feat(filter): Process token filter fields

Introduces the filter fields for the current, child, and
parent process token integrity level, elevation type, and
the elevation indicator (whether the process token was elevated or not).

Author: rabbitstack

pkg/event/param_windows.go

@@ -82,7 +82,7 @@ func (p Param) String() string {
 		if err != nil {
 			return ""
 		}
-		if p.Name == params.ProcessIntegrityLevel {
+		if p.Name == params.ProcessTokenIntegrityLevel {
 			return sys.RidToString(sid)
 		}
 		return sid.String()
@@ -312,7 +312,7 @@ func (e *Event) produceParams(evt *etw.EventRecord) {
 		e.AppendParam(params.ProcessFlags, params.Flags, flags, WithFlags(PsCreationFlags))
 		e.AppendParam(params.ProcessTokenElevationType, params.Enum, tokenElevationType, WithEnum(PsTokenElevationTypes))
 		e.AppendParam(params.ProcessTokenIsElevated, params.Bool, tokenIsElevated > 0)
-		e.AppendParam(params.ProcessIntegrityLevel, params.SID, tokenMandatoryLabel)
+		e.AppendParam(params.ProcessTokenIntegrityLevel, params.SID, tokenMandatoryLabel)
 		e.AppendParam(params.Exe, params.DOSPath, exe)
 	case OpenProcess:
 		processID := evt.ReadUint32(0)

pkg/event/params/params_windows.go

@@ -58,8 +58,8 @@ const (
 	ExitStatus = "exit_status"
 	// StartTime field denotes the process start time.
 	StartTime = "start_time"
-	// ProcessIntegrityLevel field denotes the process integrity level.
-	ProcessIntegrityLevel = "integrity_level"
+	// ProcessTokenIntegrityLevel field denotes the process integrity level.
+	ProcessTokenIntegrityLevel = "token_integrity_level"
 	// ProcessTokenElevationType field designates the process token elevation type.
 	ProcessTokenElevationType = "token_elevation_type"
 	// ProcessTokenIsElevated field designates if the process token is elevated.

pkg/filter/accessor_windows.go

@@ -430,11 +430,64 @@ func (ps *psAccessor) Get(f Field, e *event.Event) (params.Value, error) {
 			return nil, ErrPsNil
 		}
 		return ps.IsProtected, nil
+	case fields.PsChildTokenIntegrityLevel:
+		if e.Category != event.Process {
+			return nil, nil
+		}
+		return e.GetParamAsString(params.ProcessTokenIntegrityLevel), nil
+	case fields.PsChildTokenIsElevated:
+		if e.Category != event.Process {
+			return nil, nil
+		}
+		return e.Params.GetBool(params.ProcessTokenIsElevated)
+	case fields.PsChildTokenElevationType:
+		if e.Category != event.Process {
+			return nil, nil
+		}
+		return e.GetParamAsString(params.ProcessTokenElevationType), nil
+	case fields.PsTokenIntegrityLevel:
+		ps := e.PS
+		if ps == nil {
+			return nil, ErrPsNil
+		}
+		return ps.TokenIntegrityLevel, nil
+	case fields.PsTokenElevationType:
+		ps := e.PS
+		if ps == nil {
+			return nil, ErrPsNil
+		}
+		return ps.TokenElevationType, nil
+	case fields.PsTokenIsElevated:
+		ps := e.PS
+		if ps == nil {
+			return nil, ErrPsNil
+		}
+		return ps.IsTokenElevated, nil
+	case fields.PsParentTokenIntegrityLevel:
+		ps := getParentPs(e)
+		if ps == nil {
+			return nil, ErrPsNil
+		}
+		return ps.TokenIntegrityLevel, nil
+	case fields.PsParentTokenElevationType:
+		ps := getParentPs(e)
+		if ps == nil {
+			return nil, ErrPsNil
+		}
+		return ps.TokenElevationType, nil
+	case fields.PsParentTokenIsElevated:
+		ps := getParentPs(e)
+		if ps == nil {
+			return nil, ErrPsNil
+		}
+		return ps.IsTokenElevated, nil
 	case fields.PsAncestors:
 		if e.PS != nil {
 			ancestors := make([]*pstypes.PS, 0)
 			walk := func(proc *pstypes.PS) {
-				ancestors = append(ancestors, proc)
+				if proc != nil {
+					ancestors = append(ancestors, proc)
+				}
 			}
 			pstypes.Walk(walk, e.PS)
 
