Hello,
I have noticed a change in the behavior of the `hash.imphash` field between Winlogbeat versions 7.7.1 and 7.8.0. In 7.7.1, when the event log contains `IMPHASH=00000000000000000000000000000000`, that value is used as the field value, e.g. for a Sysmon `event.code: 15` (FileCreateStreamHash) event. I read the all-zero value as Sysmon's placeholder for a file that has no import table, i.e. is not a PE executable (the example below is a `.jpg`), so the value itself carries meaning even though it is not a real hash.
In 7.8.0 the field is missing instead. I could probably use the absence of the field in the same way, but I'm not sure whether this is a bug or an intended change, since I couldn't find any relevant issue or pull request on GitHub. Note that in 7.8.0 the other hashes are also copied to `file.hash.*` and `related.hash`, and the imphash is absent from those as well.
To be honest, I'm not sure what the correct representation is; I only know that it is a change in behavior that can silently break a SIEM detection rule such as:
event.code: 15 and not hash.imphash: "00000000000000000000000000000000"
With 7.7.1 data the `not hash.imphash: "0000…"` clause excludes non-PE files; with 7.8.0 data the field is simply absent on those documents, so the negated match evaluates to true for them and the exclusion no longer has any effect — the rule starts firing on every event 15 instead of only on PE files, without any error to indicate the rule has degraded. A rule that tests for field existence (`hash.imphash: *`) works with the 7.8.0 behavior but would also match the zero-sentinel documents produced by 7.7.1, so the two behaviors cannot be covered by one simple clause; the sentinel should either be kept consistently or dropped consistently, and the change documented so detection rules can be adjusted.
Example document 7.7.1:
{
"_index": "winlogbeat-7.7.1-2020.07.13-000001",
"_type": "_doc",
"_id": "hXGfSXMB34bQp6WAOuUX",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-07-13T19:20:36.803Z",
"agent": {
"ephemeral_id": "5d4b5a37-e202-41f7-84dc-85169f684dae",
"hostname": "MSEDGEWIN10",
"id": "507a63dc-6e48-4fb3-9820-f40c457d9656",
"version": "7.7.1",
"type": "winlogbeat"
},
"event": {
"module": "sysmon",
"kind": "event",
"code": 15,
"provider": "Microsoft-Windows-Sysmon",
"action": "File stream created (rule: FileCreateStreamHash)",
"created": "2020-07-13T19:20:37.675Z"
},
"process": {
"entity_id": "{fa9600f9-af70-5f0c-f600-000000000e00}",
"pid": 1796,
"executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
"name": "chrome.exe"
},
"file": {
"path": "C:\\Users\\IEUser\\Downloads\\paul-carroll-Y-nyDv3TWm0-unsplash.jpg"
},
"log": {
"level": "information"
},
"hash": {
"sha1": "7bda7bec79ae559f05b247c68cd9065233970ad2",
"md5": "434fc93939abdef7d64274a411ad2994",
"sha256": "db94de97b4d3463ab2dd88ef5aba642cecd75eb1cc0e1c16badbfc2a840caca6",
"imphash": "00000000000000000000000000000000"
},
"ecs": {
"version": "1.5.0"
},
"message": "File stream created:\nRuleName: -\nUtcTime: 2020-07-13 19:20:36.803\nProcessGuid: {fa9600f9-af70-5f0c-f600-000000000e00}\nProcessId: 1796\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nTargetFilename: C:\\Users\\IEUser\\Downloads\\paul-carroll-Y-nyDv3TWm0-unsplash.jpg\nCreationUtcTime: 2020-07-13 19:20:36.379\nHash: SHA1=7BDA7BEC79AE559F05B247C68CD9065233970AD2,MD5=434FC93939ABDEF7D64274A411AD2994,SHA256=DB94DE97B4D3463AB2DD88EF5ABA642CECD75EB1CC0E1C16BADBFC2A840CACA6,IMPHASH=00000000000000000000000000000000\nContents: -",
"winlog": {
"channel": "Microsoft-Windows-Sysmon/Operational",
"task": "File stream created (rule: FileCreateStreamHash)",
"api": "wineventlog",
"opcode": "Info",
"process": {
"pid": 880,
"thread": {
"id": 8884
}
},
"version": 2,
"user": {
"identifier": "S-1-5-18",
"name": "SYSTEM",
"domain": "NT AUTHORITY",
"type": "User"
},
"event_data": {
"RuleName": "-",
"Contents": "-",
"CreationUtcTime": "2020-07-13 19:20:36.379"
},
"record_id": 642,
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"event_id": 15,
"provider_name": "Microsoft-Windows-Sysmon",
"computer_name": "MSEDGEWIN10"
},
"host": {
"name": "MSEDGEWIN10",
"ip": [
"fe80::4178:d3d8:ef08:1e50",
"172.17.86.4"
],
"mac": [
"00:15:5d:be:31:03"
],
"hostname": "MSEDGEWIN10",
"architecture": "x86_64",
"os": {
"platform": "windows",
"version": "10.0",
"family": "windows",
"name": "Windows 10 Enterprise Evaluation",
"kernel": "10.0.17763.379 (WinBuild.160101.0800)",
"build": "17763.379"
},
"id": "fa9600f9-9960-4521-9883-cd17b2fe51db"
}
},
