[Memory Protection] Add fields for trampoline detection. (#344)

* added new fields for memory_protection alerts

Author: calladoum-elastic

custom_schemas/custom_api.yml

@@ -18,5 +18,3 @@
       type: keyword
       description: >
         The name of the API, usually the name of the function or system call.
-
-

custom_schemas/custom_process.yml

@@ -62,7 +62,7 @@
       description: Parent process' pid.
       example: 4241
       default_field: false
-      
+
     - name: Ext
       level: custom
       type: object
@@ -95,7 +95,7 @@
       level: custom
       type: object
       description: Object for all custom defined fields to live in.
-      
+
     - name: thread.Ext.call_stack_contains_unbacked
       level: custom
       type: boolean
@@ -193,9 +193,9 @@
       type: boolean
       short: Whether a hardware breakpoint was set for the thread.
       description:  >
-        Whether a hardware breakpoint was set for the thread. 
-        This field is omitted if false. 
-      example: "true" 
+        Whether a hardware breakpoint was set for the thread.
+        This field is omitted if false.
+      example: "true"
 
     - name: thread.Ext.start
       level: custom
@@ -252,6 +252,54 @@
       description: >
         Additional information about the memory containing the thread start address.
 
+    - name: thread.Ext.original_start_address
+      level: custom
+      type: unsigned_long
+      example: 4194304
+      description: >
+        When a trampoline was detected, this indicates the original content for the thread start address in memory.
+
+    - name: thread.Ext.original_start_address_allocation_offset
+      level: custom
+      type: unsigned_long
+      example: 0
+      description: >
+        When a trampoline was detected, this indicates the original content for the offset of original_start_address to the allocation base.
+
+    - name: thread.Ext.original_start_address_bytes
+      level: custom
+      type: keyword
+      example: "48b84141414141414141ffe000ccccccccccccccccccccccccccccccccccccccc"
+      description: >
+        When a trampoline was detected, this holds the original content of the hex-encoded bytes at the original thread start address.
+
+    - name: thread.Ext.original_start_address_bytes_disasm
+      level: custom
+      type: keyword
+      example: "mov rax, 0x4141414141414141\\njmp rax"
+      description: >
+        When a trampoline was detected, this indicates the original content for the disassembled code pointed by the thread start address.
+
+    - name: thread.Ext.original_start_address_bytes_disasm_hash
+      level: custom
+      type: keyword
+      example: "aacb1c801f9030f799e2f7350f053ebb760d42cbe81cd65021063c1c4d1a9c9c"
+      description: >
+        When a trampoline was detected, this indicates the hash of original content for the disassembled code pointed by the thread start address.
+
+    - name: thread.Ext.original_start_address_module
+      level: custom
+      type: keyword
+      example: "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"
+      description: >
+        When a trampoline was detected, this indicates the original content for the dll/module where the thread began execution.
+
+    - name: thread.Ext.start_address_details
+      level: custom
+      type: object
+      description: >
+        Additional information about the memory containing the thread start address.
+
     - name: thread.Ext.service
       level: custom
       type: keyword
@@ -405,19 +453,19 @@
       type: keyword
       description: >
         Session logon type.  Examples include Interactive, Network, and Service.
-        
+
     - name: Ext.session_info.client_address
       level: custom
       type: keyword
       description: >
         Client's IPv4 or IPv6 address as a string, if available.
-        
+
     - name: Ext.session_info.id
       level: custom
       type: unsigned_long
       description: >
         Session ID
-        
+
     - name: Ext.session_info.authentication_package
       level: custom
       type: keyword
@@ -429,7 +477,7 @@
       type: double
       description: >
         Process creation time, relative to logon time, in seconds.
-        
+
     - name: Ext.session_info.relative_password_age
       level: custom
       type: double
@@ -656,14 +704,14 @@
 
     - name: io.total_bytes_captured
       level: extended
-      type: long 
+      type: long
       beta: This field is beta and subject to change.
       description: >
         The total number of bytes captured in this event.
 
     - name: io.total_bytes_skipped
       level: extended
-      type: long 
+      type: long
       beta: This field is beta and subject to change.
       short: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits.
       description: >
@@ -687,14 +735,14 @@
 
     - name: io.bytes_skipped.offset
       level: extended
-      type: long 
+      type: long
       beta: This field is beta and subject to change.
       description: >
         The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped.
 
