
Address gaps in Process Activity and Memory Activity wrt process injection. #1042

Closed (8 commits)

Conversation


@davemcatcisco davemcatcisco commented Apr 15, 2024

Related Issue:

#1041: Process Activity and Memory Activity cannot adequately describe common injection-related behaviours

Description of changes:

  • Added entry to injection_type_id enum in dictionary.json to cover queueing of an asynchronous procedure call (APC).
  • Added entry to activity_id enum in events/system/memory.json to cover mapping of shared memory object.

@davemcatcisco

It says that I should put labels on this but the ability to do that seems to be disabled for me. The labels I would use if I could would be process_activity, memory_activity, non_breaking, and v1.2.0_and_later.

@mikeradka

mikeradka commented Apr 16, 2024

This is a great catch, @davemcatcisco. One minor thing, could you change the branch to be merged to as main instead of ocsf:v1.2.0?

EDIT: This is TBD based on how things go with the 1.2.0 RC

@mikeradka mikeradka added system_activity Issues related to System Activity Category non_breaking Non Breaking, backwards compatible changes v1.3.0 Changes marked for v1.3.0 of OCSF labels Apr 16, 2024

@pagbabian-splunk pagbabian-splunk left a comment


For process_activity we are adding an additional injection type, is this the more specific way people think of process injection via memory activity? In other words, is the same situation representable as both process activity or memory activity?

@davemcatcisco

For process_activity we are adding an additional injection type, is this the more specific way people think of process injection via memory activity? In other words, is the same situation representable as both process activity or memory activity?

Thanks, Paul. I'm not sure I fully understand your question but I'll just say this in case it helps. Process injection broadly speaking requires two distinct things to happen:

  1. Memory pages containing the code that the attacker process wishes to execute and/or the data upon which that code will operate must be present in the virtual memory space of the victim process with the appropriate page protections. There are various ways to achieve this, represented in OCSF by a Memory Activity event.

  2. The attacker process must initiate execution of that code by a thread running within the context of the victim process. This can be achieved either by re-purposing an existing thread (temporarily or permanently) or by creating an entirely new thread for this purpose. In OCSF, this type of activity is represented by a Process Activity event.

It is important, I think, that these continue to be treated as two distinct activities because each can be used in isolation for other purposes, some benign and some not.
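As an added example (not code from this PR or from the OCSF project), the following Python correlates the two kinds of events the comment above keeps distinct: a Memory Activity event in which one process places code or data into another process's address space, followed within a short window by a Process Activity "Inject" event from the same actor against the same victim. The class_uid and activity_id numbers are assumed from the OCSF schema and should be checked against the version you emit; the value for the proposed "map shared memory object" activity is a placeholder because the page does not give its number; the event records are constructed samples.

```python
"""Correlate OCSF Memory Activity and Process Activity events into a single
process-injection finding. Added example, not OCSF project code."""
import json
from collections import defaultdict

# Assumed OCSF identifiers (verify against dictionary.json and
# events/system/memory.json for the schema version you actually use).
MEMORY_ACTIVITY_CLASS_UID = 1004   # assumed: Memory Activity class
PROCESS_ACTIVITY_CLASS_UID = 1007  # assumed: Process Activity class
PROCESS_INJECT = 4                 # assumed Process Activity activity_id "Inject"
MAP_SHARED_MEMORY_PLACEHOLDER = -1  # placeholder: value not given on the page
# Memory Activity activity_ids that stage code/data in the victim process
# (assumed: Allocate Page, Modify Page, Write, plus the proposed map activity).
STAGING_ACTIVITIES = {1, 2, 8, MAP_SHARED_MEMORY_PLACEHOLDER}
WINDOW_MS = 5_000  # how long staged memory stays "live" for correlation


def _pids(event):
    """(actor pid, victim pid) for an OCSF event with actor.process and process."""
    return event["actor"]["process"]["pid"], event["process"]["pid"]


def correlate_injection(events, window_ms=WINDOW_MS):
    """Return one finding per Inject event that was preceded, within window_ms,
    by staging Memory Activity from the same actor into the same victim.
    Either activity on its own produces no finding, matching the comment's
    point that each can be benign in isolation."""
    staged = defaultdict(list)  # (actor_pid, victim_pid) -> staging events
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        actor_pid, victim_pid = _pids(ev)
        if actor_pid == victim_pid:
            continue  # a process working on its own memory is not injection
        key = (actor_pid, victim_pid)
        if (ev["class_uid"] == MEMORY_ACTIVITY_CLASS_UID
                and ev["activity_id"] in STAGING_ACTIVITIES):
            staged[key].append(ev)
        elif (ev["class_uid"] == PROCESS_ACTIVITY_CLASS_UID
                and ev["activity_id"] == PROCESS_INJECT):
            recent = [s for s in staged[key] if ev["time"] - s["time"] <= window_ms]
            if recent:
                findings.append({
                    "time": ev["time"],
                    "actor_pid": actor_pid,
                    "victim_pid": victim_pid,
                    "staging_activity_ids": [s["activity_id"] for s in recent],
                    "injection_type": ev.get("injection_type", "Unknown"),
                })
    return findings


def _ev(time, class_uid, activity_id, actor_pid, victim_pid, **extra):
    """Build a minimal OCSF-shaped event record (constructed sample)."""
    rec = {"time": time, "class_uid": class_uid, "activity_id": activity_id,
           "actor": {"process": {"pid": actor_pid}},
           "process": {"pid": victim_pid}}
    rec.update(extra)
    return rec


# Constructed sample telemetry: pids and times are invented for this example.
SAMPLE_EVENTS = [
    _ev(1000, MEMORY_ACTIVITY_CLASS_UID, 1, 4242, 1337),   # allocate in victim
    _ev(1200, MEMORY_ACTIVITY_CLASS_UID, 8, 4242, 1337),   # write into victim
    _ev(1500, PROCESS_ACTIVITY_CLASS_UID, PROCESS_INJECT, 4242, 1337,
        injection_type="Asynchronous Procedure Call"),     # sample label
    _ev(2000, MEMORY_ACTIVITY_CLASS_UID, 1, 5555, 2222),   # staging only
    _ev(3000, PROCESS_ACTIVITY_CLASS_UID, PROCESS_INJECT, 6666, 3333),  # no staging seen
    _ev(99000, PROCESS_ACTIVITY_CLASS_UID, PROCESS_INJECT, 5555, 2222),  # outside window
]


def run_sample():
    """Correlate the constructed sample; only the 4242 -> 1337 pair qualifies."""
    return correlate_injection(SAMPLE_EVENTS)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

The window and the staging set are the tunable parts: telemetry that only records the Process Activity side (as in the 6666 -> 3333 sample) yields no correlated finding here, which is the trade-off of requiring both halves, and a separate single-event rule would be needed if that gap matters in your environment.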

@davemcatcisco

Closing as this PR has now been superseded by #1060.

@davemcatcisco davemcatcisco deleted the v1.2.0 branch April 23, 2024 16:37