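/// <summary>
/// Converts a raw process-creation audit record into a <see cref="ProcessCreate"/> event.
/// </summary>
/// <param name="ev">
/// Raw event fields keyed by field name. <c>MessageFieldName</c> and <c>TimeGeneratedFieldName</c>
/// must be present; every other value is extracted from the message text.
/// </param>
/// <returns>A <see cref="ProcessCreate"/> carrying a <see cref="ProcessCreationPayload"/>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="ev"/> is <c>null</c>.</exception>
/// <exception cref="KeyNotFoundException">A required top-level field is missing from <paramref name="ev"/>.</exception>
/// <exception cref="FormatException">
/// A process id is not a valid base-16 string, or the time stamp cannot be parsed.
/// </exception>
private IEvent GetProcessCreationEvent(Dictionary<string, string> ev)
{
    if (ev == null)
    {
        throw new ArgumentNullException(nameof(ev));
    }

    // Every property below is extracted from the same message text, so look it up once
    // instead of indexing the dictionary for each field.
    string message = ev[MessageFieldName];

    // The message carries the account fields twice. The default occurrence is labelled
    // "CREATOR" (the account that spawned the process) and occurrence 1 is labelled "TARGET"
    // (the account the new process runs as); the two helpers keep that distinction visible.
    Func<string, string> fromCreator = name => GetEventPropertyFromMessage(message, name);
    Func<string, string> fromTarget = name => GetEventPropertyFromMessage(message, name, 1);

    string commandLine = fromCreator(NewProcessCommandLineFieldName);
    string executable = fromCreator(ProcessNameFieldName);

    var payload = new ProcessCreationPayload
    {
        Executable = executable,
        // Process ids are parsed as base-16, which is how the audit message formats them.
        ProcessId = Convert.ToUInt32(fromCreator(ProcessIdFieldName), 16),
        ParentProcessId = Convert.ToUInt32(fromCreator(CreatorProcessIdFieldName), 16),
        UserName = fromTarget(AccountNameFieldName),
        // NOTE(review): UserName comes from the TARGET account but UserId from the CREATOR
        // logon id; the target logon id is only surfaced under ExtraDetails. Confirm that mixing
        // the two identities is intended, since it decides which logon session an analyst
        // attributes the new process to.
        UserId = fromCreator(LogonIdFieldName),
        // An empty command line is replaced by the executable path so the field is never blank.
        // Presumably this happens when command-line auditing is not enabled on the host (verify
        // against the event source); consumers cannot tell "no arguments" from "not audited".
        CommandLine = string.IsNullOrWhiteSpace(commandLine) ? executable : commandLine,
        // NOTE(review): culture-sensitive parse. The time stamp format is not visible here, so
        // the call is left unchanged; if the value is machine-generated, pass
        // CultureInfo.InvariantCulture.
        Time = DateTime.Parse(ev[TimeGeneratedFieldName]),
        ExtraDetails = new Dictionary<string, string>
        {
            { $"CREATOR_{SecurityIdFieldName}", fromCreator(SecurityIdFieldName) },
            { $"CREATOR_{AccountDomainFieldName}", fromCreator(AccountDomainFieldName) },
            { $"CREATOR_{AccountNameFieldName}", fromCreator(AccountNameFieldName) },
            { $"TARGET_{SecurityIdFieldName}", fromTarget(SecurityIdFieldName) },
            { $"TARGET_{AccountDomainFieldName}", fromTarget(AccountDomainFieldName) },
            { $"TARGET_{AccountNameFieldName}", fromTarget(AccountNameFieldName) },
            { $"TARGET_{LogonIdFieldName}", fromTarget(LogonIdFieldName) },
            // Elevation and integrity details are passed through unparsed for downstream consumers.
            { TokenElevationTypeFieldName, fromCreator(TokenElevationTypeFieldName) },
            { MandatoryLabelFieldName, fromCreator(MandatoryLabelFieldName) }
        }
    };

    return new ProcessCreate(AgentConfiguration.GetEventPriority<ProcessCreate>(), payload);
}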
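/// <summary>
/// Converts a raw process-termination audit record into a <see cref="ProcessTerminate"/> event.
/// </summary>
/// <param name="ev">
/// Raw event fields keyed by field name. <c>MessageFieldName</c> and <c>TimeGeneratedFieldName</c>
/// must be present; every other value is extracted from the message text.
/// </param>
/// <returns>A <see cref="ProcessTerminate"/> carrying a <see cref="ProcessTerminationPayload"/>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="ev"/> is <c>null</c>.</exception>
/// <exception cref="KeyNotFoundException">A required top-level field is missing from <paramref name="ev"/>.</exception>
/// <exception cref="FormatException">
/// The process id or exit status is not a valid base-16 string, or the time stamp cannot be parsed.
/// </exception>
private IEvent GetProcessExitEvent(Dictionary<string, string> ev)
{
    if (ev == null)
    {
        throw new ArgumentNullException(nameof(ev));
    }

    // All message-derived fields come from the same text; look it up once.
    string message = ev[MessageFieldName];
    Func<string, string> field = name => GetEventPropertyFromMessage(message, name);

    var payload = new ProcessTerminationPayload
    {
        Executable = field(ProcessNameFieldName),
        // Process id is parsed as base-16, which is how the audit message formats it.
        ProcessId = Convert.ToUInt32(field(ProcessIdFieldName), 16),
        // Exit status is parsed as a signed base-16 value: Convert.ToInt32 treats eight hex
        // digits with the high bit set as two's complement, so codes above 0x7FFFFFFF come
        // back negative rather than throwing.
        ExitStatus = Convert.ToInt32(field(ExitStatusFieldName), 16),
        // NOTE(review): culture-sensitive parse. The time stamp format is not visible here, so
        // the call is left unchanged; if the value is machine-generated, pass
        // CultureInfo.InvariantCulture.
        Time = DateTime.Parse(ev[TimeGeneratedFieldName]),
        // Only the first occurrence of the account fields is captured here (no "target" set
        // exists for a termination record in this code).
        ExtraDetails = new Dictionary<string, string>
        {
            { AccountDomainFieldName, field(AccountDomainFieldName) },
            { AccountNameFieldName, field(AccountNameFieldName) },
            { LogonIdFieldName, field(LogonIdFieldName) }
        }
    };

    return new ProcessTerminate(AgentConfiguration.GetEventPriority<ProcessTerminate>(), payload);
}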