@@ -474,7 +527,9 @@ func (ps *psAccessor) Get(f Field, e *event.Event) (params.Value, error) {
 
 			ancestors := make([]string, 0)
 			walk := func(proc *pstypes.PS) {
-				ancestors = append(ancestors, proc.Name)
+				if proc != nil {
+					ancestors = append(ancestors, proc.Name)
+				}
 			}
 			pstypes.Walk(walk, e.PS)
 

pkg/filter/fields/fields_windows.go

@@ -109,21 +109,6 @@ func TestStringFields(t *testing.T) {
 }
 
 func TestProcFilter(t *testing.T) {
-	pars := event.Params{
-		params.Cmdline:         {Name: params.Cmdline, Type: params.UnicodeString, Value: "C:\\Windows\\system32\\svchost-fake.exe -k RPCSS"},
-		params.ProcessName:     {Name: params.ProcessName, Type: params.AnsiString, Value: "svchost-fake.exe"},
-		params.ProcessID:       {Name: params.ProcessID, Type: params.PID, Value: uint32(1234)},
-		params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: uint32(345)},
-		params.UserSID:         {Name: params.UserSID, Type: params.WbemSID, Value: []byte{224, 8, 226, 31, 15, 167, 255, 255, 0, 0, 0, 0, 15, 167, 255, 255, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0}},
-		params.Username:        {Name: params.Username, Type: params.UnicodeString, Value: "loki"},
-		params.Domain:          {Name: params.Domain, Type: params.UnicodeString, Value: "TITAN"},
-		params.ProcessFlags:    {Name: params.ProcessFlags, Type: params.Flags, Value: uint32(0x000000E)},
-	}
-
-	pars1 := event.Params{
-		params.DesiredAccess: {Name: params.DesiredAccess, Type: params.Flags, Value: uint32(0x1400), Flags: event.PsAccessRightFlags},
-	}
-
 	ps1 := &pstypes.PS{
 		Name:     "wininit.exe",
 		Username: "SYSTEM",
@@ -138,17 +123,32 @@ func TestProcFilter(t *testing.T) {
 				Name: "System",
 			},
 		},
-		IsWOW64:     false,
-		IsProtected: true,
-		IsPackaged:  false,
+		IsWOW64:             false,
+		IsProtected:         true,
+		IsPackaged:          false,
+		TokenIntegrityLevel: "SYSTEM",
+		IsTokenElevated:     false,
+		TokenElevationType:  "DEFAULT",
 	}
 