     - name: io.bytes_skipped.length
       level: extended
-      type: long 
+      type: long
       beta: This field is beta and subject to change.
       description: >
         The length of bytes skipped.

custom_subsets/elastic_endpoint/alerts/memory_protection_event.yaml

@@ -610,6 +610,12 @@ fields:
               start_address_bytes: {}
               start_address_bytes_disasm: {}
               start_address_bytes_disasm_hash: {}
+              original_start_address: {}
+              original_start_address_module: {}
+              original_start_address_allocation_offset: {}
+              original_start_address_bytes: {}
+              original_start_address_bytes_disasm: {}
+              original_start_address_bytes_disasm_hash: {}
               service: {}
               token:
                 fields:

package/endpoint/data_stream/alerts/fields/fields.yml

@@ -2411,9 +2411,49 @@
     - name: process.thread.Ext.hardware_breakpoint_set
       level: custom
       type: boolean
-      description: Whether a hardware breakpoint was set for the thread.  This field is omitted if false.
+      description: Whether a hardware breakpoint was set for the thread. This field is omitted if false.
       example: 'true'
       default_field: false
+    - name: process.thread.Ext.original_start_address
+      level: custom
+      type: unsigned_long
+      description: When a trampoline was detected, this indicates the original content for the thread start address in memory.
+      example: 4194304
+      default_field: false
+    - name: process.thread.Ext.original_start_address_allocation_offset
+      level: custom
+      type: unsigned_long
+      description: When a trampoline was detected, this indicates the original content for the offset of original_start_address to the allocation base.
+      example: 0
+      default_field: false
+    - name: process.thread.Ext.original_start_address_bytes
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: When a trampoline was detected, this holds the original content of the hex-encoded bytes at the original thread start address.
+      example: 48b84141414141414141ffe000ccccccccccccccccccccccccccccccccccccccc
+      default_field: false
+    - name: process.thread.Ext.original_start_address_bytes_disasm
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: When a trampoline was detected, this indicates the original content for the disassembled code pointed by the thread start address.
+      example: mov rax, 0x4141414141414141\njmp rax
+      default_field: false
+    - name: process.thread.Ext.original_start_address_bytes_disasm_hash
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: When a trampoline was detected, this indicates the hash of original content for the disassembled code pointed by the thread start address.
+      example: aacb1c801f9030f799e2f7350f053ebb760d42cbe81cd65021063c1c4d1a9c9c
+      default_field: false
+    - name: process.thread.Ext.original_start_address_module
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: When a trampoline was detected, this indicates the original content for the dll/module where the thread began execution.
+      example: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
+      default_field: false
     - name: process.thread.Ext.parameter
       level: custom
       type: unsigned_long
@@ -7208,9 +7248,49 @@
     - name: thread.Ext.hardware_breakpoint_set
       level: custom
       type: boolean
-      description: Whether a hardware breakpoint was set for the thread.  This field is omitted if false.
+      description: Whether a hardware breakpoint was set for the thread. This field is omitted if false.
       example: 'true'
       default_field: false
+    - name: thread.Ext.original_start_address
+      level: custom
+      type: unsigned_long
+      description: When a trampoline was detected, this indicates the original content for the thread start address in memory.
+      example: 4194304
+      default_field: false
+    - name: thread.Ext.original_start_address_allocation_offset
+      level: custom
+      type: unsigned_long
+      description: When a trampoline was detected, this indicates the original content for the offset of original_start_address to the allocation base.
+      example: 0
+      default_field: false
+    - name: thread.Ext.original_start_address_bytes
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: When a trampoline was detected, this holds the original content of the hex-encoded bytes at the original thread start address.
+      example: 48b84141414141414141ffe000ccccccccccccccccccccccccccccccccccccccc
+      default_field: false
+    - name: thread.Ext.original_start_address_bytes_disasm
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: When a trampoline was detected, this indicates the original content for the disassembled code pointed by the thread start address.
+      example: mov rax, 0x4141414141414141\njmp rax
+      default_field: false
+    - name: thread.Ext.original_start_address_bytes_disasm_hash
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: When a trampoline was detected, this indicates the hash of original content for the disassembled code pointed by the thread start address.
+      example: aacb1c801f9030f799e2f7350f053ebb760d42cbe81cd65021063c1c4d1a9c9c
+      default_field: false
+    - name: thread.Ext.original_start_address_module
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: When a trampoline was detected, this indicates the original content for the dll/module where the thread began execution.
+      example: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
+      default_field: false
     - name: thread.Ext.parameter
       level: custom
       type: unsigned_long

