[Rule Tuning] Searching for Saved Credentials via VaultCmd

Question

[Rule Tuning] Searching for Saved Credentials via VaultCmd

hack-1m opened this issue 4 months ago · comments

Link to rule

Searching for Saved Credentials via VaultCmd :

The rule detection refers only to process.name: "vaultcmd.exe" but during the test with rta I received logs of process.name: "VaultCmd.exe".

Description

There are several ways to change this behaviour:

Solution 1 Change the rule from process.name: "vaultcmd.exe" to process.name: "vaultcmd.exe" or process.name: "VaultCmd.exe".

Solution 2 in the winlogbeat pipeline we force all processes to lowercase to make sure that this kind of behaviour is caught on rules looking for exact patterns. However, this will make rendering less comfortable.

Solution 3 Deport the lowercase directly into the winlogbeat process.

We could do this in a logstash but we can't be sure that this middleware will be used to retrieve logs.

Example Data

Ruben Groenewoud · Answer 1 · Mon Feb 05 2024 17:19:12 GMT+0800 (China Standard Time)

Hi @hack-1m, thanks for contacting us.

FYI, EQL queries using the ":" symbol are case-insensitive, meaning that the EQL query provided above will trigger on both of your examples. KQL, the query language you used to query Discover, is case-sensitive, and therefore you will be required to specify the exact matching name when querying the Discover tab.

Feel free to try-out the EQL query provided in the rule, within the security timelines feature and LMK if this solved your issue!

Thanks.

ref: EQL case sensitivity docs.

hack-1m · Answer 2 · Mon Feb 05 2024 19:28:01 GMT+0800 (China Standard Time)

My bad, Indeed, after investigation, the rule works correctly. Sincerly De : Ruben Groenewoud ***@***.***> Date : lundi, 5 février 2024 à 10:19 À : elastic/detection-rules ***@***.***> Cc : Hakim DJELILI ***@***.***>, Mention ***@***.***> Objet : Re: [elastic/detection-rules] [Rule Tuning] Searching for Saved Credentials via VaultCmd (Issue #3424) Hi @hack-1m<https://github.com/hack-1m>, thanks for contacting us. FYI, EQL queries using the ":" symbol are case-insensitive, meaning that the EQL query provided above will trigger on both of your examples. KQL, the query language you used to query Discover, is case-sensitive, and therefore you will be required to specify the exact matching name when querying the Discover tab. Feel free to try-out the EQL query provided in the rule, within the security timelines feature and LMK if this solved your issue! Thanks. ref: EQL case sensitivity docs<https://www.elastic.co/guide/en/elasticsearch/reference/current/eql-syntax.html#:~:text=For%20case%2Dinsensitive%20matching%2C%20use%20in~%20.&text=Returns%20true%20if%20the%20value%20is%20not%20contained%20in%20the,matching%2C%20use%20not%20in~%20.&text=Returns%20true%20if%20the%20string%20is%20contained%20in%20the%20provided%20list>. — Reply to this email directly, view it on GitHub<#3424 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BBPQ6GO3I64AJO7IDIDT7FTYSCPZZAVCNFSM6AAAAABCY4XIZ2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMRWGUZTOMJTGA>. You are receiving this because you were mentioned.Message ID: ***@***.***>

Ruben Groenewoud · Answer 3 · Mon Feb 05 2024 20:49:34 GMT+0800 (China Standard Time)

Good to hear! I will then close out the issue.

hack-1m · Answer 4 · Mon Feb 05 2024 20:51:46 GMT+0800 (China Standard Time)

thanks De : Ruben Groenewoud ***@***.***> Date : lundi, 5 février 2024 à 13:49 À : elastic/detection-rules ***@***.***> Cc : Hakim DJELILI ***@***.***>, Mention ***@***.***> Objet : Re: [elastic/detection-rules] [Rule Tuning] Searching for Saved Credentials via VaultCmd (Issue #3424) Closed #3424<#3424> as completed. — Reply to this email directly, view it on GitHub<#3424 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BBPQ6GIGXEIFETGKDUCEAK3YSDIOTAVCNFSM6AAAAABCY4XIZ2VHI2DSMVQWIX3LMV45UABCJFZXG5LFIV3GK3TUJZXXI2LGNFRWC5DJN5XDWMJRG4YDGNJWGM4DANA>. You are receiving this because you were mentioned.Message ID: ***@***.***>