/// <summary>
/// Builds a <see cref="ProcessCreate"/> device event from a raw Windows security event record.
/// Every payload property is pulled out of the record's message text with
/// <c>GetEventPropertyFromMessage</c>; an index of 1 selects the second occurrence of a field
/// (the "target" subject block), no index selects the first (the "creator" subject block).
/// </summary>
/// <param name="ev">Raw event record; must contain the <c>MessageFieldName</c> and <c>TimeGeneratedFieldName</c> keys.</param>
/// <returns>A process-creation event with the priority configured for <see cref="ProcessCreate"/>.</returns>
private IEvent GetProcessCreationEvent(Dictionary<string, string> ev)
{
    // All fields come from the same message body; fetch it once instead of per property.
    string message = ev[MessageFieldName];

    // First occurrence of a field = creator subject; second occurrence = target subject.
    string Creator(string fieldName) => GetEventPropertyFromMessage(message, fieldName);
    string Target(string fieldName) => GetEventPropertyFromMessage(message, fieldName, 1);

    string commandLine = Creator(NewProcessCommandLineFieldName);
    string executable = Creator(ProcessNameFieldName);

    var details = new Dictionary<string, string>
    {
        { $"CREATOR_{SecurityIdFieldName}", Creator(SecurityIdFieldName) },
        { $"CREATOR_{AccountDomainFieldName}", Creator(AccountDomainFieldName) },
        { $"CREATOR_{AccountNameFieldName}", Creator(AccountNameFieldName) },
        { $"TARGET_{SecurityIdFieldName}", Target(SecurityIdFieldName) },
        { $"TARGET_{AccountDomainFieldName}", Target(AccountDomainFieldName) },
        { $"TARGET_{AccountNameFieldName}", Target(AccountNameFieldName) },
        { $"TARGET_{LogonIdFieldName}", Target(LogonIdFieldName) },
        { TokenElevationTypeFieldName, Creator(TokenElevationTypeFieldName) },
        { MandatoryLabelFieldName, Creator(MandatoryLabelFieldName) }
    };

    var payload = new ProcessCreationPayload
    {
        Executable = executable,
        // Process ids are written in hex in the message text, hence radix 16.
        ProcessId = Convert.ToUInt32(Creator(ProcessIdFieldName), 16),
        ParentProcessId = Convert.ToUInt32(Creator(CreatorProcessIdFieldName), 16),
        // NOTE(review): UserName is taken from the target subject but UserId from the creator's
        // logon id; confirm this pairing is intentional.
        UserName = Target(AccountNameFieldName),
        UserId = Creator(LogonIdFieldName),
        // The command line field is empty when command-line auditing is not enabled on the host;
        // fall back to the executable path so the payload is never blank.
        CommandLine = string.IsNullOrWhiteSpace(commandLine) ? executable : commandLine,
        // NOTE(review): DateTime.Parse without a culture depends on the agent's current culture —
        // confirm the time field's format before relying on this across hosts.
        Time = DateTime.Parse(ev[TimeGeneratedFieldName]),
        ExtraDetails = details
    };

    return new ProcessCreate(AgentConfiguration.GetEventPriority<ProcessCreate>(), payload);
}
/// <summary>
/// Converts an audit event to a device event
/// </summary>
/// <param name="auditEvent">Audit event to convert</param>
/// <returns>Device event based on the input</returns>
private IEvent AuditEventToDeviceEvent(AuditEvent auditEvent)
{
    // The command line may arrive hex-encoded; decode it as UTF-8 when that is the case.
    string commandLine = EncodedAuditFieldsUtils.DecodeHexStringIfNeeded(
        auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.CommandLine),
        Encoding.UTF8);

    var creation = new ProcessCreationPayload
    {
        CommandLine = commandLine,
        Executable = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.Executable),
        // Process ids are plain decimal strings here (no radix argument).
        ProcessId = Convert.ToUInt32(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ProcessId)),
        ParentProcessId = Convert.ToUInt32(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ParentProcessId)),
        Time = auditEvent.TimeUTC,
        UserId = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.UserId)
    };

    return new ProcessCreate(Priority, creation);
}
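/// <summary>
/// Builds a representative <see cref="ProcessCreate"/> event and checks that it passes schema validation.
/// </summary>
public void ProcessCreate()
{
    var payload = new ProcessCreationPayload
    {
        // Verbatim string: in a regular literal "c:\app.exe" the "\a" is a BEL escape, not a backslash.
        CommandLine = @"c:\app.exe",
        Executable = "app.exe",
        ParentProcessId = 34,
        ProcessId = 56,
        Time = DateTime.UtcNow,
        UserId = "admin",
        UserName = "******"
    };

    var obj = new ProcessCreate(EventPriority.Low, payload);
    obj.ValidateSchema();
}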
/// <summary>
/// Converts an audit event to a device event
/// </summary>
/// <param name="auditEvent">Audit event to convert</param>
/// <returns>Device event based on the input</returns>
private IEvent AuditEventToDeviceEvent(AuditEvent auditEvent)
{
    string executable = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.Executable);

    // Unknown executables get an empty hash rather than a missing key, so the "Hash" detail is always present.
    // NOTE(review): the hash is looked up by executable path; how executableHash is populated is not visible here.
    if (!executableHash.TryGetValue(executable, out string hash))
    {
        hash = "";
    }

    // The command line may arrive hex-encoded; decode it as UTF-8 when that is the case.
    string commandLine = EncodedAuditFieldsUtils.DecodeHexStringIfNeeded(
        auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.CommandLine),
        Encoding.UTF8);

    var creation = new ProcessCreationPayload
    {
        CommandLine = commandLine,
        Executable = executable,
        // Process ids are plain decimal strings here (no radix argument).
        ProcessId = Convert.ToUInt32(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ProcessId)),
        ParentProcessId = Convert.ToUInt32(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ParentProcessId)),
        Time = auditEvent.TimeUTC,
        UserId = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.UserId),
        ExtraDetails = new Dictionary<string, string> { { "Hash", hash } }
    };

    return new ProcessCreate(Priority, creation);
}