tsale / edr-telemetry
This project aims to compare and evaluate the telemetry of various EDR products.
I would like to add Cisco Secure Endpoint EDR information.
Creating this issue for tracking.
File Renaming is captured as an ActionType under DeviceFileEvents
Can you please add the Trend solution to this list?
Tks
Diego
It would be good to break out Windows vs. Linux telemetry for EDR, as the two platforms have very different coverage needs. Linux coverage can cover process attacks like Windows does. However, it also has a lot of non-process-based data that needs good telemetry to detect attacks.
I'd propose these high-level categories for telemetry type data as a starting point:
Processes (process activity, creation times, owners, binary data, network activity, etc.)
Files (general coverage for file attributes, creation times, owners, hashes, entropy, etc.)
Directories (general directory coverage for attributes like files above, etc.)
Logs (syslog, utmp, btmp, wtmp, lastlog, log data, etc.)
Users (accounts, passwords, SSH keys, login activity, etc.)
Kernel (kernel modules, status, etc.)
Systemd (services, lingering processes, general systemd units).
Scheduled Tasks (cron/at/systemd running, owners, etc.)
These telemetries are missing from the comparison:
Task Start
Service Start
If we are going to even include deletion of these, then surely starting them should be included in the comparison.
I am collecting telemetry data in Splunk for CrowdStrike, and I have "vertex_type=domain"; it should include DNS queries (even with the sampling).
First, thanks for all the hard work on this project.
For v0.2 of telemetry-generator.ps1, would it be possible to add a check for whether Invoke-AtomicRedTeam is already installed?
It could work something like this:
...
# Function that checks if Invoke-AtomicRedTeam is already installed
function Check-ARTInstalled {
    try {
        Get-Command Invoke-AtomicTest -ErrorAction Stop | Out-Null
        return $true
    }
    catch {
        return $false
    }
}
...
# Install Invoke-Atomic if not already installed
if (-not (Check-ARTInstalled)) {
    Install-ART
}
...
Thanks again!
I think there might be an issue with Pipe Connection and Pipe Creation in the CrowdStrike column.
From reading the CrowdStrike docs, I can see that there is an event field called SmbClientNamedPipeConnectEtw:
"An event that indicates when a machine connects to a remote SMB (Server Message Block) named pipe. The event contains the pattern id of the associated indicator and is supported on all Windows platforms except 8.1 and Server 2012 R2. Captured using the ETW consumer."
CrowdStrike also has NamedPipeDetectInfo, which has a NamedPipeOperationType field that can be:
Not sure how you want to integrate, but sharing some notes on potential mappings:
Process Activity = https://attack.mitre.org/datasources/DS0009/
Process Creation = https://attack.mitre.org/datasources/DS0009/#Process%20Creation
Process Termination = https://attack.mitre.org/datasources/DS0009/#Process%20Termination
Process Access = https://attack.mitre.org/datasources/DS0009/#Process%20Access
Image/Library Loaded = https://attack.mitre.org/datasources/DS0011/#Module%20Load
Remote Thread Creation = partially https://attack.mitre.org/datasources/DS0009/#OS%20API%20Execution & https://attack.mitre.org/datasources/DS0009/#Process%20Access (? 🤷 )
Process Tampering Activity = https://attack.mitre.org/datasources/DS0009/#Process%20Modification
File Manipulation = https://attack.mitre.org/datasources/DS0022/
File Creation = https://attack.mitre.org/datasources/DS0022/#File%20Creation
File Opened = https://attack.mitre.org/datasources/DS0022/#File%20Access
File Deletion = https://attack.mitre.org/datasources/DS0022/#File%20Deletion
File Modification = https://attack.mitre.org/datasources/DS0022/#File%20Modification
File Renaming = https://attack.mitre.org/datasources/DS0022/#File%20Modification
User Account Activity = https://attack.mitre.org/datasources/DS0002/
Local Account Creation = https://attack.mitre.org/datasources/DS0002/#User%20Account%20Creation
Local Account Modification = https://attack.mitre.org/datasources/DS0002/#User%20Account%20Modification
Local Account Deletion = https://attack.mitre.org/datasources/DS0002/#User%20Account%20Deletion
Account Login = https://attack.mitre.org/datasources/DS0002/#User%20Account%20Authentication + https://attack.mitre.org/datasources/DS0028/#Logon%20Session%20Creation
Account Logoff = [null]
Network Activity = https://attack.mitre.org/datasources/DS0029/
TCP Connection = https://attack.mitre.org/datasources/DS0029/#Network%20Connection%20Creation
UDP Connection = https://attack.mitre.org/datasources/DS0029/#Network%20Connection%20Creation
URL = https://attack.mitre.org/datasources/DS0029/#Network%20Traffic%20Content (? 🤷)
DNS Query = https://attack.mitre.org/datasources/DS0029/#Network%20Traffic%20Content (? 🤷)
File Downloaded = https://attack.mitre.org/datasources/DS0029/#Network%20Traffic%20Content + https://attack.mitre.org/datasources/DS0022/#File%20Creation (? 🤷)
Hash Algorithms = https://attack.mitre.org/datasources/DS0022/#File%20Metadata (? 🤷)
MD5 = https://attack.mitre.org/datasources/DS0022/#File%20Metadata (? 🤷)
SHA = https://attack.mitre.org/datasources/DS0022/#File%20Metadata (? 🤷)
IMPHASH = https://attack.mitre.org/datasources/DS0022/#File%20Metadata (? 🤷)
Registry Activity = https://attack.mitre.org/datasources/DS0024/
Key/Value Creation = https://attack.mitre.org/datasources/DS0024/#Windows%20Registry%20Key%20Creation
Key/Value Modification = https://attack.mitre.org/datasources/DS0024/#Windows%20Registry%20Key%20Modification
Key/Value Deletion = https://attack.mitre.org/datasources/DS0024/#Windows%20Registry%20Key%20Deletion
Schedule Task Activity = https://attack.mitre.org/datasources/DS0003/
Scheduled Task Creation = https://attack.mitre.org/datasources/DS0003/#Scheduled%20Job%20Creation
Scheduled Task Modification = https://attack.mitre.org/datasources/DS0003/#Scheduled%20Job%20Modification
Scheduled Task Deletion = https://attack.mitre.org/datasources/DS0003/#Scheduled%20Job%20Modification (? 🤷)
Service Activity = https://attack.mitre.org/datasources/DS0019/
Service Creation = https://attack.mitre.org/datasources/DS0019/#Service%20Creation
Service Modification = https://attack.mitre.org/datasources/DS0019/#Service%20Modification
Service Deletion = https://attack.mitre.org/datasources/DS0019/#Service%20Modification (? 🤷)
Driver/Module Activity = https://attack.mitre.org/datasources/DS0027/
Driver Loaded = https://attack.mitre.org/datasources/DS0027/#Driver%20Load
Driver Modification = https://attack.mitre.org/datasources/DS0022/#File%20Modification (? 🤷)
Driver Unloaded = [null]
Device Operations = https://attack.mitre.org/datasources/DS0016/
Virtual Disk Mount = https://attack.mitre.org/datasources/DS0016/#Drive%20Creation
USB Device Unmount = https://attack.mitre.org/datasources/DS0016/#Drive%20Creation
USB Device Mount = https://attack.mitre.org/datasources/DS0016/#Drive%20Creation
Other Relevant Events
Group Policy Modification = https://attack.mitre.org/datasources/DS0026/#Active%20Directory%20Object%20Modification (? 🤷)
Named Pipe Activity = https://attack.mitre.org/datasources/DS0023/
Pipe Creation = https://attack.mitre.org/datasources/DS0023/#Named%20Pipe%20Metadata (? 🤷)
Pipe Connection = https://attack.mitre.org/datasources/DS0023/#Named%20Pipe%20Metadata (? 🤷)
EDR SysOps = https://attack.mitre.org/datasources/DS0013/
Agent Start = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
Agent Stop = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
Agent Install = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
Agent Uninstall = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
Agent Tampering = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
Agent Keep-Alive = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
Agent Errors = https://attack.mitre.org/datasources/DS0013/#Host%20Status (? 🤷)
WMI Activity = https://attack.mitre.org/datasources/DS0005/
WmiEventConsumerToFilter = https://attack.mitre.org/datasources/DS0005/#WMI%20Creation
WmiEventConsumer = https://attack.mitre.org/datasources/DS0005/#WMI%20Creation
WmiEventFilter = https://attack.mitre.org/datasources/DS0005/#WMI%20Creation
BIT JOBS Activity = [null]
PowerShell Activity = https://attack.mitre.org/datasources/DS0012/ + https://attack.mitre.org/datasources/DS0017/
Script-Block Activity = https://attack.mitre.org/datasources/DS0012/#Script%20Execution
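As an added example (not code from the tsale/edr-telemetry project), the following rolls a per-product comparison up into ATT&CK data-component coverage using a subset of the mapping proposed above, so that many-to-one rows (TCP and UDP both feeding Network Connection Creation, File Renaming feeding File Modification) and rows with no ATT&CK counterpart (the [null] entries) become visible. The comparison rows and the Yes/Partially/No status vocabulary are constructed assumptions, not real product data.

```python
from collections import defaultdict

# Telemetry sub-category -> ATT&CK data component(s). Subset of the mapping
# proposed in the thread; an empty list means no ATT&CK counterpart ([null]).
ATTACK_MAP = {
    "Process Creation": ["DS0009 Process Creation"],
    "Process Termination": ["DS0009 Process Termination"],
    "File Creation": ["DS0022 File Creation"],
    "File Modification": ["DS0022 File Modification"],
    "File Renaming": ["DS0022 File Modification"],  # rename shares a component
    "TCP Connection": ["DS0029 Network Connection Creation"],
    "UDP Connection": ["DS0029 Network Connection Creation"],
    "Account Login": ["DS0002 User Account Authentication", "DS0028 Logon Session Creation"],
    "Account Logoff": [],
}

# Constructed comparison rows (not real product data); the Yes/Partially/No
# status vocabulary is an assumption modelled on the values discussed here.
SAMPLE_ROWS = [
    ("Process Creation",    {"EDR-A": "Yes",       "EDR-B": "Yes"}),
    ("Process Termination", {"EDR-A": "Yes",       "EDR-B": "No"}),
    ("File Creation",       {"EDR-A": "Yes",       "EDR-B": "Partially"}),
    ("File Modification",   {"EDR-A": "No",        "EDR-B": "No"}),
    ("File Renaming",       {"EDR-A": "Partially", "EDR-B": "Yes"}),
    ("TCP Connection",      {"EDR-A": "Yes",       "EDR-B": "Yes"}),
    ("UDP Connection",      {"EDR-A": "No",        "EDR-B": "Yes"}),
    ("Account Login",       {"EDR-A": "Yes",       "EDR-B": "Partially"}),
    ("Account Logoff",      {"EDR-A": "Yes",       "EDR-B": "No"}),
]

RANK = {"No": 0, "Partially": 1, "Yes": 2}


def coverage(rows, attack_map=ATTACK_MAP):
    """Return {product: {data_component: best_status}}; several telemetry rows
    can feed one component (TCP/UDP, rename/modification), strongest wins."""
    out = defaultdict(dict)
    for telemetry, statuses in rows:
        for component in attack_map.get(telemetry, []):
            for product, status in statuses.items():
                current = out[product].setdefault(component, "No")
                if RANK[status] > RANK[current]:
                    out[product][component] = status
    return dict(out)


def unmapped(rows, attack_map=ATTACK_MAP):
    """Telemetry rows no ATT&CK data component describes (the [null] entries)."""
    return [t for t, _ in rows if not attack_map.get(t)]
```

Rows returned by unmapped() are telemetry the comparison tracks but an ATT&CK-based view would silently drop, which is worth flagging before using such a roll-up to claim coverage.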
I love this project, but for me it lacks telemetry protection information.
In SigmaHQ you can find many rules such as "eventlog clear", "ETW disable/tamper", ....
A long time ago I added phant0m to atomic-red-team to test this.
Could there be one or more checkboxes for telemetry manipulation detection?
Thanks
Hello,
Regarding CrowdStrike telemetry, some events are generated only when the EDR detects suspicious behavior in the same process tree (for example, the FileOpenInfo event related to the File Opened operation).
This does not mean that the box should be red, but it may be useful to note whether a condition is necessary for the generation of the event.
Looks like Defender for Endpoint telemetry information is missing.
I can help get some stuff started based on what is available through Advanced Hunting. There may be additional data available in the device timeline, as pointed out by Olaf Hartong, and potentially other sources locally. But I could at least provide a place to start if you don't mind having some fields with ❓ for a while.
I want to contribute data from Rapid7's InsightIDR product, however it's not necessarily a true EDR - it doesn't block/prevent, but creates detections and generates all the same kind of telemetry in a SIEM. Is this something that'd be accepted on the project?
A few things: this is a really neat table.
For Microsoft, MDE does consume the IMPHASH as telemetry, but it's not made available for inspection to the end user/admin/consumer. This is not publicly documented that I could find. However, Defender AV clearly has this documented as something it uses for inspection specifically when Cloud Based protection is enabled (reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission?view=o365-worldwide).
File Open - MDE does log file open in certain scenarios, example below:
The above screen cap is without Purview integration.... Purview DLP is the solution for tracking file opens, copies etc. from Microsoft that MDE integrates with (reference: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/common-questions-on-microsoft-purview-data-loss-prevention-for/ba-p/3732610).
Agent State is tracked via the Agent Health in the Device Inventory and on the Device pages (ref: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/check-sensor-status?view=o365-worldwide).
Agent Keep Alive is reflected via the First Seen and Last Seen properties on the device page (ref: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/machines-view-overview?view=o365-worldwide).
The agent also logs detailed status to the Event Logs (ref: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/event-error-codes?view=o365-worldwide).
BITS transfer - arguably - https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/PowerShell%20downloads.yaml; would have to poke around and see if non-PS-initiated transfers would show or not, either in the telemetry or in Advanced Hunting.
MDE also integrates with Intel's TDT as well (hardware integration) https://www.intel.com/content/www/us/en/architecture-and-technology/vpro/hardware-shield/threat-detection-technology.html
I think it could be helpful to know if an EDR captures shell commands/history. In particular, native shell commands don't spawn new processes, so most EDR won't naturally see them.
Love the idea of this. Thanks for the work on it.
One question, which Trellix EDR product does this cover, ENS (originally McAfee) or HX (originally FireEye)?
Wanted to see if there were any thoughts about mapping to MITRE ATT&CK, as it would be a great map across the industry and usable at scale. If there's been work on this done privately, I'd be interested to assist or work with it.
Any interest in adding https://github.com/0xrawsec/whids ?
Can you use colors and/or monikers that make it easier to tell who has what :) To some of us, reds/greens are not great to use for this. Standard black Y/N/P/? (yes, no, partial, unknown) would work too. Pink/Red/Orange are hard to tell apart for my colleagues. :) Love the repo!
MD5 is only calculated on some events; I can see the following fields containing MD5 hashes:
behaviors{}.md5
behaviors{}.parent_details.parent_md5
event.MD5String
(event streams logs) properties.MD5HashData
(vertex_type=module) It's a small part of the detections, but it is partially logged.
For the behaviors{} detections, for example, I can see the following behaviors detected with MD5 hashes:
This is super cool and useful, thanks for sharing. One thing that would be a possible awesome contribution would be to know the isolation capabilities of these tools, i.e. can you remotely isolate affected systems? Understood this list is more related to the telemetry output from the different tools, but it would be cool to know some other capabilities the tools have and be able to benchmark them. Another step could be to include the DFIR capabilities of the tools, but I understand this would need significant research and testing. Just throwing ideas out there. Great project, thanks again!
Is it possible to add a "console" category for logs generated through actions performed on the EDR console? This category could include:
Please add Wazuh to this list; it is an open source EDR/XDR....
hi there,
Would it be possible to add a more verbose description of what the values a capability can take mean?
I.e., I was about to create a pull request changing the "network activity > url" value for MDE to "partially", as the relevant network events logged by MDE don't reliably populate the url field. It sometimes only contains a domain or trims the URL parameters vs. what is logged on a proxy at the same time.
That's when I realized that I was unsure whether this would fulfil the criteria for "partially", or if the events simply being present in whatever quality is already enough to qualify for "implemented".
Similarly, I was unsure about the following: MDE allows seeing BITS jobs activity in the ProcessEventsTable and NetworkEventsTable, but doesn't have something specially dedicated. Would that be regarded as "partially" or still "not implemented"? Btw, it should be "bits jobs" in the JSON, not "bit jobs" 😉.
cheers,
hrun
The list states that Cortex XDR does not have File Open telemetry, but it's available for Linux and Mac; this should be marked as partially at least. Reference: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Endpoint-Data-Collection