fix(ps): Make executable path assignation more robust

rabbitstack · rabbitstack · commit f8a2adceff43 · 2026-01-02T18:53:51.000+01:00
Introduce a new metadata attribute in the process state to
distinguish how the initial process state is created - either
from internal event or system logger.
This attribute is utilized in the state machine to set the
correct executable path.
diff --git a/pkg/ps/snapshotter_windows.go b/pkg/ps/snapshotter_windows.go
@@ -162,25 +162,25 @@ func (s *snapshotter) Write(e *event.Event) error {
 	if ps := s.procs[pid]; ps == nil && (e.IsCreateProcessInternal() || e.IsProcessRundownInternal()) {
 		// only modify the state if there is no process derived from the NT kernel logger process events
 		s.procs[pid] = proc
-	} else if ps, ok := s.procs[pid]; ok && (e.IsCreateProcessInternal() || e.IsProcessRundownInternal()) {
+	} else if ps, ok := s.procs[pid]; ok && (e.IsCreateProcessInternal() || e.IsProcessRundownInternal()) && ps.IsCreatedFromSystemLogger {
 		// process state derived from the core kernel events exists - enrich it
 		ps.TokenIntegrityLevel = proc.TokenIntegrityLevel
 		ps.TokenElevationType = proc.TokenElevationType
 		ps.IsTokenElevated = proc.IsTokenElevated
-		if len(proc.Exe) > len(ps.Exe) {
+		if strings.EqualFold(ps.Name, filepath.Base(proc.Exe)) && len(proc.Exe) > len(ps.Exe) {
 			// prefer full executable path
 			ps.Exe = proc.Exe
 		}
 		s.procs[pid] = ps
-	} else if ps, ok := s.procs[pid]; ok && (e.IsCreateProcess() || e.IsProcessRundown()) && ps.TokenIntegrityLevel != "" {
+	} else if ps, ok := s.procs[pid]; ok && (e.IsCreateProcess() || e.IsProcessRundown()) && !ps.IsCreatedFromSystemLogger {
 		// enrich the existing process state with the newly arrived NT kernel logger process events
 		// but obtain the integrity level and executable path from the previous proc state
 		processEnrichments.Add(1)
 		proc.TokenIntegrityLevel = ps.TokenIntegrityLevel
 		proc.TokenElevationType = ps.TokenElevationType
 		proc.IsTokenElevated = ps.IsTokenElevated
 
-		if len(ps.Exe) > len(proc.Exe) {
+		if strings.EqualFold(proc.Name, filepath.Base(ps.Exe)) && len(ps.Exe) > len(proc.Exe) {
 			// prefer full executable path
 			proc.Exe = ps.Exe
 			e.AppendParam(params.Exe, params.Path, ps.Exe)
@@ -393,6 +393,7 @@ func (s *snapshotter) newProcState(pid, ppid uint32, e *event.Event) (*pstypes.P
 	proc.IsWOW64 = (e.Params.MustGetUint32(params.ProcessFlags) & event.PsWOW64) != 0
 	proc.IsPackaged = (e.Params.MustGetUint32(params.ProcessFlags) & event.PsPackaged) != 0
 	proc.IsProtected = (e.Params.MustGetUint32(params.ProcessFlags) & event.PsProtected) != 0
+	proc.IsCreatedFromSystemLogger = true
 
