/// <summary>
/// Builds a process-creation device event from a raw event record (presumably a
/// Windows security-log process-creation record; confirm with the producer).
/// Every process attribute is extracted from the record's message text; only the
/// timestamp comes from a separate field.
/// </summary>
/// <param name="ev">Raw event fields keyed by field name. Must contain
/// <c>MessageFieldName</c> and <c>TimeGeneratedFieldName</c>; a missing key surfaces
/// as <see cref="KeyNotFoundException"/>.</param>
/// <returns>A <see cref="ProcessCreate"/> event wrapping the converted payload.</returns>
private IEvent GetProcessCreationEvent(Dictionary <string, string> ev)
        {
            var message = ev[MessageFieldName];

            var rawCommandLine = GetEventPropertyFromMessage(message, NewProcessCommandLineFieldName);
            var processName    = GetEventPropertyFromMessage(message, ProcessNameFieldName);

            // Process ids are hexadecimal text in the message, hence base 16.
            var processId       = Convert.ToUInt32(GetEventPropertyFromMessage(message, ProcessIdFieldName), 16);
            var parentProcessId = Convert.ToUInt32(GetEventPropertyFromMessage(message, CreatorProcessIdFieldName), 16);

            // The account/SID fields are looked up at occurrence 0 and occurrence 1;
            // occurrence 1 is presumably the subject of the new process and occurrence 0
            // its creator — confirm against the layout GetEventPropertyFromMessage parses.
            var userName = GetEventPropertyFromMessage(message, AccountNameFieldName, 1);
            var userId   = GetEventPropertyFromMessage(message, LogonIdFieldName);

            // NOTE(review): culture-sensitive parse of the generated-time text — confirm the
            // producer's format matches the host culture, or parse with an explicit culture.
            var time = DateTime.Parse(ev[TimeGeneratedFieldName]);

            // Creator (occurrence 0) and target (occurrence 1) identity, plus the token
            // attributes, are carried verbatim so downstream consumers can inspect them.
            var extraDetails = new Dictionary <string, string>();
            extraDetails.Add($"CREATOR_{SecurityIdFieldName}", GetEventPropertyFromMessage(message, SecurityIdFieldName));
            extraDetails.Add($"CREATOR_{AccountDomainFieldName}", GetEventPropertyFromMessage(message, AccountDomainFieldName));
            extraDetails.Add($"CREATOR_{AccountNameFieldName}", GetEventPropertyFromMessage(message, AccountNameFieldName));
            extraDetails.Add($"TARGET_{SecurityIdFieldName}", GetEventPropertyFromMessage(message, SecurityIdFieldName, 1));
            extraDetails.Add($"TARGET_{AccountDomainFieldName}", GetEventPropertyFromMessage(message, AccountDomainFieldName, 1));
            extraDetails.Add($"TARGET_{AccountNameFieldName}", GetEventPropertyFromMessage(message, AccountNameFieldName, 1));
            extraDetails.Add($"TARGET_{LogonIdFieldName}", GetEventPropertyFromMessage(message, LogonIdFieldName, 1));
            extraDetails.Add(TokenElevationTypeFieldName, GetEventPropertyFromMessage(message, TokenElevationTypeFieldName));
            extraDetails.Add(MandatoryLabelFieldName, GetEventPropertyFromMessage(message, MandatoryLabelFieldName));

            // A blank command line (e.g. when command-line capture is not enabled on the
            // host) falls back to the executable path so the field is never empty.
            var commandLine = string.IsNullOrWhiteSpace(rawCommandLine) ? processName : rawCommandLine;

            var payload = new ProcessCreationPayload
            {
                Executable      = processName,
                ProcessId       = processId,
                ParentProcessId = parentProcessId,
                UserName        = userName,
                UserId          = userId,
                CommandLine     = commandLine,
                Time            = time,
                ExtraDetails    = extraDetails
            };

            return new ProcessCreate(AgentConfiguration.GetEventPriority <ProcessCreate>(), payload);
        }
        /// <summary>
        /// Builds a process-creation device event from a parsed audit record.
        /// </summary>
        /// <param name="auditEvent">Audit record whose command line, executable, process id,
        /// parent process id, user id and UTC timestamp are read.</param>
        /// <returns>A <see cref="ProcessCreate"/> event, at this source's <c>Priority</c>,
        /// wrapping the converted payload.</returns>
        private IEvent AuditEventToDeviceEvent(AuditEvent auditEvent)
        {
            // The command line may arrive hex-encoded (presumably the audit subsystem's
            // escaping of fields with special characters — confirm); decode it to UTF-8
            // text when it is, otherwise it is passed through unchanged.
            var rawCommandLine = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.CommandLine);
            var commandLine    = EncodedAuditFieldsUtils.DecodeHexStringIfNeeded(rawCommandLine, Encoding.UTF8);

            var executable = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.Executable);

            // Process ids are decimal text here (default base for Convert.ToUInt32).
            var processId       = Convert.ToUInt32(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ProcessId));
            var parentProcessId = Convert.ToUInt32(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ParentProcessId));

            var time   = auditEvent.TimeUTC;
            var userId = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.UserId);

            var payload = new ProcessCreationPayload
            {
                CommandLine     = commandLine,
                Executable      = executable,
                ProcessId       = processId,
                ParentProcessId = parentProcessId,
                Time            = time,
                UserId          = userId
            };

            return new ProcessCreate(Priority, payload);
        }
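        /// <summary>
        /// Schema smoke test: a fully populated <see cref="ProcessCreationPayload"/> wrapped
        /// in a <c>ProcessCreate</c> event is expected to pass <c>ValidateSchema</c>.
        /// </summary>
        public void ProcessCreate()
        {
            var payload = new ProcessCreationPayload
            {
                // Verbatim literal: in a regular string "c:\app.exe" the "\a" is the BEL
                // escape, so the fixture was "c:<BEL>pp.exe" rather than a Windows path.
                CommandLine     = @"c:\app.exe",
                Executable      = "app.exe",
                ParentProcessId = 34,
                ProcessId       = 56,
                // Wall-clock time is acceptable here: only the schema, not the value, is checked.
                Time            = DateTime.UtcNow,
                UserId          = "admin",
                UserName        = "******"
            };

            var obj = new ProcessCreate(EventPriority.Low, payload);

            // No explicit assertion follows; the test presumably relies on ValidateSchema
            // raising on a violation — confirm.
            obj.ValidateSchema();
        }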
        /// <summary>
        /// Builds a process-creation device event from a parsed audit record, attaching the
        /// cached hash of the executable under the <c>"Hash"</c> extra-detail key when one is known.
        /// </summary>
        /// <param name="auditEvent">Audit record whose command line, executable, process id,
        /// parent process id, user id and UTC timestamp are read.</param>
        /// <returns>A <see cref="ProcessCreate"/> event, at this source's <c>Priority</c>,
        /// wrapping the converted payload.</returns>
        private IEvent AuditEventToDeviceEvent(AuditEvent auditEvent)
        {
            var executable = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.Executable);

            // executableHash is consulted by executable value; a miss yields an empty hash so
            // the "Hash" key is always present. NOTE(review): keyed by path only, so the hash
            // presumably reflects whatever was last recorded for that path rather than the
            // exact binary behind this event — confirm how the cache is maintained.
            if (!executableHash.TryGetValue(executable, out string hash))
            {
                hash = "";
            }

            // The command line may arrive hex-encoded (presumably the audit subsystem's
            // escaping of fields with special characters — confirm); decode it to UTF-8
            // text when it is, otherwise it is passed through unchanged.
            var rawCommandLine = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.CommandLine);
            var commandLine    = EncodedAuditFieldsUtils.DecodeHexStringIfNeeded(rawCommandLine, Encoding.UTF8);

            // Process ids are decimal text here (default base for Convert.ToUInt32).
            var processId       = Convert.ToUInt32(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ProcessId));
            var parentProcessId = Convert.ToUInt32(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ParentProcessId));

            var time   = auditEvent.TimeUTC;
            var userId = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.UserId);

            var extraDetails = new Dictionary <string, string>();
            extraDetails.Add("Hash", hash);

            var payload = new ProcessCreationPayload
            {
                CommandLine     = commandLine,
                Executable      = executable,
                ProcessId       = processId,
                ParentProcessId = parentProcessId,
                Time            = time,
                UserId          = userId,
                ExtraDetails    = extraDetails
            };

            return new ProcessCreate(Priority, payload);
        }