Merge pull request #29 from kchoudhury-scwx/APICallEvent

API call event
secureworks · Oct 3, 2023 · 4343904 · 4343904
2 parents 7a97147 + 4d57220
commit 4343904
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 0 deletions.
diff --git a/cmd/harness/validate.go b/cmd/harness/validate.go
@@ -385,6 +385,50 @@ func CheckRegEvent(testRun *SingleTestRun, evt *types.SimpleEvent, nativeJsonStr
 
 }
 
+func CheckApiCallEvent(testRun *SingleTestRun, evt *types.SimpleEvent, nativeJsonStr string) bool {
+	retval := false
+
+	for _, exp := range testRun.criteria.ExpectedEvents {
+		if exp.EventType != "API" {
+			continue
+		}
+
+		numMatchingChecks := 0
+		for _, fc := range exp.FieldChecks {
+			isMatch := false
+			switch fc.FieldName {
+			case "function_called":
+				isMatch = CheckMatch(evt.APIFields.FunctionCalled, fc.Op, fc.Value)
+			case "was_operation_successful":
+				isMatch = CheckMatch(BoolAsString(evt.APIFields.WasOperationSuccessful), fc.Op, fc.Value)
+			case "parameter_names":
+				isMatch = CheckMatch(evt.APIFields.ParameterNames, fc.Op, fc.Value)
+			case "parameter_values":
+				isMatch = CheckMatch(evt.APIFields.ParameterValues, fc.Op, fc.Value)
+			default:
+				fmt.Println("ERROR: unknown FieldName", fc)
+			}
+			if isMatch {
+				if gDebug {
+					fmt.Printf("Field Match '%s' '%s'\n", fc.FieldName, fc.Value)
+				}
+				numMatchingChecks += 1
+			}
+		}
+		if numMatchingChecks == len(exp.FieldChecks) {
+			AddMatchingEvent(testRun, exp, evt)
+			retval = true
+		} else if numMatchingChecks > 0 {
+			if gDebug {
+				fmt.Printf("ONLY %d of %d FieldChecks satisfied\n%s\n", numMatchingChecks, len(exp.FieldChecks), nativeJsonStr)
+			}
+		}
+	}
+
+	return retval
+
+}
+
 func ValidateSimpleTelemetry(testRun *SingleTestRun, tool *TelemTool) {
 	gValidateState = ExtractState{}
 	gValidateState.StartTime = uint64(testRun.StartTime)
@@ -448,6 +492,8 @@ func ValidateSimpleTelemetry(testRun *SingleTestRun, tool *TelemTool) {
 			isMatch = CheckAMSIEvent(testRun, evt, rawEventStr)
 		case types.SimpleSchemaReg:
 			isMatch = CheckRegEvent(testRun, evt, rawEventStr)
+		case types.SimpleSchemaAPI:
+			isMatch = CheckApiCallEvent(testRun, evt, rawEventStr)
 		default:
 			fmt.Println("missing handling of type", line)
 		}
@@ -566,6 +612,8 @@ func GetTelemChar(exp *types.ExpectedEvent) string {
 		return "I"
 	case "REG":
 		return "R"
+	case "API":
+		return "H"
 	default:
 		break
 	}

diff --git a/pkg/types/harness_simple_telemetry.go b/pkg/types/harness_simple_telemetry.go
@@ -24,6 +24,7 @@ const (
 	SimpleSchemaETW         SimpleSchemaChar = "E"
 	SimpleSchemaAMSI        SimpleSchemaChar = "I"
 	SimpleSchemaReg         SimpleSchemaChar = "R"
+	SimpleSchemaAPI         SimpleSchemaChar = "H" // H represents Hooks used in API Calls
 )
 
 type SimpleProcessFields struct {
@@ -103,6 +104,15 @@ type SimpleRegFields struct {
 	ValueData string `json:"value_data,omitempty"` // if present, for SETVALUEKEY
 }
 
+type SimpleAPIFields struct {
+	Pid                    int64  `json:"pid,omitempty"`
+	UniquePid              string `json:"unique_pid,omitempty"`
+	FunctionCalled         string `json:"funcion_called,omitempty"`
+	WasOperationSuccessful bool   `json:"was_operation_successful,omitempty"`
+	ParameterNames         string `json:"parameter_names,omitempty"`
+	ParameterValues        string `json:"parameter_values,omitempty"`
+}
+
 type SimpleEvent struct {
 	EventType       SimpleSchemaChar `json:"evt_type"`
 	Timestamp       int64            `json:"ts,omitempty"`
@@ -116,4 +126,5 @@ type SimpleEvent struct {
 	ETWFields         *SimpleETWFields         `json:"evt_etw,omitempty"`
 	AMSIFields        *SimpleAMSIFields        `json:"evt_amsi,omitempty"`
 	RegFields         *SimpleRegFields         `json:"evt_reg,omitempty"`
+	APIFields         *SimpleAPIFields         `json:"evt_api,omitempty"`
 }