 	if !s.capture {
 		if proc.Username != "" {
diff --git a/pkg/ps/snapshotter_windows_test.go b/pkg/ps/snapshotter_windows_test.go
@@ -224,6 +224,7 @@ func TestWriteInternalEventsEnrichment(t *testing.T) {
 						params.ProcessID:       {Name: params.ProcessID, Type: params.PID, Value: uint32(1024)},
 						params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
 						params.Exe:             {Name: params.Exe, Type: params.UnicodeString, Value: `svchost.exe`},
+						params.ProcessName:     {Name: params.ProcessName, Type: params.UnicodeString, Value: `svchost.exe`},
 						params.Cmdline:         {Name: params.Cmdline, Type: params.UnicodeString, Value: `svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService`},
 						params.UserSID:         {Name: params.UserSID, Type: params.WbemSID, Value: []byte{224, 8, 226, 31, 15, 167, 255, 255, 0, 0, 0, 0, 15, 167, 255, 255, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0}},
 						params.SessionID:       {Name: params.SessionID, Type: params.Uint32, Value: uint32(1)},
@@ -262,6 +263,7 @@ func TestWriteInternalEventsEnrichment(t *testing.T) {
 						params.ProcessID:                  {Name: params.ProcessID, Type: params.PID, Value: uint32(1024)},
 						params.ProcessParentID:            {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
 						params.Exe:                        {Name: params.Exe, Type: params.UnicodeString, Value: `C:\Windows\System32\svchost.exe`},
+						params.ProcessName:                {Name: params.ProcessName, Type: params.UnicodeString, Value: `svchost.exe`},
 						params.ProcessTokenIntegrityLevel: {Name: params.ProcessTokenIntegrityLevel, Type: params.AnsiString, Value: "HIGH"},
 						params.ProcessTokenIsElevated:     {Name: params.ProcessTokenIsElevated, Type: params.Bool, Value: true},
 						params.ProcessTokenElevationType:  {Name: params.ProcessTokenElevationType, Type: params.AnsiString, Value: "FULL"},
@@ -272,6 +274,7 @@ func TestWriteInternalEventsEnrichment(t *testing.T) {
 					Params: event.Params{
 						params.ProcessID:       {Name: params.ProcessID, Type: params.PID, Value: uint32(1024)},
 						params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
+						params.ProcessName:     {Name: params.ProcessName, Type: params.UnicodeString, Value: `svchost.exe`},
 						params.Exe:             {Name: params.Exe, Type: params.UnicodeString, Value: `svchost.exe`},
 						params.Cmdline:         {Name: params.Cmdline, Type: params.UnicodeString, Value: `svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService`},
 						params.UserSID:         {Name: params.UserSID, Type: params.WbemSID, Value: []byte{224, 8, 226, 31, 15, 167, 255, 255, 0, 0, 0, 0, 15, 167, 255, 255, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0}},
@@ -300,6 +303,7 @@ func TestWriteInternalEventsEnrichment(t *testing.T) {
 						params.ProcessID:       {Name: params.ProcessID, Type: params.PID, Value: uint32(os.Getpid())},
 						params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
 						params.Exe:             {Name: params.Exe, Type: params.UnicodeString, Value: `svchost.exe`},
+						params.ProcessName:     {Name: params.ProcessName, Type: params.UnicodeString, Value: `svchost.exe`},
 						params.Cmdline:         {Name: params.Cmdline, Type: params.UnicodeString, Value: `svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService`},
 						params.UserSID:         {Name: params.UserSID, Type: params.WbemSID, Value: []byte{224, 8, 226, 31, 15, 167, 255, 255, 0, 0, 0, 0, 15, 167, 255, 255, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0}},
 						params.SessionID:       {Name: params.SessionID, Type: params.Uint32, Value: uint32(1)},
diff --git a/pkg/ps/types/types_windows.go b/pkg/ps/types/types_windows.go
@@ -100,6 +100,9 @@ type PS struct {
 	TokenElevationType string `json:"token_elevation_type"`
 	// IsTokenElevated indicates if the process token is elevated.
 	IsTokenElevated bool `json:"is_token_elevated"`
+	// IsCreatedFromSystemLogger is the metadata attribute that indicates if the
+	// process state is created from the event published by the NT kernel logger.
+	IsCreatedFromSystemLogger bool `json:"-"`
 }
 
 // UUID is meant to offer a more robust version of process ID that

Original file line number	Diff line number	Diff line change
`@@ -100,6 +100,9 @@ type PS struct {`
`100`	`100`	TokenElevationType string `json:"token_elevation_type"`
`101`	`101`	`// IsTokenElevated indicates if the process token is elevated.`
`102`	`102`	IsTokenElevated bool `json:"is_token_elevated"`
	`103`	`+ // IsCreatedFromSystemLogger is the metadata attribute that indicates if the`
	`104`	`+ // process state is created from the event published by the NT kernel logger.`
	`105`	+ IsCreatedFromSystemLogger bool `json:"-"`
`103`	`106`	`}`
`104`	`107`
`105`	`108`	`// UUID is meant to offer a more robust version of process ID that`