Merge pull request #13 from google/add-new-items

Add new DFIQ YAML files and update copyright header in existing ones.

data/approaches/Q1001.10.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -38,7 +38,7 @@ description:
     - "[Web Browsers on ForensicArtifacts](https://github.com/ForensicArtifacts/artifacts/blob/main/data/webbrowser.yaml)"
 view:
   data:
-    - type: artifact
+    - type: ForensicArtifact
       value: BrowserHistory
     - type: description
       value: Collect local browser history artifacts. These are often in the
@@ -56,7 +56,7 @@ view:
       - Browsers installed in non-standard paths
       - Downloads made during Incognito sessions
   processors:
-    - name: plaso
+    - name: Plaso
       options:
         - type: parsers
           value: webhist
@@ -71,7 +71,7 @@ view:
             - description: *filter-desc
               type: pandas
               value: query('data_type in ("chrome:history:file_downloaded", "safari:downloads:entry")')
-    - name: hindsight
+    - name: Hindsight
       options:
         - type: format
           value: jsonl

data/approaches/Q1001.11.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -43,7 +43,7 @@ description:
 
 view:
   data:
-    - type: artifact
+    - type: ForensicArtifact
       value: SantaLogs
     - type: description
       value: Santa logs stored on the local disk; they may also be centralized off-system,
@@ -58,7 +58,7 @@ view:
       - Downloads that occurred on macOS with Santa, but during a time period for which 
         there are no Santa logs (out of retention or Santa was disabled).
   processors:
-    - name: plaso
+    - name: Plaso
       options:
         - type: parsers
           value: santa

data/approaches/Q1001.12.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -47,7 +47,7 @@ description:
     - "[Change Journals](https://learn.microsoft.com/en-gb/windows/win32/fileio/change-journals)"
 view:
   data:
-    - type: artifact
+    - type: ForensicArtifact
       value: NTFSUSNJournal
     - type: description
       value: The NTFS $UsnJnrl file system metadata file. This ForensicArtifact definition
@@ -63,7 +63,7 @@ view:
       - Downloads that would be covered, but happened long enough ago that the USN Journal
         records that would show it have been deleted.
   processors:
-    - name: plaso
+    - name: Plaso
       options:
         - type: parsers
           value: usnjrnl
@@ -77,5 +77,5 @@ view:
             - description: Select and search for the `file_reference` value for an event of interest
                 from the previous query. There should be one with the same timestamp as your
                 previous event and its `filename` value is the download's final name.
-              type: opensearch-query-variable
+              type: opensearch-query
               value: data_type:"fs:ntfs:usn_change" {file_reference value} "USN_REASON_RENAME_NEW_NAME"

data/approaches/Q1018.10.yaml

@@ -0,0 +1,49 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+display_name: Use Crowdstrike "Bulk Domains" to link source processes to DNS queries
+type: approach
+id: Q1018.10
+dfiq_version: 1.0.0
+tags:
+  - CrowdStrike
+  - DNS
+description:
+  summary: CrowdStrike records the source process ID (ContextProcessId) for DNSRequest event.
+  details: >
+    Crowdstrike is a detection platform, not a logging platform, so not all DNS requests are logged.
+    Content Filter needs to be enabled to capture DNS request queries.
+  references:
+    - https://www.crowdstrike.com/blog/hunt-threat-activity-falcon-host-endpoint-protection/bulk-domain-search-results/
+view:
+  data:
+    - type: CrowdStrike
+      value: DnsRequest
+  notes:
+    covered:
+      - Mac, Linux, and Windows hosts with a CrowdStrike Falcon agent
+    not_covered:
+      - Hosts with the Falcon agent, but where the Content Filter is not enabled
+  processors:
+    - name: Crowdstrike Investigate (UI)
+      analysis:
+        - name: Manual
+          steps:
+            - description: UI steps in Investigate Bulk domains
+              type: GUI
+              value: >
+                In the second table, `Process that looked up specified Domain(s)` the columns 
+                `PID`, `Process ID`, and `File Name` give the source process information for the 
+                DNS query.

