.     default: C:\Windows\system32\winevt\logs\Symantec Endpoint Protection Client.evtx
    21. 

  21.   - name: RegexEventIds
    22. 

  22.     description: "Regex of Event IDs to hunt for. Consider EID 45 for Tamper Protection Detection"
    23. 

  23.     default: ^51$
    24. 

  24.   - name: TargetRegex
    25. 

  25.     description: "Regex to hunt for - default is high value SEP detections"
    26. 

  26.     default: "Infostealer|Hacktool|Mimi|SecurityRisk|WinCredEd|NetCat|Backdoor|Pwdump|SuperScan|XScan|PasswordRevealer|Trojan|Malscript|Agent|Malware|Exploit|webshell|cobalt|Mpreter|sploit|Meterpreter|RAR|7z|encrypted|tsclient|PerfLogs" 
    27. 

  27.   - name: IgnoreRegex
    28. 

  28.     description: "Regex to ignore events with EventData strings matching."
    29. 

  29.   - name: DateAfter
    30. 

  30.     type: timestamp
    31. 

  31.     description: "search for events after this date. YYYY-MM-DDTmm:hh:ssZ"
    32. 

  32.   - name: DateBefore
    33. 

  33.     type: timestamp
    34. 

  34.     description: "search for events before this date. YYYY-MM-DDTmm:hh:ssZ"
    35. 

  35.     
    36. 

  36. sources:
    37. 

  37.     - queries:
    38. 

  38.       - LET DateAfterTime <= if(condition=DateAfter, 
    39. 

  39.             then=timestamp(epoch=DateAfter), else=timestamp(epoch="1600-01-01"))
    40. 

  40.       - LET DateBeforeTime <= if(condition=DateBefore, 
    41. 

  41.             then=timestamp(epoch=DateBefore), else=timestamp(epoch="2200-01-01"))
    42. 

  42.       - SELECT timestamp(epoch=System.TimeCreated.SystemTime) As EventTime,
    43. 

  43.               System.EventID.Value as EventId,
    44. 

  44.               System.Computer as Computer,
    45. 

  45.               EventData.Data[0] as EventData
    46. 

  46.         FROM parse_evtx(filename=SymantecEventLog)
    47. 

  47.         WHERE
    48. 

  48.             EventTime < DateBeforeTime AND
    49. 

  49.             EventTime > DateAfterTime AND
    50. 

  50.             format(format="%v",args=System.EventID.Value) =~ RegexEventIds AND
    51. 

  51.             EventData =~ TargetRegex AND
    52. 

  52.             if(condition=IgnoreRegex, 
    53. 

  53.                 then= NOT EventData=~IgnoreRegex, 
    54. 

  54.                 else= True)
    55.