package/endpoint/docs/README.md

@@ -337,7 +337,13 @@ sent by the endpoint.
 | Target.process.ppid | Parent process' pid. | long |
 | Target.process.start | The time the process started. | date |
 | Target.process.thread.Ext | Object for all custom defined fields to live in. | object |
-| Target.process.thread.Ext.hardware_breakpoint_set | Whether a hardware breakpoint was set for the thread.  This field is omitted if false. | boolean |
+| Target.process.thread.Ext.hardware_breakpoint_set | Whether a hardware breakpoint was set for the thread. This field is omitted if false. | boolean |
+| Target.process.thread.Ext.original_start_address | When a trampoline was detected, this indicates the original content for the thread start address in memory. | unsigned_long |
+| Target.process.thread.Ext.original_start_address_allocation_offset | When a trampoline was detected, this indicates the original content for the offset of original_start_address to the allocation base. | unsigned_long |
+| Target.process.thread.Ext.original_start_address_bytes | When a trampoline was detected, this holds the original content of the hex-encoded bytes at the original thread start address. | keyword |
+| Target.process.thread.Ext.original_start_address_bytes_disasm | When a trampoline was detected, this indicates the original content for the disassembled code pointed by the thread start address. | keyword |
+| Target.process.thread.Ext.original_start_address_bytes_disasm_hash | When a trampoline was detected, this indicates the hash of original content for the disassembled code pointed by the thread start address. | keyword |
+| Target.process.thread.Ext.original_start_address_module | When a trampoline was detected, this indicates the original content for the dll/module where the thread began execution. | keyword |
 | Target.process.thread.Ext.parameter | When a thread is created, this is the raw numerical value of its parameter. | unsigned_long |
 | Target.process.thread.Ext.parameter_bytes_compressed | Up to 512KB of raw data from the thread parameter, if it is a valid pointer. This is compressed with zlib. To reduce data volume, this is de-duplicated on the endpoint, and may be missing from many alerts if the same data would be sent multiple times. | keyword |
 | Target.process.thread.Ext.parameter_bytes_compressed_present | Whether parameter_bytes_compressed is present in this event. | boolean |
@@ -960,7 +966,13 @@ sent by the endpoint.
 | process.supplemental_groups.id | Unique identifier for the group on the system/platform. | keyword |
 | process.supplemental_groups.name | Name of the group. | keyword |
 | process.thread.Ext | Object for all custom defined fields to live in. | object |
-| process.thread.Ext.hardware_breakpoint_set | Whether a hardware breakpoint was set for the thread.  This field is omitted if false. | boolean |
+| process.thread.Ext.hardware_breakpoint_set | Whether a hardware breakpoint was set for the thread. This field is omitted if false. | boolean |
+| process.thread.Ext.original_start_address | When a trampoline was detected, this indicates the original content for the thread start address in memory. | unsigned_long |
+| process.thread.Ext.original_start_address_allocation_offset | When a trampoline was detected, this indicates the original content for the offset of original_start_address to the allocation base. | unsigned_long |
+| process.thread.Ext.original_start_address_bytes | When a trampoline was detected, this holds the original content of the hex-encoded bytes at the original thread start address. | keyword |
+| process.thread.Ext.original_start_address_bytes_disasm | When a trampoline was detected, this indicates the original content for the disassembled code pointed by the thread start address. | keyword |
+| process.thread.Ext.original_start_address_bytes_disasm_hash | When a trampoline was detected, this indicates the hash of original content for the disassembled code pointed by the thread start address. | keyword |
+| process.thread.Ext.original_start_address_module | When a trampoline was detected, this indicates the original content for the dll/module where the thread began execution. | keyword |
 | process.thread.Ext.parameter | When a thread is created, this is the raw numerical value of its parameter. | unsigned_long |
 | process.thread.Ext.parameter_bytes_compressed | Up to 512KB of raw data from the thread parameter, if it is a valid pointer. This is compressed with zlib. To reduce data volume, this is de-duplicated on the endpoint, and may be missing from many alerts if the same data would be sent multiple times. | keyword |
 | process.thread.Ext.parameter_bytes_compressed_present | Whether parameter_bytes_compressed is present in this event. | boolean |