elastic / detection-rules

Home Page: https://www.elastic.co/guide/en/security/current/detection-engine-overview.html


[Rule Tuning] PowerShell Script with Discovery Capabilities

ar3diu opened this issue · comments

Link to rule

https://github.com/elastic/detection-rules/blob/main/rules_building_block/discovery_posh_generic.toml

Description

KQL doesn't support the `?` one-character wildcard matching, as per the docs.
`*` should be used instead: https://www.elastic.co/guide/en/kibana/current/kuery-query.html#_filter_for_documents_using_wildcards

Backslashes should be escaped once, e.g.: `C:\Windows\TEMP\SDIAG` --> `C\:\\Windows\\TEMP\\SDIAG`
https://www.elastic.co/guide/en/kibana/current/kuery-query.html#_filter_for_documents_that_match_a_value

Example Data

```json
{ "_index": ".ds-logs-windows.powershell_operational-default-2024.02.08-000009", "_id": "Xox-Eo4BjPxBmbalmAex", "_version": 1, "_seq_no": 1051, "_primary_term": 3, "found": true, "_source": { "agent": { "name": "DESKTOP-REDACTED", "id": "855a3f2f-dd75-4e53-ba43-ne74kn20444k", "type": "filebeat", "ephemeral_id": "4b271810-486f-46e4-8dc4-551de384be84", "version": "8.12.2" }, "winlog": { "computer_name": "DESKTOP-REDACTED", "process": { "pid": 10092, "thread": { "id": 10224 } }, "channel": "Microsoft-Windows-PowerShell/Operational", "opcode": "On create calls", "version": 1, "record_id": "4289", "task": "Execute a Remote Command", "event_id": "4104", "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", "activity_id": "{4191105a-6a13-0007-81a8-0942136ada01}", "api": "wineventlog", "provider_name": "Microsoft-Windows-PowerShell", "user": { "identifier": "S-1-5-21-REDACTED", "domain": "DESKTOP-REDACTED", "name": "REDACTED", "type": "REDACTED" } }, "log": { "level": "warning" }, "elastic_agent": { "id": "855a3f2f-dd75-4e53-ba43-ne74kn20444k", "version": "8.12.2", "snapshot": false }, "input": { "type": "winlog" }, "@timestamp": "2024-03-06T06:40:59.733Z", "file": { "path": """C:\Windows\TEMP\SDIAG_dc0efa60-22b8-440c-9e7a-9870cc33b7f5\CL_Utility.ps1""", "extension": "ps1", "name": "CL_Utility.ps1", "directory": """C:\Windows\TEMP\SDIAG_dc0efa60-22b8-440c-9e7a-9870cc33b7f5""" }, "ecs": { "version": "8.0.0" }, "data_stream": { "namespace": "default", "type": "logs", "dataset": "windows.powershell_operational" }, "powershell": { "sequence": 1, "total": 1, "file": {}}, "host": { "hostname": "desktop-REDACTED", "os": { "build": "22631.3155", "kernel": "10.0.22621.3155 (WinBuild.160101.0800)", "name": "Windows 11 Pro", "type": "windows", "family": "windows", "version": "10.0", "platform": "windows" }, "ip": [], "name": "desktop-REDACTED", "id": "91111b19-4b23-4203-bd23-83cn30c3n350", "mac": [], "architecture": "x86_64" }, "event": { "agent_id_status": "verified", "ingested": "2024-03-06T06:41:10Z", "code": "4104", "provider": "Microsoft-Windows-PowerShell", "created": "2024-03-06T06:41:00.851Z", "kind": "event", "action": "Execute a Remote Command", "category": "process", "type": "info", "dataset": "windows.powershell_operational" }, "user": { "id": "S-1-5-21-REDACTED" } } }
```

So `not file.path: ?\:\\\\*\\\\TEMP\\\\SDIAG* and file.name: "CL_Utility.ps1"` won't work in this case. It needs to be changed to `not file.path: *\:\\*\\TEMP\\SDIAG* and file.name: "CL_Utility.ps1"`

Hey @ar3diu, thanks for bringing this to our attention, but I don't think any of those are actually issues:

The syntax returns the results as intended:

[screenshot]

The suggested syntax doesn't match any documents:

[screenshot]

Do you have different results in your environment?

That's odd... In my case, `file.path` is mapped as a keyword field. Is this the same for you?
Four backslashes don't make sense to me since everywhere else you need to escape a `\` only once 🤔

> file.path is mapped as a keyword field. Is this the same for you?

Yup, `file.path` is also a keyword in my env.

> Four backslashes don't make sense to me since everywhere else you need to escape a \ only once 🤔

This is more like a language limitation, in EQL we don't need to escape twice, here we are "escaping the escape char" 😅

I'll close this one, but if you have any issues, let me know, and we can reopen it to investigate further.
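As an added illustration (not code from the detection-rules project or from anyone in this thread), the "escaping the escape char" behaviour can be modelled in Python: KQL consumes one level of backslash escaping, and the remaining value is then read as a wildcard pattern in which `*` and `?` are wildcards and `\` escapes the next character. That two-layer reading of wildcard values is an assumption of the model (it does not cover plain, non-wildcard values), but it reproduces both outcomes shown above: the rule's four-backslash value matches the sample file.path and the proposed two-backslash value does not.

```python
import re

# Constructed sample: the file.path from the example document in this issue.
SAMPLE_PATH = r"C:\Windows\TEMP\SDIAG_dc0efa60-22b8-440c-9e7a-9870cc33b7f5\CL_Utility.ps1"

# The rule's current value and the value proposed in the issue, as KQL text.
RULE_VALUE = r"?\:\\\\*\\\\TEMP\\\\SDIAG*"
PROPOSED_VALUE = r"*\:\\*\\TEMP\\SDIAG*"


def kql_unescape(value: str) -> str:
    """Layer 1 (assumed model): KQL consumes one backslash escape, so every
    backslash-X pair collapses to X and a doubled backslash becomes one."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def wildcard_to_regex(pattern: str) -> str:
    """Layer 2 (assumed model): the unescaped value is read as a wildcard
    pattern where '*' and '?' are wildcards and a backslash escapes the next
    character, so a surviving doubled backslash means one literal backslash."""
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))  # escaped char is literal
            i += 2
            continue
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
        i += 1
    return "".join(parts)


def kql_wildcard_matches(kql_value: str, field_value: str) -> bool:
    """True if the KQL wildcard value matches the keyword field value
    after both escaping layers have been applied."""
    regex = wildcard_to_regex(kql_unescape(kql_value))
    return re.fullmatch(regex, field_value) is not None


if __name__ == "__main__":
    print("rule value matches sample path:", kql_wildcard_matches(RULE_VALUE, SAMPLE_PATH))
    print("proposed value matches sample path:", kql_wildcard_matches(PROPOSED_VALUE, SAMPLE_PATH))
```

The proposed form fails because after KQL strips one level, `\*` and `\T` reach the wildcard layer as escaped literals, so the pattern demands a literal `*` that no real path contains.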

I encounter the same issue with this rule, where all those exceptions are actually triggering in my environment:

`name = "Enumeration of Privileged Local Groups Membership"`

I've also noticed someone else reported the same issue on slack: https://elasticstack.slack.com/archives/C016E72DWDS/p1709331973805989