 	evt := &event.Event{
 		Type:     event.CreateProcess,
 		Category: event.Process,
-		Params:   pars,
-		Name:     "CreateProcess",
-		PID:      1023,
+		Params: event.Params{
+			params.Cmdline:                    {Name: params.Cmdline, Type: params.UnicodeString, Value: "C:\\Windows\\system32\\svchost-fake.exe -k RPCSS"},
+			params.ProcessName:                {Name: params.ProcessName, Type: params.AnsiString, Value: "svchost-fake.exe"},
+			params.ProcessID:                  {Name: params.ProcessID, Type: params.PID, Value: uint32(1234)},
+			params.ProcessParentID:            {Name: params.ProcessParentID, Type: params.PID, Value: uint32(345)},
+			params.UserSID:                    {Name: params.UserSID, Type: params.WbemSID, Value: []byte{224, 8, 226, 31, 15, 167, 255, 255, 0, 0, 0, 0, 15, 167, 255, 255, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0}},
+			params.Username:                   {Name: params.Username, Type: params.UnicodeString, Value: "loki"},
+			params.Domain:                     {Name: params.Domain, Type: params.UnicodeString, Value: "TITAN"},
+			params.ProcessFlags:               {Name: params.ProcessFlags, Type: params.Flags, Value: uint32(0x000000E)},
+			params.ProcessTokenIntegrityLevel: {Name: params.ProcessTokenIntegrityLevel, Type: params.AnsiString, Value: "SYSTEM"},
+			params.ProcessTokenIsElevated:     {Name: params.ProcessTokenIsElevated, Type: params.Bool, Value: true},
+			params.ProcessTokenElevationType:  {Name: params.ProcessTokenElevationType, Type: params.AnsiString, Value: "FULL"},
+		},
+		Name: "CreateProcess",
+		PID:  1023,
 		PS: &pstypes.PS{
 			Name:     "svchost.exe",
 			Cmdline:  "C:\\Windows\\System32\\svchost.exe",
@@ -171,19 +171,24 @@ func TestProcFilter(t *testing.T) {
 				{Size: 34545, BaseAddress: va.Address(144229524944769), Protection: 4653056, File: "C:\\Windows\\System32\\ucrtbase.dll", Type: "IMAGE"}, //EXECUTE_READWRITE|READONLY
 				{Size: 4096, BaseAddress: va.Address(145229445447666), Protection: 12845056, Type: "PAGEFILE"},                                           // READWRITE 12845056
 			},
-			IsProtected: false,
-			IsPackaged:  true,
-			IsWOW64:     false,
+			IsProtected:         false,
+			IsPackaged:          true,
+			IsWOW64:             false,
+			TokenIntegrityLevel: "SYSTEM",
+			IsTokenElevated:     false,
+			TokenElevationType:  "DEFAULT",
 		},
 	}
 	evt.Timestamp, _ = time.Parse(time.RFC3339, "2011-05-03T15:04:05.323Z")
 
 	evt1 := &event.Event{
 		Type:     event.OpenProcess,
 		Category: event.Process,
-		Params:   pars1,
-		Name:     "OpenProcess",
-		PID:      1023,
+		Params: event.Params{
+			params.DesiredAccess: {Name: params.DesiredAccess, Type: params.Flags, Value: uint32(0x1400), Flags: event.PsAccessRightFlags},
+		},
+		Name: "OpenProcess",
+		PID:  1023,
 		PS: &pstypes.PS{
 			Name:   "svchost.exe",
 			Parent: ps1,
@@ -240,6 +245,16 @@ func TestProcFilter(t *testing.T) {
 		{`ps.parent.is_wow64`, false},
 		{`ps.parent.is_packaged`, false},
 		{`ps.parent.is_protected`, true},
+		{`ps.token.integrity_level = 'SYSTEM'`, true},
+		{`ps.token.is_elevated = false`, true},
+		{`ps.token.elevation_type = 'DEFAULT'`, true},
+		{`ps.child.token.integrity_level = 'SYSTEM'`, true},
+		{`ps.child.token.is_elevated = true`, true},
+		{`ps.child.token.elevation_type = 'FULL'`, true},
+		{`ps.parent.token.integrity_level = 'SYSTEM'`, true},
+		{`ps.parent.token.is_elevated = false`, true},
+		{`ps.parent.token.elevation_type = 'DEFAULT'`, true},
+
 		{`evt.name = 'CreateProcess' and ps.name contains 'svchost'`, true},
 
 		{`ps.modules IN ('kernel32.dll')`, true},
@@ -262,6 +277,7 @@ func TestProcFilter(t *testing.T) {
 		{`foreach(ps._ancestors, $proc, $proc.username = 'SYSTEM')`, true},
 		{`foreach(ps._ancestors, $proc, $proc.domain = 'NT AUTHORITY')`, true},
 		{`foreach(ps._ancestors, $proc, $proc.username = upper('system'))`, true},
+		{`foreach(ps._ancestors, $proc, $proc.token.integrity_level = 'SYSTEM' and $proc.token.is_elevated = false and $proc.token.elevation_type = 'DEFAULT')`, true},
 