"fields": {
"file.created": [],
"process.parent.start": [],
"event.end": [],
"file.ctime": [],
"tls.client.not_after": [],
"event.ingested": [],
"@timestamp": [
"2020-07-13T19:20:36.803Z"
],
"file.mtime": [],
"event.created": [
"2020-07-13T19:20:37.675Z"
],
"file.accessed": [],
"tls.server.not_before": [],
"package.installed": [],
"tls.client.not_before": [],
"event.start": [],
"tls.server.not_after": [],
"process.start": []
},
"highlight": {
"event.code": [
"@kibana-highlighted-field@15@/kibana-highlighted-field@"
],
"winlog.channel": [
"@kibana-highlighted-field@Microsoft-Windows-Sysmon/Operational@/kibana-highlighted-field@"
]
},
"sort": [
1594668036803
]
}
Example document 7.8.0:
{
"_index": "winlogbeat-7.8.0-2020.07.13-000001",
"_type": "_doc",
"_id": "b3GkSXMB34bQp6WAJug6",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-07-13T19:25:59.257Z",
"message": "File stream created:\nRuleName: -\nUtcTime: 2020-07-13 19:25:59.257\nProcessGuid: {fa9600f9-af70-5f0c-f600-000000000e00}\nProcessId: 1796\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nTargetFilename: C:\\Users\\IEUser\\Downloads\\paul-carroll-Y-nyDv3TWm0-unsplash.jpg\nCreationUtcTime: 2020-07-13 19:25:58.926\nHash: SHA1=7BDA7BEC79AE559F05B247C68CD9065233970AD2,MD5=434FC93939ABDEF7D64274A411AD2994,SHA256=DB94DE97B4D3463AB2DD88EF5ABA642CECD75EB1CC0E1C16BADBFC2A840CACA6,IMPHASH=00000000000000000000000000000000\nContents: -",
"process": {
"entity_id": "{fa9600f9-af70-5f0c-f600-000000000e00}",
"pid": 1796,
"executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
"name": "chrome.exe"
},
"hash": {
"sha256": "db94de97b4d3463ab2dd88ef5aba642cecd75eb1cc0e1c16badbfc2a840caca6",
"sha1": "7bda7bec79ae559f05b247c68cd9065233970ad2",
"md5": "434fc93939abdef7d64274a411ad2994"
},
"ecs": {
"version": "1.5.0"
},
"agent": {
"ephemeral_id": "c9046ddf-896a-432f-9b78-cd28db49c38d",
"id": "507a63dc-6e48-4fb3-9820-f40c457d9656",
"name": "MSEDGEWIN10",
"type": "winlogbeat",
"version": "7.8.0",
"hostname": "MSEDGEWIN10"
},
"winlog": {
"event_data": {
"RuleName": "-",
"CreationUtcTime": "2020-07-13 19:25:58.926",
"Contents": "-"
},
"provider_name": "Microsoft-Windows-Sysmon",
"record_id": 1188,
"task": "File stream created (rule: FileCreateStreamHash)",
"opcode": "Info",
"event_id": 15,
"computer_name": "MSEDGEWIN10",
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"version": 2,
"process": {
"pid": 880,
"thread": {
"id": 8884
}
},
"user": {
"identifier": "S-1-5-18",
"name": "SYSTEM",
"domain": "NT AUTHORITY",
"type": "User"
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"api": "wineventlog"
},
"event": {
"action": "File stream created (rule: FileCreateStreamHash)",
"module": "sysmon",
"category": [
"file"
],
"type": [
"access"
],
"created": "2020-07-13T19:26:00.260Z",
"kind": "event",
"code": 15,
"provider": "Microsoft-Windows-Sysmon"
},
"log": {
"level": "information"
},
"host": {
"ip": [
"fe80::4178:d3d8:ef08:1e50",
"172.17.86.4"
],
"mac": [
"00:15:5d:be:31:03"
],
"name": "MSEDGEWIN10",
"hostname": "MSEDGEWIN10",
"architecture": "x86_64",
"os": {
"version": "10.0",
"family": "windows",
"name": "Windows 10 Enterprise Evaluation",
"kernel": "10.0.17763.379 (WinBuild.160101.0800)",
"build": "17763.379",
"platform": "windows"
},
"id": "fa9600f9-9960-4521-9883-cd17b2fe51db"
},
"file": {
"path": "C:\\Users\\IEUser\\Downloads\\paul-carroll-Y-nyDv3TWm0-unsplash.jpg",
"name": "paul-carroll-Y-nyDv3TWm0-unsplash.jpg",
"directory": "C:\\Users\\IEUser\\Downloads",
"extension": "jpg",
"hash": {
"sha1": "7bda7bec79ae559f05b247c68cd9065233970ad2",
"md5": "434fc93939abdef7d64274a411ad2994",
"sha256": "db94de97b4d3463ab2dd88ef5aba642cecd75eb1cc0e1c16badbfc2a840caca6"
}
},
"related": {
"hash": [
"7bda7bec79ae559f05b247c68cd9065233970ad2",
"434fc93939abdef7d64274a411ad2994",
"db94de97b4d3463ab2dd88ef5aba642cecd75eb1cc0e1c16badbfc2a840caca6"
]
}
},
"fields": {
"file.created": [],
"process.parent.start": [],
"event.end": [],
"file.ctime": [],
"tls.client.not_after": [],
"event.ingested": [],
"@timestamp": [
"2020-07-13T19:25:59.257Z"
],
"file.mtime": [],
"event.created": [
"2020-07-13T19:26:00.260Z"
],
"file.accessed": [],
"tls.server.not_before": [],
"package.installed": [],
"tls.client.not_before": [],
"event.start": [],
"tls.server.not_after": [],
"process.start": []
},
"highlight": {
"event.code": [
"@kibana-highlighted-field@15@/kibana-highlighted-field@"
],
"winlog.channel": [
"@kibana-highlighted-field@Microsoft-Windows-Sysmon/Operational@/kibana-highlighted-field@"
]
},
"sort": [
1594668359257
]
}