From a2952c5cb0ce5531fd582fcda6d6887ea675d8c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A1n=20Tren=C4=8Dansk=C3=BD?= Date: Sun, 1 Dec 2024 22:47:38 +0100 Subject: [PATCH] ESET Endpoint Security Log Parsing Artifact (#931) Artifact that uses ESET Log Collector tool to convert threat logs into XMLs and parse them through Velociraptor. Covers all important log sources that are commonly encountered in enterprise setting. Tested on ESET Endpoint Security. Examples: ![image](https://github.com/user-attachments/assets/e4d0ec41-a512-4301-a1a5-6250aedd353b) ![image](https://github.com/user-attachments/assets/9326ae3a-0ca6-493e-9934-7c631fdaadfe) ![image](https://github.com/user-attachments/assets/aae0ded3-242c-488e-a353-7d013fb1ee49) --- content/exchange/artifacts/ESETLogs.yaml | 71 ++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 content/exchange/artifacts/ESETLogs.yaml diff --git a/content/exchange/artifacts/ESETLogs.yaml b/content/exchange/artifacts/ESETLogs.yaml new file mode 100644 index 00000000000..00ccd369d9f --- /dev/null +++ b/content/exchange/artifacts/ESETLogs.yaml @@ -0,0 +1,71 @@ +name: Windows.ESET.Logs +author: Ján Trenčanský - j91321@infosec.exchange +description: | + Parse logs from ESET antivirus products. This log contains information about detections made by the ESET modules such as Real-time filesystem proteciton, Firewall, HIPS, Device Control, HTTP filter, AMSI Scanner etc. + +type: CLIENT + +tools: + - name: ESETLogCollector + url: https://download.eset.com/com/eset/tools/diagnosis/log_collector/latest/esetlogcollector.exe + expected_hash: c5c9b4ec7feca3f3ac43c71454e7e51f13f19ce52a0583d34b32f7df4bbea5db + serve_locally: true + +precondition: SELECT OS From info() where OS = 'windows' + +parameters: + - name: LogTargets + default: "Threat,Hips,Fw,Web,Dev,BlkF" + description: Selection of log targets to collect + +required_permissions: +- EXECVE + +sources: + - name: Antivirus + query: | + LET tool <= SELECT * FROM Artifact.Generic.Utils.FetchBinary(ToolName="ESETLogCollector") + LET tempfolder <= tempdir(remove_last=true) + LET exe <= SELECT * FROM execve(argv= [ tool[0].OSPath, + "/accepteula", "/OType:xml", "/Targets:"+LogTargets, tempfolder+'\\logstmp.zip' ], length=10000000) + LET zip <= SELECT * FROM unzip(filename=tempfolder+'\\logstmp.zip',output_directory=tempfolder+'\\logs') + + LET xml <= SELECT get(item=parse_xml(file=OSPath), member='Events.Event') AS entries FROM glob(globs=tempfolder+'\\logs\\ESET\\Logs\\Common\\virlog.dat.xml') + SELECT * FROM foreach( + row=xml.entries, + query={SELECT _value.AttrIdx AS ID, _value.AttrTime AS Timestamp, 'virlog.dat' AS Log, _value.Threat AS Threat, _value.AttrLevel AS Level, _value.Action AS Action, _value.Name AS Object, _value.Col7 AS SHA1, _value.Info AS Information, _value.Col8 AS Firstseen, _value.Scanner AS Scanner, _value.Object AS ObjectType, _value.User AS User, _value.AttrDeleted AS DeletedInLog FROM foreach(row=_value)}) + + - name: HIPS + query: | + LET xml <= SELECT get(item=parse_xml(file=OSPath), member='Events.Event') AS entries FROM glob(globs=tempfolder+'\\logs\\ESET\\Logs\\Common\\hipslog.dat.xml') + SELECT _value.AttrIdx AS ID, _value.AttrTime AS Timestamp, 'hipslog.dat' AS Log, _value.Rule AS RuleName, _value.AttrLevel AS Level, _value.Action AS Action, _value.Application AS Application, _value.Application_Hash AS ApplicationSHA1, _value.Target AS Target, _value.Target_Hash AS TargetSHA1, _value.AttrDeleted AS DeletedInLog FROM foreach( + row=xml.entries, + query={SELECT * FROM foreach(row=_value)}) + + - name: Firewall + query: | + LET xml <= SELECT get(item=parse_xml(file=OSPath), member='Events.Event') AS entries FROM glob(globs=tempfolder+'\\logs\\ESET\\Logs\\Net\\epfwlog.dat.xml') + SELECT _value.AttrIdx AS ID, _value.AttrTime AS Timestamp, 'epfwlog.dat' AS Log, _value.Event AS Event, _value.Rule_worm_name AS RuleName, _value.AttrLevel AS Level, _value.Action AS Action, _value.Source AS Source, _value.Target AS Target, _value.Protocol AS Protocol, _value.Application AS Application, _value.Hash AS SHA1, _value.User AS User, _value.AttrDeleted AS DeletedInLog FROM foreach( + row=xml.entries, + query={SELECT * FROM foreach(row=_value)}) + + - name: FilteredWebsites + query: | + LET xml <= SELECT get(item=parse_xml(file=OSPath), member='Events.Event') AS entries FROM glob(globs=tempfolder+'\\logs\\ESET\\Logs\\Net\\urllog.dat.xml') + SELECT _value.AttrIdx AS ID, _value.AttrTime AS Timestamp, 'urllog.dat' AS Log, _value.URL AS URL, _value.Status AS Action, _value.Detection AS Threat, _value.AttrLevel AS Level, _value.Application AS Application, _value.Hash AS SHA1, _value.User AS User, _value.IP_address AS IPAddress, _value.AttrDeleted AS DeletedInLog FROM foreach( + row=xml.entries, + query={SELECT * FROM foreach(row=_value)}) + + - name: BlockedFiles + query: | + LET xml <= SELECT get(item=parse_xml(file=OSPath), member='Events.Event') AS entries FROM glob(globs=tempfolder+'\\logs\\ESET\\Logs\\Common\\blocked.dat.xml') + SELECT _value.AttrIdx AS ID, _value.AttrTime AS Timestamp, 'blocked.dat' AS Log, _value.File AS File, _value.Source AS Blocker, _value.Reason AS Reason, _value.AttrLevel AS Level, _value.Application AS Application, _value.Hash AS SHA1, _value.User AS User, _value.First_seen_here AS FirstSeen, _value.AttrDeleted AS DeletedInLog FROM foreach( + row=xml.entries, + query={SELECT * FROM foreach(row=_value)}) + + - name: DeviceControl + query: | + LET xml <= SELECT get(item=parse_xml(file=OSPath), member='Events.Event') AS entries FROM glob(globs=tempfolder+'\\logs\\ESET\\Logs\\Common\\devctrllog.dat.xml') + SELECT _value.AttrIdx AS ID, _value.AttrTime AS Timestamp, 'devctrllog.dat' AS Log, _value.Device AS Device, _value.Status AS Action, _value.AttrLevel AS Level, _value.User AS User, _value.User_SID AS SID, _value.Group AS Group, _value.Group_SID AS GroupSID, _value.Device_details AS DeviceDetails, _value.Event_details AS EventDetails, _value.AttrDeleted AS DeletedInLog FROM foreach( + row=xml.entries, + query={SELECT * FROM foreach(row=_value)}) \ No newline at end of file