Add new rules in tag_windows.txt to application_execution tag

[lprat]

One line description of pull request

Add new tag in data/tag_windows.txt to "application_execution".

Description:

Add new tag in data/tag_windows.txt to "application_execution":

• Event "Microsoft-Windows-Program-Compatibility-Assistant" id 17 :

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Program-Compatibility-Assistant" Guid="{}"/>
    <EventID>17</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2020-07-03T09:12:24.307780200Z"/>
    <EventRecordID>2</EventRecordID>
    <Correlation/>
    <Execution ProcessID="992" ThreadID="3588"/>
    <Channel>Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant</Channel>
    <Computer>...</Computer>
    <Security UserID="S-1-5-18"/>
  </System>
  <UserData>
    <ResolverFiredEvent xmlns="http://www.microsoft.com/Windows/Diagnosis/PCA/events">
      <ExePath>C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</ExePath>
      <ResolverName>WrpMitigation</ResolverName>
    </ResolverFiredEvent>
  </UserData>
</Event>

• Event "Microsoft-Windows-Security-Auditing" id 4673:

  • https://learn.microsoft.com/fr-fr/windows/security/threat-protection/auditing/event-4673

• Event "Microsoft-Windows-Security-Auditing" id 4798 & 4799:

  • https://learn.microsoft.com/fr-fr/windows/security/threat-protection/auditing/event-4798
  • https://learn.microsoft.com/fr-fr/windows/security/threat-protection/auditing/event-4799
  • https://resources.infosecinstitute.com/topic/advance-persistent-threat-lateral-movement-detection-windows-infrastructure-part/#:~:text=Event%20ID%20%E2%80%93%204799%3A%20Local%20group,is%20generated%20for%20the%20same.

• Event sysmon id 1 :

  • https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-1-process-creation

• Event "Microsoft-Windows-Application-Experience" ID 500 & 505:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Application-Experience" Guid="{}"/>
    <EventID>500</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x0800000000000000</Keywords>
    <TimeCreated SystemTime="2018-02-15T12:09:42.471850900Z"/>
    <EventRecordID>55</EventRecordID>
    <Correlation/>
    <Execution ProcessID="10352" ThreadID="9632"/>
    <Channel>Microsoft-Windows-Application-Experience/Program-Telemetry</Channel>
    <Computer>example</Computer>
    <Security UserID="S-1-5-20"/>
  </System>
  <UserData>
    <CompatibilityFixEvent xmlns="http://www.microsoft.com/Windows/Diagnosis/PCA/events">
      <ProcessId>10352</ProcessId>
      <StartTime>2018-02-15T12:09:42.466668000Z</StartTime>
      <FixID>{}</FixID>
      <Flags>0x00040102</Flags>
      <ExePath>C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\{}\MPSigStub.exe</ExePath>
      <FixName>RunAsInvoker</FixName>
    </CompatibilityFixEvent>
  </UserData>
</Event>

{"Event":{"System":{"Channel":"Microsoft-Windows-Application-Experience/Program-Telemetry","Computer":"example","Correlation":{},"EventID":"505","EventRecordID":"51","Execution":{"ProcessID":"4596","ThreadID":"5488"},"Keywords":"0x800000000000000","Level":"4","Opcode":"0","Provider":{"Guid":"","Name":"Microsoft-Windows-Application-Experience"},"Security":{"UserID":"S-1-5-18"},"Task":"0","TimeCreated":{"SystemTime":"2020-01-13T14:59:48.5438676Z"},"Version":"0"},"UserData":{"CompatibilityFixEvent":{"ExePath":"E:\\jdk1.6.0_18\\bin\\java.exe","FixID":","FixName":"010 Legacy Registry Entries (User Compat Flags)","Flags":"0x80010101","ProcessId":"4596","StartTime":"2020-01-13T14:59:48.4979961Z","xmlns":"http://www.microsoft.com/Windows/Diagnosis/PCA/events"}}}}

• Extracted by plaso parser in data_type: 'windows:srum:application_usage'

• Extracted by plaso parser in data_type: 'windows:registry:amcache'

• Extracted by plaso parser in data_type: 'windows:timeline:user_engaged'

