Symantec EDR Internals — Event Enrichment Rules [Part I]

Enrichment Overview

  • Has the file been detected by AV vendors?
  • Is the file connected to any threat actors or campaigns?
  • Are there any related samples online?
  • Does the file contain interesting strings?
  • Is the file packed?
  • Does the file spawn suspicious processes or execute suspicious commands (Process Execution)?
  • Etc.
  • Parent / Child image path on disk.
  • Parent / Child command line.
  • MD5 / SHA256 hashes for both the Parent / Child processes.
  • PID / PPID.
  • Security descriptor for both the Parent / Child processes.
  • Time of execution.
  • Username and SID.
  • Operating system.
  • Publisher.
ATT&CK Enrichment

SEDR Enriched Data

  • enriched_data.category_id
  • enriched_data.category_name
  • enriched_data.event_group_id
  • enriched_data.extra_numeric_info.key_name
  • enriched_data.extra_numeric_info.value
  • enriched_data.extra_string_info.key_name
  • enriched_data.extra_string_info.value
  • enriched_data.rule_description
  • enriched_data.rule_id
  • enriched_data.rule_name
  • By understanding this, blue teams (detection engineers) can write more informed queries and obtain a deeper understanding of the underlying internals.
  • Red teams can also use this to gain a deeper understanding and to try to bypass any detections that are in place and are based on these rules.

“atp-rules.sen” — Discovery

grep -irn "eScheduledTask" [Symantec_ProgramData_PATH]
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\EDRDefs\[Definition Version]\atp-rules.sen
ATP RULES Content

“atp-rules.sen” — Structure

  • Aggregators: function definitions / references used by nodes to perform specific actions.
  • Nodes: represent a tree-like structure in which every node “can” be related to another, following a specific flow based on conditions and node type.
  • nodeID
  • childrenIDs
  • parentID
  • nodeType
Example Node
  • AlphaNoTestNode: jumps directly to the nodeIDs listed in the childrenIDs attribute.
  • AlphaConstantTestNode: compares a value within the event against a constant value defined inside the node.
  • AlphaSwitchNode: acts as a switch-case statement; a specific value within the event is checked against multiple cases.
  • BetaActionNode: specifies the action to take against the event (we’ll see an example later).
  • BetaResolutionNode: TBD
  • BetaJoinNode: jumps to “BetaActionNode” nodes.
  • AlphaMemoryNode: jumps to “BetaJoinNode” nodes.
  • AlphaIntraEventTestNode: TBD
  • bop: stands for “Binary Operation”. It can have one of the following values: “NOT_EQUAL”, “EQUAL”, “REGEX_LIKE”, “REGEX_NOT_LIKE”, “LESS_THAN”, “CONTAINS”, “NOT_CONTAINS”, “GREATER_THAN”, “GREATER_OR_EQUAL”, “LESS_OR_EQUAL”.
  • constantLiteral: contains the value to compare against.
“AlphaConstantTestNode” Example
{
  "artifacts": {
    "actor": {
      "object_type": "process",
      "path": { "value": [ "c:\\windows\\system32\\svchost.exe" ] },
      "normalized_path": { "value": [ "CSIDL_SYSTEM\\svchost.exe" ] },
      "sha2": { "value": [ "DD191A5B23DF92E12A8845291F2FB5ED423B76A28A5A464418442584AFD1E048" ] },
      "md5": { "value": [ "9520A99E87D7196E5D09833146424113" ] },
      "user_sid": { "value": [ "S-1-5-18" ] },
      "user_name": { "value": [ "SYSTEM" ] },
      "user_domain": { "value": [ "NT AUTHORITY" ] },
      "file_id": { "value": [ 281273379610221 ] },
      "size": { "value": [ 53744 ] },
      "session_id": { "value": [ 0 ] },
      "pid": { "value": [ 2344 ] },
      "uid": { "value": [ "73324417-689B-F1EB-AB5E-602D86CC3F92" ] },
      "created": { "value": "2019-03-19T04:44:33.676Z" },
      "modified": { "value": "2019-03-19T04:44:33.676Z" },
      "security_descriptor": { "value": [ "O:S-1-5-5-0-210746G:SYD:(A;;0x1fffff;;;S-1-5-5-0-111111)(A;;0x1400;;;BA)S:AI" ] },
      "signature_company_name": { "value": [ "Microsoft Windows Publisher" ] },
      "signature_value_ids": { "value": [ 3, 5 ] },
      "signature_level_id": { "value": [ 60 ] },
      "cmd_line": { "value": [ "C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule" ] },
      "original_name": { "value": [ "svchost.exe" ] },
      "integrity_id": { "value": [ 6 ] },
      "start_time": "2021-02-06T16:51:01.623Z",
      "tid": { "value": [ 19480 ] }
    },
    "target": {
      "object_type": "process",
      "path": { "value": [ "c:\\program files (x86)\\google\\update\\googleupdate.exe" ] },
      "normalized_path": { "value": [ "CSIDL_PROGRAM_FILES\\google\\update\\googleupdate.exe" ] },
      "sha2": { "value": [ "794CF7644115198DB451431ACF5F89FF9A97550482B1E3F7F13EB7ACA6120A11" ] },
      "md5": { "value": [ "82F657B0AEE67A6A560321CF0927F9F7" ] },
      "user_sid": { "value": [ "S-1-5-18" ] },
      "user_name": { "value": [ "SYSTEM" ] },
      "user_domain": { "value": [ "NT AUTHORITY" ] },
      "file_id": { "value": [ 281634986915819 ] },
      "size": { "value": [ 154920 ] },
      "session_id": { "value": [ 0 ] },
      "pid": { "value": [ 17964 ] },
      "uid": { "value": [ "11111111-1111-1111-1111-111111111111" ] },
      "created": { "value": "2019-10-03T07:50:16.921Z" },
      "modified": { "value": "2019-10-03T07:50:16.765Z" },
      "security_descriptor": { "value": [ "O:SYG:SYD:(A;;0x1fffff;;;SY)(A;;RC;;;OW)(A;;0x1fffff;;;S-1-5-11-1111111111-1111111111-111111111-1111111111-111111111)S:AI" ] },
      "signature_company_name": { "value": [ "Google Inc" ] },
      "signature_value_ids": { "value": [ 3 ] },
      "signature_level_id": { "value": [ 40 ] },
      "cmd_line": { "value": [ "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\\ /ua /installsource scheduler" ] },
      "original_name": { "value": [ "GoogleUpdate.exe" ] },
      "integrity_id": { "value": [ 6 ] },
      "start_time": "2021-02-11T07:16:24.866Z"
    }
  },
  "action": [ "launch" ],
  "type_id": { "value": [ 8001 ] },
  "id": { "value": [ 1 ] },
  "begin_time": { "value": "2021-02-11T07:16:24.866Z" },
  "correlation_uid": { "value": [ "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" ] },
  "device_user_idle": true,
  "receive_time": { "value": "2021-02-11T07:16:24.907Z" },
  "timezone": -60,
  "ref_uid": { "value": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" },
  "seq_num": XXXXXX,
  "edr_ver": "XXXXXX"
}
{
  "nodeID": 1,
  "childrenIDs": [ 2, 286225 ],
  "parentID": 0,
  "nodeType": "AlphaNoTestNode"
}

{
  "nodeID": 2,
  "childrenIDs": [ 286392, 248750, 223501, 248844, 223496, 262526, 285418, 223507,
                   262514, 259973, 225407, 3, 248874, 223504, 248879, 248847 ],
  "parentID": 1,
  "nodeType": "AlphaConstantTestNode",
  "field": [ "artifacts", "actor", "signature_level_id", "value", "[0]" ],
  "bop": "NOT_EQUAL",
  "constantLiteral": 50
}
{
  "nodeID": 3,
  "nodeType": "AlphaSwitchNode",
  "parentID": 2,
  "switchField": [ "action", "[0]" ],
  "switchCases": [
    { "caseLiteral": "statistic",      "caseChildNodeID": 248225 },
    { "caseLiteral": "set",            "caseChildNodeID": 15 },
    { "caseLiteral": "logon",          "caseChildNodeID": 262550 },
    { "caseLiteral": "launch",         "caseChildNodeID": 8506 },
    { "caseLiteral": "set_attributes", "caseChildNodeID": 248211 },
    { "caseLiteral": "delete",         "caseChildNodeID": 4 },
    { "caseLiteral": "accept",         "caseChildNodeID": 279450 },
    { "caseLiteral": "modify",         "caseChildNodeID": 4101 },
    { "caseLiteral": "logoff",         "caseChildNodeID": 279983 },
    { "caseLiteral": "load",           "caseChildNodeID": 220446 },
    { "caseLiteral": "rename",         "caseChildNodeID": 248314 },
    { "caseLiteral": "create",         "caseChildNodeID": 24 },
    { "caseLiteral": "set_security",   "caseChildNodeID": 262472 },
    { "caseLiteral": "terminate",      "caseChildNodeID": 262507 },
    { "caseLiteral": "injection",      "caseChildNodeID": 8461 },
    { "caseLiteral": "close",          "caseChildNodeID": 262445 },
    { "caseLiteral": "connect",        "caseChildNodeID": 8518 },
    { "caseLiteral": "open",           "caseChildNodeID": 248882 }
  ]
}
{
  "nodeID": 8506,
  "childrenIDs": [ 260984, 261179, 223053, 260248, 260987, 223049, 225796, 223027,
                   260954, 260963, 285406, 220361, 260966, 223002, 220418, 260972,
                   260975, 223830, 223035, 260960, 260990, 225259, 281861, 261980,
                   223041, 223190, 222948, 220341, 248795, 223107, 222955, 220352,
                   223045, 260981, 260978, 284341, 220443, 225647, 225946, 225397,
                   223031, 222964, 260969, 225246 ],
  "parentID": 3,
  "nodeType": "AlphaNoTestNode"
}
{
  "nodeID": 220341,
  "nodeType": "AlphaSwitchNode",
  "parentID": 8506,
  "switchField": {
    "fieldType": "CalculatedField",
    "function": { "functionName": "TAIL_STRING", "literalParameters": [ 11 ] },
    "parameterField": {
      "fieldType": "CalculatedField",
      "function": { "functionName": "LOWERCASE", "literalParameters": [] },
      "parameterField": [ "artifacts", "actor", "normalized_path", "value", "[0]" ]
    }
  },
  "switchCases": [
    { "caseLiteral": "\\dnscmd.exe", "caseChildNodeID": 223695 },
    { "caseLiteral": "\\pcwrun.exe", "caseChildNodeID": 223695 },
    { "caseLiteral": "outlook.exe",  "caseChildNodeID": 220386 },
    { "caseLiteral": "\\regasm.exe", "caseChildNodeID": 223695 },
    { "caseLiteral": "winproj.exe",  "caseChildNodeID": 220386 },
    { "caseLiteral": "\\bginfo.exe", "caseChildNodeID": 223695 },
    { "caseLiteral": "acrobat.exe",  "caseChildNodeID": 220386 },
    { "caseLiteral": "\\ieexec.exe", "caseChildNodeID": 223695 },
    { "caseLiteral": "\\chrome.exe", "caseChildNodeID": 260257 },
    { "caseLiteral": "\\pcalua.exe", "caseChildNodeID": 223695 },
    { "caseLiteral": "\\appvlp.exe", "caseChildNodeID": 223695 },
    { "caseLiteral": "svchost.exe",  "caseChildNodeID": 223166 },
    { "caseLiteral": "winword.exe",  "caseChildNodeID": 220386 },
    { "caseLiteral": "\\windbg.exe", "caseChildNodeID": 279426 }
  ]
}
LOWERCASE:        CSIDL_SYSTEM\\svchost.exe ==> csidl_system\\svchost.exe
TAIL_STRING(11):  csidl_system\\svchost.exe ==> svchost.exe
{
  "nodeID": 223166,
  "childrenIDs": [ 223167 ],
  "parentID": 220341,
  "nodeType": "AlphaNoTestNode"
}

{
  "nodeID": 223167,
  "childrenIDs": [ 223168 ],
  "parentID": 223166,
  "nodeType": "AlphaConstantTestNode",
  "field": {
    "fieldType": "CalculatedField",
    "function": { "functionName": "LOWERCASE", "literalParameters": [] },
    "parameterField": {
      "fieldType": "CalculatedField",
      "function": {
        "functionName": "EXTRACT_MATCH",
        "literalParameters": [ ".*svchost\\.exe.*-k\\s+netsvcs.*schedule.*", 0 ]
      },
      "parameterField": {
        "fieldType": "CalculatedField",
        "function": { "functionName": "LOWERCASE", "literalParameters": [] },
        "parameterField": [ "artifacts", "actor", "cmd_line", "value", "[0]" ]
      }
    }
  },
  "bop": "NOT_EQUAL",
  "constantLiteral": ""
}
".*svchost\\.exe.*-k\\s+netsvcs.*schedule.*"
{
  "nodeID": 223170,
  "childrenIDs": [],
  "nodeType": "BetaActionNode",
  "nextResolverNodeID": 223171,
  "ruleSourceFile": "mitre_ttps.fl",
  "ruleSourceLine": 216,
  "ruleSourceColumn": 0,
  "ruleName": "eScheduledTaskLaunch",
  "ruleID": 998,
  "ruleDesc": "Scheduled task launch detected",
  "actions": [
    {
      "actionType": "send",
      "betaIndex": 0,
      "fieldsToAdd": [
        { "fieldName": [ "suspicion_score" ], "fieldValue": { "rvalType": "Literal", "literalValue": 0 } },
        { "fieldName": [ "category_id" ],     "fieldValue": { "rvalType": "Literal", "literalValue": 201 } },
        { "fieldName": [ "category_name" ],   "fieldValue": { "rvalType": "Literal", "literalValue": "Generic Data to be sent to ATP" } }
      ]
    }
  ]
}

".*forfiles(?:\\.exe)?.*\\/c.*\\.lnk.*"
".*wmic(\\.exe\\\"?)?.*\\s+/node.*"
".*reg(\\.exe)?\\\"?\\s+(save|query|export)\\s+(hkey_local_machine|hklm)\\\\(sam|security)(\\\\|\\s+|$).*"
"procdump(64)?(\\.exe)?\\\"?\\s+(.*\\s+)?\\-ma(\\s+.*)?\\s+lsass\\.exe\\s+.*\\.dmp"
"psexec(64)?(\\.exe)?\\\"?\\s+(.*\\s+)?net\\s+(start|stop|pause|continue)\\s+.*"

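To make the traversal concrete, here is an added example (written for this article; it is not Symantec's code and does not parse the .sen file) that walks a reduced copy of the nodes shown above, from node 1 through 2, 3, 8506, 220341, 223166 and 223167 to the BetaActionNode 223170, over a condensed copy of the example event, and collects the fields the node's send action emits under the enriched_data.* names listed earlier. The node subset, the direct link from node 223167 to the action node 223170 (the page lists 223168 as its child and does not show the nodes in between), and the semantics assumed for LOWERCASE, TAIL_STRING, EXTRACT_MATCH and the bop comparisons are inferred from the node definitions, not taken from the engine.

```python
import operator
import re

def make_event(normalized_path="CSIDL_SYSTEM\\svchost.exe",
               cmd_line="C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule",
               signature_level_id=60, action="launch"):
    """Condensed, constructed copy of the page's example event; keyword arguments build variants."""
    return {"artifacts": {"actor": {"normalized_path": {"value": [normalized_path]},
                                    "cmd_line": {"value": [cmd_line]},
                                    "signature_level_id": {"value": [signature_level_id]}}},
            "action": [action]}

def cf(name, params, inner):
    """Build a CalculatedField spec in the shape the .sen nodes use."""
    return {"fieldType": "CalculatedField", "parameterField": inner,
            "function": {"functionName": name, "literalParameters": params}}

# Subset of the page's nodes keyed by nodeID. Children the page does not show are dropped,
# and 223167 is linked straight to 223170 (assumption: the nodes in between are not shown).
NODES = {
    1: {"nodeType": "AlphaNoTestNode", "childrenIDs": [2]},
    2: {"nodeType": "AlphaConstantTestNode", "childrenIDs": [3], "bop": "NOT_EQUAL",
        "constantLiteral": 50, "field": ["artifacts", "actor", "signature_level_id", "value", "[0]"]},
    3: {"nodeType": "AlphaSwitchNode", "switchField": ["action", "[0]"],
        "switchCases": [{"caseLiteral": "launch", "caseChildNodeID": 8506}]},
    8506: {"nodeType": "AlphaNoTestNode", "childrenIDs": [220341]},
    # Every caseLiteral of this switch is 11 characters long, hence TAIL_STRING(11).
    220341: {"nodeType": "AlphaSwitchNode",
             "switchField": cf("TAIL_STRING", [11], cf("LOWERCASE", [],
                               ["artifacts", "actor", "normalized_path", "value", "[0]"])),
             "switchCases": [{"caseLiteral": "svchost.exe", "caseChildNodeID": 223166}]},
    223166: {"nodeType": "AlphaNoTestNode", "childrenIDs": [223167]},
    223167: {"nodeType": "AlphaConstantTestNode", "childrenIDs": [223170], "bop": "NOT_EQUAL",
             "constantLiteral": "",
             "field": cf("LOWERCASE", [], cf("EXTRACT_MATCH", [r".*svchost\.exe.*-k\s+netsvcs.*schedule.*", 0],
                         cf("LOWERCASE", [], ["artifacts", "actor", "cmd_line", "value", "[0]"])))},
    223170: {"nodeType": "BetaActionNode", "ruleID": 998, "ruleName": "eScheduledTaskLaunch",
             "ruleDesc": "Scheduled task launch detected",
             "actions": [{"actionType": "send", "fieldsToAdd": [
                 {"fieldName": ["suspicion_score"], "fieldValue": {"rvalType": "Literal", "literalValue": 0}},
                 {"fieldName": ["category_id"], "fieldValue": {"rvalType": "Literal", "literalValue": 201}},
                 {"fieldName": ["category_name"],
                  "fieldValue": {"rvalType": "Literal", "literalValue": "Generic Data to be sent to ATP"}}]}]},
}

def calc(name, params, value):
    """Aggregator functions used by the nodes; semantics assumed from their names and usage."""
    if name == "LOWERCASE":
        return value.lower()
    if name == "TAIL_STRING":    # last N characters
        return value[-params[0]:]
    if name == "EXTRACT_MATCH":  # text of regex group N, "" when nothing matches
        m = re.search(params[0], value)
        return m.group(params[1]) if m else ""
    raise ValueError(f"unknown function {name}")

def resolve(event, field):
    """Resolve a plain path such as ["action", "[0]"] or a nested CalculatedField."""
    if isinstance(field, dict):
        fn = field["function"]
        return calc(fn["functionName"], fn["literalParameters"], resolve(event, field["parameterField"]))
    cur = event
    for step in field:
        cur = cur[int(step[1:-1])] if step.startswith("[") else cur[step]
    return cur

BOPS = {  # the ten "bop" values listed on the page
    "EQUAL": operator.eq, "NOT_EQUAL": operator.ne, "LESS_THAN": operator.lt,
    "GREATER_THAN": operator.gt, "LESS_OR_EQUAL": operator.le, "GREATER_OR_EQUAL": operator.ge,
    "CONTAINS": operator.contains, "NOT_CONTAINS": lambda a, b: b not in a,
    "REGEX_LIKE": lambda a, b: re.search(b, a) is not None,
    "REGEX_NOT_LIKE": lambda a, b: re.search(b, a) is None}

def walk(node_id, event, nodes=NODES):
    """Evaluate one node against the event and return the records produced below it."""
    node = nodes[node_id]
    kind = node["nodeType"]
    if kind == "BetaActionNode":
        recs = []
        for action in node["actions"]:
            if action["actionType"] == "send":
                # Keys mirror the enriched_data.* fields listed earlier on the page.
                rec = {"rule_id": node["ruleID"], "rule_name": node["ruleName"],
                       "rule_description": node["ruleDesc"]}
                for f in action["fieldsToAdd"]:
                    if f["fieldValue"]["rvalType"] == "Literal":
                        rec[".".join(f["fieldName"])] = f["fieldValue"]["literalValue"]
                recs.append(rec)
        return recs
    if kind == "AlphaNoTestNode":
        children = node["childrenIDs"]
    elif kind == "AlphaConstantTestNode":
        passed = BOPS[node["bop"]](resolve(event, node["field"]), node["constantLiteral"])
        children = node["childrenIDs"] if passed else []
    else:  # AlphaSwitchNode: follow every case whose literal equals the switch value
        key = resolve(event, node["switchField"])
        children = [c["caseChildNodeID"] for c in node["switchCases"] if c["caseLiteral"] == key]
    return [rec for child in children for rec in walk(child, event, nodes)]

def enrich(event, nodes=NODES):
    return walk(1, event, nodes)  # node 1 is the root node shown on the page
```

Calling enrich(make_event()) returns one record for rule 998 (eScheduledTaskLaunch) carrying suspicion_score 0, category_id 201 and the category name. Changing the command line so the EXTRACT_MATCH regex no longer matches, setting signature_level_id to 50 so node 2 fails, or changing the action so node 3 has no case, returns nothing; that is a quick way to see which field change alters which rule fires before writing a query against enriched_data.rule_name.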
Conclusion & Future Research

  • The DLL responsible for parsing the events (Listener.dll).
  • Aggregation functions.
  • The enrichment engine within SEDR.
"rule": "(enriched_data.rule_name='eScripting' and event_actor.file.name='regsvr32.exe')"

"rule": "(enriched_data.rule_name='dedup_eSND_ePECreation' and event_actor.file.name='powershell.exe')"

"rule": "(enriched_data.rule_name='eGenericProcessLaunch' and (process.file.name='cscript.exe' or process.file.name='wscript.exe'))"

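The three rules above all use the same small expression syntax: a dotted field path compared to a quoted literal, combined with and/or and parentheses. The following added example, not part of the original article or of Symantec EDR, is a local evaluator for that subset so a detection engineer can unit-test such expressions against hand-built enriched events before deploying them. The grammar (and binding tighter than or), exact case-sensitive string comparison, the rule labels and the sample events are assumptions made for this example.

```python
import re

# Token pattern: "(", ")", a single-quoted literal, "=", or a bare word (a dotted
# field path or the keywords and/or). Leading whitespace is skipped.
TOKEN = re.compile(r"\s*(?:(\()|(\))|'([^']*)'|(=)|([A-Za-z_][\w.]*))")

def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:pos + 12]!r}")
        pos = m.end()
        if m.group(1) or m.group(2) or m.group(4):
            tokens.append((m.group(0).strip(), None))   # "(", ")" or "="
        elif m.group(3) is not None:
            tokens.append(("str", m.group(3)))
        elif m.group(5).lower() in ("and", "or"):
            tokens.append(("op", m.group(5).lower()))
        else:
            tokens.append(("path", m.group(5)))
    return tokens

class Parser:
    """Recursive descent for: expr := term ("or" term)* ; term := factor ("and" factor)* ;
    factor := "(" expr ")" | path "=" literal. Produces nested tuples."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind):
        tok = self.peek()
        if tok[0] != kind:
            raise ValueError(f"expected {kind}, got {tok}")
        self.i += 1
        return tok

    def expr(self):
        node = self.term()
        while self.peek() == ("op", "or"):
            self.i += 1
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == ("op", "and"):
            self.i += 1
            node = ("and", node, self.factor())
        return node

    def factor(self):
        if self.peek()[0] == "(":
            self.i += 1
            node = self.expr()
            self.take(")")
            return node
        path = self.take("path")[1]
        self.take("=")
        return ("eq", path, self.take("str")[1])

def parse_rule(text):
    p = Parser(tokenize(text))
    tree = p.expr()
    if p.i != len(p.toks):
        raise ValueError(f"trailing tokens: {p.toks[p.i:]}")
    return tree

def lookup(event, dotted):
    """Follow a dotted path through nested dicts; missing keys yield None."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def evaluate(tree, event):
    if tree[0] == "eq":
        return lookup(event, tree[1]) == tree[2]
    left, right = evaluate(tree[1], event), evaluate(tree[2], event)
    return (left and right) if tree[0] == "and" else (left or right)

# The three rules from the page, with labels constructed for this example.
RULES = [
    ("eScripting/regsvr32",
     "(enriched_data.rule_name='eScripting' and event_actor.file.name='regsvr32.exe')"),
    ("dedup_eSND_ePECreation/powershell",
     "(enriched_data.rule_name='dedup_eSND_ePECreation' and event_actor.file.name='powershell.exe')"),
    ("eGenericProcessLaunch/script-host",
     "(enriched_data.rule_name='eGenericProcessLaunch' and (process.file.name='cscript.exe' or process.file.name='wscript.exe'))"),
]

# Constructed enriched events in the shape the rules address (not real SEDR output).
SAMPLE_EVENTS = [
    {"enriched_data": {"rule_name": "eScripting"}, "event_actor": {"file": {"name": "regsvr32.exe"}}},
    {"enriched_data": {"rule_name": "eGenericProcessLaunch"}, "process": {"file": {"name": "wscript.exe"}}},
    {"enriched_data": {"rule_name": "eGenericProcessLaunch"}, "process": {"file": {"name": "notepad.exe"}}},
]

def matching_rules(event, rules=RULES):
    """Labels of every rule whose expression is true for the event."""
    return [label for label, text in rules if evaluate(parse_rule(text), event)]
```

Running matching_rules over SAMPLE_EVENTS gives one hit for the first event, one for the second, and none for the third; a parse error rather than a silent non-match is raised for a malformed expression, which is the behaviour you want when validating a rule set in CI.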
Nasreddine Bencherchali

I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.