 		{`ps.args intersects ('-k', 'DcomLaunch')`, true},
 		{`ps.args intersects ('-w', 'DcomLaunch')`, false},

pkg/filter/filter_test.go

@@ -487,6 +487,12 @@ func (f *Foreach) procMapValuer(segments []*BoundSegmentLiteral, proc *pstypes.P
 			valuer[key] = proc.Username
 		case fields.DomainSegment:
 			valuer[key] = proc.Domain
+		case fields.TokenIntegrityLevelSegment:
+			valuer[key] = proc.TokenIntegrityLevel
+		case fields.TokenIsElevatedSegment:
+			valuer[key] = proc.IsTokenElevated
+		case fields.TokenElevationTypeSegment:
+			valuer[key] = proc.TokenElevationType
 		}
 	}
 	return valuer

pkg/filter/ql/function.go

@@ -185,7 +185,7 @@ func (s *snapshotter) Write(e *event.Event) error {
 			e.AppendParam(params.Exe, params.Path, ps.Exe)
 		}
 
-		e.AppendParam(params.ProcessIntegrityLevel, params.AnsiString, ps.TokenIntegrityLevel)
+		e.AppendParam(params.ProcessTokenIntegrityLevel, params.AnsiString, ps.TokenIntegrityLevel)
 		e.AppendParam(params.ProcessTokenElevationType, params.AnsiString, ps.TokenElevationType)
 		e.AppendParam(params.ProcessTokenIsElevated, params.Bool, ps.IsTokenElevated)
 
@@ -370,7 +370,7 @@ func (s *snapshotter) newProcState(pid, ppid uint32, e *event.Event) (*pstypes.P
 			Ppid:                ppid,
 			Exe:                 e.GetParamAsString(params.Exe),
 			Name:                filepath.Base(e.GetParamAsString(params.Exe)),
-			TokenIntegrityLevel: e.GetParamAsString(params.ProcessIntegrityLevel),
+			TokenIntegrityLevel: e.GetParamAsString(params.ProcessTokenIntegrityLevel),
 			TokenElevationType:  e.GetParamAsString(params.ProcessTokenElevationType),
 			IsTokenElevated:     e.Params.TryGetBool(params.ProcessTokenIsElevated),
 			Threads:             make(map[uint32]pstypes.Thread),
@@ -460,7 +460,7 @@ func (s *snapshotter) newProcState(pid, ppid uint32, e *event.Event) (*pstypes.P
 		proc.TokenIntegrityLevel = sys.RidToString(tokenMandatoryLabel.Label.Sid)
 		proc.IsTokenElevated = token.IsElevated()
 
-		e.AppendParam(params.ProcessIntegrityLevel, params.AnsiString, proc.TokenIntegrityLevel)
+		e.AppendParam(params.ProcessTokenIntegrityLevel, params.AnsiString, proc.TokenIntegrityLevel)
 		e.AppendParam(params.ProcessTokenIsElevated, params.Bool, proc.IsTokenElevated)
 	}
 

