diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index fd550c85fb..90dfe91226 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -21,6 +21,7 @@ Thanks, you're awesome :-) --> * Added `file.drive_letter`. #620 * Added `rule` fields. #665 * Added default `text` analyzer as a multi-field to around 25 more fields. #680 +* Added `registry.*` fieldset for the Windows registry. #673 #### Improvements diff --git a/code/go/ecs/registry.go b/code/go/ecs/registry.go new file mode 100644 index 0000000000..54a01777cf --- /dev/null +++ b/code/go/ecs/registry.go 
@@ -0,0 +1,54 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// Fields related to Windows Registry operations. +type Registry struct { + // Abbreviated name for the hive. + Hive string `ecs:"hive"` + + // Hive-relative path of keys. + Key string `ecs:"key"` + + // Name of the value written. + Value string `ecs:"value"` + + // Full path, including hive, key and value + Path string `ecs:"path"` + + // Standard registry type for encoding contents + DataType string `ecs:"data.type"` + + // Content when writing string types. + // Populated as an array when writing string data to the registry. For + // single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an + // array with one string. For sequences of string with REG_MULTI_SZ, this + // array will be variable length. For numeric data, such as REG_DWORD and + // REG_QWORD, this should be populated with the decimal representation (e.g + // `"1"`). + DataStrings string `ecs:"data.strings"` + + // Original bytes written with base64 encoding. + // For Windows registry operations, such as SetValueEx and RegQueryValueEx, + // this corresponds to the data pointed by `lp_data`. 
This is optional but + // provides better recoverability and should be populated for REG_BINARY + // encoded values. + DataBytes string `ecs:"data.bytes"` +} diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index d4a16dcd31..f35fc02379 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -3493,6 +3493,102 @@ example: `/home/alice` // =============================================================== +|===== + +[[ecs-registry]] +=== Registry Fields + +Fields related to Windows Registry operations. + +==== Registry Field Details + +[options="header"] +|===== +| Field | Description | Level + +// =============================================================== + +| registry.data.bytes +| Original bytes written with base64 encoding. + +For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. + +type: keyword + +example: `ZQBuAC0AVQBTAAAAZQBuAAAAAAA=` + +| extended + +// =============================================================== + +| registry.data.strings +| Content when writing string types. + +Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). + +type: keyword + +example: `["C:\rta\red_ttp\bin\myapp.exe"]` + +| core + +// =============================================================== + +| registry.data.type +| Standard registry type for encoding contents + +type: keyword + +example: `REG_SZ` + +| core + +// =============================================================== + +| registry.hive +| Abbreviated name for the hive. + +type: keyword + +example: `HKLM` + +| core + +// =============================================================== + +| registry.key +| Hive-relative path of keys. 
+ +type: keyword + +example: `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe` + +| core + +// =============================================================== + +| registry.path +| Full path, including hive, key and value + +type: keyword + +example: `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger` + +| core + +// =============================================================== + +| registry.value +| Name of the value written. + +type: keyword + +example: `Debugger` + +| core + +// =============================================================== + |===== [[ecs-related]] diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc index c9a73ef9e5..a7d79cca5e 100644 --- a/docs/fields.asciidoc +++ b/docs/fields.asciidoc @@ -66,6 +66,8 @@ all fields are defined. | <> | These fields contain information about a process. +| <> | Fields related to Windows Registry operations. + | <> | Fields meant to facilitate pivoting around a piece of data. | <> | Fields to capture details about rules used to generate alerts or other notable events. diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 50f95544d2..3a9494b150 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -2584,6 +2584,65 @@ norms: false description: The working directory of the process. example: /home/alice + - name: registry + title: Registry + group: 2 + description: Fields related to Windows Registry operations. + type: group + fields: + - name: data.bytes + level: extended + type: keyword + ignore_above: 1024 + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + - name: data.strings + level: core + type: keyword + ignore_above: 1024 + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + - name: data.type + level: core + type: keyword + ignore_above: 1024 + description: Standard registry type for encoding contents + example: REG_SZ + - name: hive + level: core + type: keyword + ignore_above: 1024 + description: Abbreviated name for the hive. + example: HKLM + - name: key + level: core + type: keyword + ignore_above: 1024 + description: Hive-relative path of keys. 
+ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + - name: path + level: core + type: keyword + ignore_above: 1024 + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + - name: value + level: core + type: keyword + ignore_above: 1024 + description: Name of the value written. + example: Debugger - name: related title: Related group: 2 diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 58bcbfb873..260be18ac4 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -342,6 +342,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description 1.4.0-dev,true,process,process.uptime,long,extended,1325,Seconds the process has been up. 1.4.0-dev,true,process,process.working_directory,keyword,extended,/home/alice,The working directory of the process. 1.4.0-dev,true,process,process.working_directory.text,text,extended,/home/alice,The working directory of the process. +1.4.0-dev,true,registry,registry.data.bytes,keyword,extended,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +1.4.0-dev,true,registry,registry.data.strings,keyword,core,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +1.4.0-dev,true,registry,registry.data.type,keyword,core,REG_SZ,Standard registry type for encoding contents +1.4.0-dev,true,registry,registry.hive,keyword,core,HKLM,Abbreviated name for the hive. +1.4.0-dev,true,registry,registry.key,keyword,core,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +1.4.0-dev,true,registry,registry.path,keyword,core,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +1.4.0-dev,true,registry,registry.value,keyword,core,Debugger,Name of the value written. 1.4.0-dev,true,related,related.ip,ip,extended,,All of the IPs seen on your event. 1.4.0-dev,true,rule,rule.category,keyword,extended,Attempted Information Leak,Rule category 1.4.0-dev,true,rule,rule.description,keyword,extended,Block requests to public DNS over HTTPS / TLS protocols,Rule description diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 95bcf10ec1..3775384e52 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -3689,6 +3689,87 @@ process.working_directory: order: 26 short: The working directory of the process. type: keyword +registry.data.bytes: + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides better + recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: registry.data.bytes + ignore_above: 1024 + level: extended + name: data.bytes + order: 6 + short: Original bytes written with base64 encoding. + type: keyword +registry.data.strings: + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single string + registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. + For sequences of string with REG_MULTI_SZ, this array will be variable length. + For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with + the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: registry.data.strings + ignore_above: 1024 + level: core + name: data.strings + order: 5 + short: List of strings representing what was written to the registry. + type: keyword +registry.data.type: + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: registry.data.type + ignore_above: 1024 + level: core + name: data.type + order: 4 + short: Standard registry type for encoding contents + type: keyword +registry.hive: + description: Abbreviated name for the hive. + example: HKLM + flat_name: registry.hive + ignore_above: 1024 + level: core + name: hive + order: 0 + short: Abbreviated name for the hive. + type: keyword +registry.key: + description: Hive-relative path of keys. 
+ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: registry.key + ignore_above: 1024 + level: core + name: key + order: 1 + short: Hive-relative path of keys. + type: keyword +registry.path: + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: registry.path + ignore_above: 1024 + level: core + name: path + order: 3 + short: Full path, including hive, key and value + type: keyword +registry.value: + description: Name of the value written. + example: Debugger + flat_name: registry.value + ignore_above: 1024 + level: core + name: value + order: 2 + short: Name of the value written. + type: keyword related.ip: description: All of the IPs seen on your event. flat_name: related.ip diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index a5255de8aa..6f47608c87 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -4087,6 +4087,96 @@ process: short: These fields contain information about a process. title: Process type: group +registry: + description: Fields related to Windows Registry operations. + fields: + data.bytes: + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: registry.data.bytes + ignore_above: 1024 + level: extended + name: data.bytes + order: 6 + short: Original bytes written with base64 encoding. + type: keyword + data.strings: + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: registry.data.strings + ignore_above: 1024 + level: core + name: data.strings + order: 5 + short: List of strings representing what was written to the registry. + type: keyword + data.type: + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: registry.data.type + ignore_above: 1024 + level: core + name: data.type + order: 4 + short: Standard registry type for encoding contents + type: keyword + hive: + description: Abbreviated name for the hive. + example: HKLM + flat_name: registry.hive + ignore_above: 1024 + level: core + name: hive + order: 0 + short: Abbreviated name for the hive. + type: keyword + key: + description: Hive-relative path of keys. 
+ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: registry.key + ignore_above: 1024 + level: core + name: key + order: 1 + short: Hive-relative path of keys. + type: keyword + path: + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: registry.path + ignore_above: 1024 + level: core + name: path + order: 3 + short: Full path, including hive, key and value + type: keyword + value: + description: Name of the value written. + example: Debugger + flat_name: registry.value + ignore_above: 1024 + level: core + name: value + order: 2 + short: Name of the value written. + type: keyword + group: 2 + name: registry + prefix: registry. + short: Fields related to Windows Registry operations. + title: Registry + type: group related: description: 'This field set is meant to facilitate pivoting around a piece of data. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 04ef3cef8e..37d2226b69 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -1624,6 +1624,42 @@ } } }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "related": { "properties": { "ip": { diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index b1b35e0266..ff3ad98a9a 100644 --- a/generated/elasticsearch/7/template.json 
+++ b/generated/elasticsearch/7/template.json @@ -1623,6 +1623,42 @@ } } }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "related": { "properties": { "ip": { diff --git a/schemas/registry.yml b/schemas/registry.yml new file mode 100644 index 0000000000..6642850396 --- /dev/null +++ b/schemas/registry.yml 
@@ -0,0 +1,62 @@
+---
+- name: registry
+ title: Registry
+ group: 2
+ description: Fields related to Windows Registry operations.
+ type: group
+ fields:
+
+ - name: hive
+ level: core
+ type: keyword
+ description: Abbreviated name for the hive.
+ example: HKLM
+
+ - name: key
+ level: core
+ type: keyword
+ description: Hive-relative path of keys.
+ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+
+ - name: value
+ level: core
+ type: keyword
+ example: Debugger
+ description: Name of the value written.
+
+ - name: path
+ level: core
+ type: keyword
+ description: Full path, including hive, key and value
+ example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
+
+ - name: data.type
+ level: core
+ type: keyword
+ description: Standard registry type for encoding contents
+ example: REG_SZ
+
+ - name: data.strings
+ level: core
+ type: keyword
+ short: List of strings representing what was written to the registry.
+ example: '["C:\rta\red_ttp\bin\myapp.exe"]'
+ description: >
+ Content when writing string types.
+
+ Populated as an array when writing string data to the registry.
+ For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string.
+ For sequences of string with REG_MULTI_SZ, this array will be variable length.
+ For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
+
+ - name: data.bytes
+ level: extended
+ type: keyword
+ short: Original bytes written with base64 encoding.
+ example: "ZQBuAC0AVQBTAAAAZQBuAAAAAAA="
+ description: >
+ Original bytes written with base64 encoding.
+
+ For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`.
+ This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
+
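Review bot: The `data.bytes` entry at the end of the hunk is a plain `keyword`, and the generated artifacts in this same diff (generated/beats/fields.ecs.yml and both Elasticsearch templates) give it `ignore_above: 1024`, so a base64 string longer than 1024 characters — about 768 raw bytes of a REG_BINARY value — stays in `_source` but is not indexed and cannot be searched or aggregated, which undercuts the "better recoverability" the description promises for exactly those values; the description should state the cap, e.g. append `Values longer than 1024 characters are not indexed.`, or the field should be exempted from it. `data.strings` is described as an array, but nothing in the schema marks it as one, which is presumably why the generated `code/go/ecs/registry.go` types `DataStrings` as a single `string`; if the toolchain has an array marker for keyword fields, it belongs on this entry. Smaller consistency points: the `short` for `data.strings` ("List of strings representing what was written to the registry.") does not match the first sentence of its description ("Content when writing string types."), which is what docs/field-details.asciidoc renders; the `value` entry lists `example` before `description` unlike every sibling; and the `path` and `data.type` descriptions lack a terminating period.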