data/approaches/Q1018.11.yaml

@@ -0,0 +1,46 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+display_name: Use Crowdstrike event search to link source processes to DNS queries
+type: approach
+id: Q1018.11
+dfiq_version: 1.0.0
+tags:
+  - CrowdStrike
+  - DNS
+description:
+  summary: CrowdStrike records the source process ID (ContextProcessId) for DNSRequest event.
+  details: >
+    Crowdstrike is a detection platform, not a logging platform, so not all DNS requests are logged.
+    Content Filter needs to be enabled to capture DNS request queries.
+  references:
+    - https://www.crowdstrike.com/blog/hunt-threat-activity-falcon-host-endpoint-protection/bulk-domain-search-results/
+view:
+  data:
+    - type: CrowdStrike
+      value: DnsRequest
+  notes:
+    covered:
+      - Mac, Linux, and Windows hosts with a CrowdStrike Falcon agent
+    not_covered:
+      - Hosts with the Falcon agent, but where the Content Filter is not enabled
+  processors:
+    - name: Splunk
+      analysis:
+        - name: Splunk-Query
+          steps:
+            - description: Query joining DNS Request events and executions gives the source for each DNS query
+              type: splunk-query
+              value: ComputerName="{hostname}" event_simpleName=ProcessRollup* | rename TargetProcessId_decimal as ContextProcessId_decimal | join ContextProcessId_decimal [search ComputerName="{hostname}" event_simpleName=DnsRequest | fields ContextProcessId_decimal, DomainName] | table _time, DomainName, ImageFileName

data/approaches/Q1018.12.yaml

@@ -0,0 +1,73 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+display_name: Use Sysmon (Event ID 22) to link source processes to DNS queries 
+type: approach
+id: Q1018.12
+dfiq_version: 1.0.0
+tags:
+  - Sysmon
+  - DNS
+  - Windows
+description:
+  summary: Sysmon Event ID 22 DnsQuery stores source process ID
+  details: >
+    DNS Query, event ID 22, records a DNS query being issued by a specific host and the originating process.
+  references:
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90022
+view:
+  data:
+    - type: ForensicArtifact
+      value: WindowsXMLEventLogSysmon
+  notes:
+    covered:
+      - Windows
+    not_covered:
+      - Windows hosts without Sysmon installed
+  processors:
+    - name: Splunk
+      analysis:
+        - name: Splunk-Query
+          steps:
+            - description: Query for Sysmon Event ID 22 and extracting the parent process ID and path.
+              type: splunk-query
+              value: source="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=22 | table _time, host, process_id, process_path
+    - name: Plaso
+      analysis:
+        - name: OpenSearch
+          steps:
+            - description: Query for Sysmon Event ID 22 events
+              type: opensearch-query
+              value: data_type:"windows:evtx:record" source_name:"Microsoft-Windows-Sysmon" event_identifier:22
+            - description: Determine the source process in relevant event(s)
+              type: manual
+              value: >
+                Plaso (as of v20230717) doesn't parse the `xml_string` into attributes. Examine the
+                `xml_string`; the value after `<Data Name="Image">` is the process that made the
+                DNS query.
+        - name: Python Notebook
+          steps:
+            - description: Query for Sysmon Event ID 22 events
+              type: pandas
+              value: df.query('data_type == "windows:evtx:record" and source_name == "Microsoft-Windows-Sysmon" and event_identifier == 22')
+            - description: Extract `Image` attribute
+              type: pandas
+              value: df['process'] = df['xml_string'].str.extract(r'<Data Name="Image">(.*?)</Data>')
+            - description: Extract `QueryName` attribute
+              type: pandas
+              value: df['query'] = df['xml_string'].str.extract(r'<Data Name="QueryName">(.*?)</Data>')
+            - description: Filter down to DNS query of interest
+              type: pandas
+              value: df[df.query.str.contains('<domain>')]