pkg/ps/snapshotter_windows.go

@@ -200,12 +200,12 @@ func TestWriteInternalEventsEnrichment(t *testing.T) {
 				{
 					Type: event.CreateProcessInternal,
 					Params: event.Params{
-						params.ProcessID:                 {Name: params.ProcessID, Type: params.PID, Value: uint32(1024)},
-						params.ProcessParentID:           {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
-						params.Exe:                       {Name: params.Exe, Type: params.UnicodeString, Value: `C:\Windows\System32\svchost.exe`},
-						params.ProcessIntegrityLevel:     {Name: params.ProcessIntegrityLevel, Type: params.AnsiString, Value: "HIGH"},
-						params.ProcessTokenIsElevated:    {Name: params.ProcessTokenIsElevated, Type: params.Bool, Value: true},
-						params.ProcessTokenElevationType: {Name: params.ProcessTokenElevationType, Type: params.AnsiString, Value: "FULL"},
+						params.ProcessID:                  {Name: params.ProcessID, Type: params.PID, Value: uint32(1024)},
+						params.ProcessParentID:            {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
+						params.Exe:                        {Name: params.Exe, Type: params.UnicodeString, Value: `C:\Windows\System32\svchost.exe`},
+						params.ProcessTokenIntegrityLevel: {Name: params.ProcessTokenIntegrityLevel, Type: params.AnsiString, Value: "HIGH"},
+						params.ProcessTokenIsElevated:     {Name: params.ProcessTokenIsElevated, Type: params.Bool, Value: true},
+						params.ProcessTokenElevationType:  {Name: params.ProcessTokenElevationType, Type: params.AnsiString, Value: "FULL"},
 					},
 				},
 			},
@@ -236,12 +236,12 @@ func TestWriteInternalEventsEnrichment(t *testing.T) {
 				{
 					Type: event.CreateProcessInternal,
 					Params: event.Params{
-						params.ProcessID:                 {Name: params.ProcessID, Type: params.PID, Value: uint32(1024)},
-						params.ProcessParentID:           {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
-						params.Exe:                       {Name: params.Exe, Type: params.UnicodeString, Value: `C:\Windows\System32\svchost.exe`},
-						params.ProcessIntegrityLevel:     {Name: params.ProcessIntegrityLevel, Type: params.AnsiString, Value: "HIGH"},
-						params.ProcessTokenIsElevated:    {Name: params.ProcessTokenIsElevated, Type: params.Bool, Value: true},
-						params.ProcessTokenElevationType: {Name: params.ProcessTokenElevationType, Type: params.AnsiString, Value: "FULL"},
+						params.ProcessID:                  {Name: params.ProcessID, Type: params.PID, Value: uint32(1024)},
+						params.ProcessParentID:            {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
+						params.Exe:                        {Name: params.Exe, Type: params.UnicodeString, Value: `C:\Windows\System32\svchost.exe`},
+						params.ProcessTokenIntegrityLevel: {Name: params.ProcessTokenIntegrityLevel, Type: params.AnsiString, Value: "HIGH"},
+						params.ProcessTokenIsElevated:     {Name: params.ProcessTokenIsElevated, Type: params.Bool, Value: true},
+						params.ProcessTokenElevationType:  {Name: params.ProcessTokenElevationType, Type: params.AnsiString, Value: "FULL"},
 					},
 				},
 			},
@@ -262,12 +262,12 @@ func TestWriteInternalEventsEnrichment(t *testing.T) {
 				{
 					Type: event.CreateProcessInternal,
 					Params: event.Params{
-						params.ProcessID:                 {Name: params.ProcessID, Type: params.PID, Value: uint32(1024)},
-						params.ProcessParentID:           {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
-						params.Exe:                       {Name: params.Exe, Type: params.UnicodeString, Value: `C:\Windows\System32\svchost.exe`},
-						params.ProcessIntegrityLevel:     {Name: params.ProcessIntegrityLevel, Type: params.AnsiString, Value: "HIGH"},
-						params.ProcessTokenIsElevated:    {Name: params.ProcessTokenIsElevated, Type: params.Bool, Value: true},
-						params.ProcessTokenElevationType: {Name: params.ProcessTokenElevationType, Type: params.AnsiString, Value: "FULL"},
+						params.ProcessID:                  {Name: params.ProcessID, Type: params.PID, Value: uint32(1024)},
+						params.ProcessParentID:            {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
+						params.Exe:                        {Name: params.Exe, Type: params.UnicodeString, Value: `C:\Windows\System32\svchost.exe`},
+						params.ProcessTokenIntegrityLevel: {Name: params.ProcessTokenIntegrityLevel, Type: params.AnsiString, Value: "HIGH"},
+						params.ProcessTokenIsElevated:     {Name: params.ProcessTokenIsElevated, Type: params.Bool, Value: true},
+						params.ProcessTokenElevationType:  {Name: params.ProcessTokenElevationType, Type: params.AnsiString, Value: "FULL"},
 					},
 				},
 				{