• Registries path key:

  • '\Compatibility Assistant\Store' : https://techcommunity.microsoft.com/t5/ask-the-performance-team/the-program-compatibility-assistant-part-two/ba-p/372543
  • '\Explorer\FeatureUsage\AppSwitched' : https://www.crowdstrike.com/blog/how-to-employ-featureusage-for-windows-10-taskbar-forensics/
  • '\Explorer\FeatureUsage\AppLauch' : https://www.crowdstrike.com/blog/how-to-employ-featureusage-for-windows-10-taskbar-forensics/
  • '\Explorer\FeatureUsage\AppBadgeUpdated' : https://www.crowdstrike.com/blog/how-to-employ-featureusage-for-windows-10-taskbar-forensics/
  • '\Explorer\FeatureUsage\ShowJumpView' : https://www.crowdstrike.com/blog/how-to-employ-featureusage-for-windows-10-taskbar-forensics/
  • '\Search\RecentApps\': https://andreafortuna.org/2018/05/23/forensic-artifacts-evidences-of-program-execution-on-windows-systems/
  • '\Services\bam\UserSettings\' : https://andreafortuna.org/2018/05/23/forensic-artifacts-evidences-of-program-execution-on-windows-systems/
  • 'WinClient\SoftwareMonitoring\MonitorLog\': ivanti "Softmon.exe" is responsible for monitoring every executable that is launched and logs in the registry
  • 'Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\': http://windowsir.blogspot.com/2011/09/registry-stuff.html

Notes:

All contributions to Plaso undergo code
review. This makes sure
that the code has appropriate test coverage and conforms to the Plaso style
guide.

One of the maintainers will examine your code, and may request changes. Check off the items below in
order, and then a maintainer will review your code.

Checklist:

• Automated checks (Travis, Codecov, Codefactor )pass
• No new new dependencies are required or l2tdevtools has been updated
• Reviewer assigned

[joachimmetz]

@lprat FYI tests are failing due to an issue flagged by the linter

tests/data/tag_windows.py:275:171: E0001: (unicode error) 'unicodeescape' codec can't decode bytes in position 113-114: truncated \xXX escape (<unknown>, line 275) (syntax-error)

[joachimmetz]

Don't do it like this. Use the corresponding event data object instead.

The intent of these test are to catch issues when the event data objects change.

[codecov]

Codecov Report

Base: 85.77% // Head: 85.71% // Decreases project coverage by -0.05% ⚠️

Coverage data is based on head (737a960) compared to base (aa36de5).
Patch has no changes to coverable lines.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4376      +/-   ##
==========================================
- Coverage   85.77%   85.71%   -0.06%     
==========================================
  Files         413      413              
  Lines       35449    35430      -19     
==========================================
- Hits        30407    30370      -37     
- Misses       5042     5060      +18     

Impacted Files	Coverage Δ
plaso/parsers/text_plugins/ios_logd.py	88.33% <0.00%> (-3.34%)	⬇️
plaso/parsers/text_plugins/sophos_av.py	83.60% <0.00%> (-3.28%)	⬇️
plaso/parsers/text_plugins/selinux.py	89.06% <0.00%> (-3.13%)	⬇️
plaso/parsers/text_plugins/xchatscrollback.py	89.06% <0.00%> (-3.13%)	⬇️
plaso/parsers/text_plugins/dpkg.py	87.69% <0.00%> (-3.08%)	⬇️
plaso/single_process/extraction_engine.py	76.25% <0.00%> (-2.92%)	⬇️
plaso/parsers/text_plugins/aws_elb_access.py	95.26% <0.00%> (-2.70%)	⬇️
plaso/parsers/text_plugins/setupapi.py	93.50% <0.00%> (-2.60%)	⬇️
plaso/parsers/text_plugins/interface.py	85.71% <0.00%> (-2.53%)	⬇️
plaso/parsers/text_plugins/snort_fastlog.py	93.97% <0.00%> (-2.41%)	⬇️
... and 56 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[lprat]

Sorry for all the corrections! I hope it's good for you?

[joachimmetz]

@lprat no worries, take your time. I'll try to have a look tomorrow, when time permits.