data/approaches/Q1019.10.yaml

@@ -0,0 +1,47 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+display_name: Collect process executions in Crowdstrike event search
+type: approach
+id: Q1019.10
+dfiq_version: 1.0.0
+tags:
+  - CrowdStrike
+  - Process Execution
+description:
+  summary: CrowdStrike records process executions in ProcessRollup event.
+  details: >
+    CrowdStrike is a detection platform, not a logging platform, so not all ProcessRollup events might be logged.
+  references:
+    - https://www.crowdstrike.com/blog/understanding-indicators-attack-ioas-power-event-stream-processing-crowdstrike-falcon/
+view:
+  data:
+    - type: CrowdStrike
+      value: ProcessRollup
+  notes:
+    covered:
+      - Mac, Linux and Windows systems with the Falcon Agent
+      - Chrome, Firefox, Safari, and Edge web browsers
+    not_covered:
+      - Other browsers (including Chromium)
+      - One of those four browsers, but have had their process name changed
+  processors:
+    - name: Splunk
+      analysis:
+        - name: Splunk-Query
+          steps:
+            - description: Query filtering the known browsers in execution event logs.
+              type: splunk-query
+              value: ComputerName="{hostname}" event_simpleName=ProcessRollup* ImageFileName IN ("*chrome*", "*firefox*", "*safari*", "*edge*") | table _time, CommandLine, ImageFileName

data/approaches/Q1020.10.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -40,7 +40,7 @@ description:
     - "[Web Browsers on ForensicArtifacts](https://github.com/ForensicArtifacts/artifacts/blob/main/data/webbrowser.yaml)"
 view:
   data:
-    - type: artifact
+    - type: ForensicArtifact
       value: BrowserHistory
     - type: description
       value: Collect local browser history artifacts. These are often in the
@@ -59,7 +59,7 @@ view:
       - Browsers installed in non-standard paths
       - Visits made in Incognito/Private sessions
   processors:
-    - name: plaso
+    - name: Plaso
       options:
         - type: parsers
           value: webhist
@@ -74,7 +74,7 @@ view:
             - description: *filter-desc
               type: pandas
               value: query('data_type in ("chrome:history:page_visited", "firefox:places:page_visited", "safari:history:visit_sqlite")')
-    - name: hindsight
+    - name: Hindsight
       options:
         - type: format
           value: jsonl

data/approaches/Q1024.10.yaml

@@ -0,0 +1,50 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+display_name: Search CrowdStrike logs for Incognito Chrome processes
+type: approach
+id: Q1024.10
+dfiq_version: 1.0.0
+tags:
+  - CrowdStrike
+  - Process Execution
+  - Web Browser
+description:
+  summary: CrowdStrike records the source process ID (ContextProcessId) for ProcessRollup events.
+  details: >
+    Crowdstrike is a detection platform, not a logging platform, so not all executions are logged.
+    We cannot always connect a running browser process with observed DNS requests. When we do see
+    DNS requests coming from a browser process, yet we don't see browsing history, there are 
+    several possible explanations, including browser extensions or private browsing.
+  references:
+    - https://www.crowdstrike.com/blog/tech-center/hunt-threat-activity-falcon-endpoint-protection/
+view:
+  data:
+    - type: CrowdStrike
+      value: ProcessRollup
+  notes:
+    covered:
+      - Chrome on Mac, Linux, and Windows hosts with a CrowdStrike Falcon agent
+    not_covered:
+      - Chrome instances with a renamed process
+      - Other Chromium-based browsers
+  processors:
+    - name: Splunk
+      analysis:
+        - name: Splunk-Query
+          steps:
+            - description: Query searching for browser processes executed in private mode
+              type: splunk-query
+              value: ComputerName="{hostname}" event_simpleName=ProcessRollup* CommandLine IN ("*chrome*") CommandLine IN (*disable-databases*) | table _time, DomainName, CommandLine