Skip to content

Commit

Permalink
Fix winlogbeat powershell event processing. (#18966)
Browse files Browse the repository at this point in the history
Fix winlogbeat powershell event processing.
- Fix event processing for different engine versions.
- Improve powershell dashboard
  • Loading branch information
marc-gr authored Jun 5, 2020
1 parent 7b9c535 commit d5fee98
Show file tree
Hide file tree
Showing 11 changed files with 181 additions and 8 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Improve ECS field mappings in Sysmon module. `file.name`, `file.directory`, and `file.extension` are now populated. {issue}18364[18364]
- Improve ECS field mappings in Sysmon module. `rule.name` is populated for all events when present. {issue}18364[18364]
- Add Powershell module. Support for event ID's: `400`, `403`, `600`, `800`, `4103`, `4014`, `4105`, `4106`. {issue}16262[16262] {pull}18526[18526]
- Fix Powershell processing of downgraded engine events. {pull}18966[18966]

*Functionbeat*

Expand Down
Binary file modified winlogbeat/docs/images/kibana-powershell.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Original file line number Diff line number Diff line change
Expand Up @@ -2317,11 +2317,13 @@
},
{
"attributes": {
"columns": [
"columns": [
"event.code",
"powershell.engine.version",
"powershell.runspace_id",
"powershell.pipeline_id",
"process.args",
"powershell.command.invocation_details"
"powershell.command.invocation_details",
"powershell.file.script_block_text"
],
"description": "",
"hits": 0,
Expand All @@ -2332,7 +2334,7 @@
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
"query": {
"language": "kuery",
"query": "(winlog.provider_name : \"PowerShell\" or winlog.provider_name : \"Microsoft-Windows-PowerShell\" ) and (process.args : * or powershell.command.invocation_details.related_command: * )"
"query": "(winlog.provider_name : \"PowerShell\" or winlog.provider_name : \"Microsoft-Windows-PowerShell\" )"
},
"version": true
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -84,8 +84,21 @@ var powershell = (function () {
});
};

// countChunksDelimitedBy will return the number of chunks contained in a field
// that are delimited by the given delimiter.
var countChunksDelimitedBy = function(evt, fromField, delimiter) {
var str = evt.Get(fromField);
if (!str) {
return 0;
}
return str.split(delimiter).length-1;
};

var dissect4xxAnd600 = function (evt) {
dissectField("winlog.event_data.param3", "winlog.event_data", 15, "\t", "=").Run(evt);
var delimiter = "\t";
var chunks = countChunksDelimitedBy(evt, "winlog.event_data.param3", delimiter);

dissectField("winlog.event_data.param3", "winlog.event_data", chunks, delimiter, "=").Run(evt);

// these fields contain redundant information.
evt.Delete("winlog.event_data.param1");
Expand All @@ -94,15 +107,21 @@ var powershell = (function () {
};

var dissect800Detail = function (evt) {
dissectField("winlog.event_data.param2", "winlog.event_data", 13, "\t", "=").Run(evt);
var delimiter = "\t";
var chunks = countChunksDelimitedBy(evt, "winlog.event_data.param2", delimiter);

dissectField("winlog.event_data.param2", "winlog.event_data", chunks, "\t", "=").Run(evt);

// these fields contain redundant information.
evt.Delete("winlog.event_data.param1");
evt.Delete("winlog.event_data.param2");
};

var dissect4103 = function (evt) {
dissectField("winlog.event_data.ContextInfo", "winlog.event_data", 16, " ", " = ").Run(evt);
var delimiter = " ";
var chunks = countChunksDelimitedBy(evt, "winlog.event_data.ContextInfo", delimiter);

dissectField("winlog.event_data.ContextInfo", "winlog.event_data", chunks, delimiter, " = ").Run(evt);

// these fields contain redundant information.
evt.Delete("winlog.event_data.ContextInfo");
Expand Down Expand Up @@ -170,7 +189,7 @@ var powershell = (function () {
var addProcessArgs = function (evt) {
splitCommandLine(evt, "process.command_line", "process.args");
var args = evt.Get("process.args");
if (args.length > 0) {
if (args && args.length > 0) {
evt.Put("process.args_count", args.length);
}
};
Expand Down
Binary file modified x-pack/winlogbeat/module/powershell/test/testdata/400.evtx
Binary file not shown.
Original file line number Diff line number Diff line change
Expand Up @@ -171,5 +171,56 @@
"record_id": 1579,
"task": "Engine Lifecycle"
}
},
{
"@timestamp": "2020-06-04T07:20:27.7472275Z",
"event": {
"action": "Engine Lifecycle",
"category": [
"process"
],
"code": 400,
"kind": "event",
"module": "powershell",
"provider": "PowerShell",
"sequence": 9,
"type": [
"start"
]
},
"host": {
"name": "vagrant"
},
"log": {
"level": "information"
},
"powershell": {
"engine": {
"new_state": "Available",
"previous_state": "None",
"version": "2.0"
},
"process": {
"executable_version": "2.0"
},
"runspace_id": "6ebeca05-d618-4c66-a0d8-4269d800d099"
},
"process": {
"entity_id": "7018c049-c75b-4e02-9c0f-6761b97e1657",
"title": "ConsoleHost"
},
"winlog": {
"api": "wineventlog",
"channel": "Windows PowerShell",
"computer_name": "vagrant",
"event_id": 400,
"keywords": [
"Classic"
],
"opcode": "Info",
"provider_name": "PowerShell",
"record_id": 18591,
"task": "Engine Lifecycle"
}
}
]
Binary file modified x-pack/winlogbeat/module/powershell/test/testdata/403.evtx
Binary file not shown.
Original file line number Diff line number Diff line change
Expand Up @@ -175,5 +175,56 @@
"record_id": 1766,
"task": "Engine Lifecycle"
}
},
{
"@timestamp": "2020-06-04T07:20:28.6861939Z",
"event": {
"action": "Engine Lifecycle",
"category": [
"process"
],
"code": 403,
"kind": "event",
"module": "powershell",
"provider": "PowerShell",
"sequence": 10,
"type": [
"end"
]
},
"host": {
"name": "vagrant"
},
"log": {
"level": "information"
},
"powershell": {
"engine": {
"new_state": "Stopped",
"previous_state": "Available",
"version": "2.0"
},
"process": {
"executable_version": "2.0"
},
"runspace_id": "6ebeca05-d618-4c66-a0d8-4269d800d099"
},
"process": {
"entity_id": "7018c049-c75b-4e02-9c0f-6761b97e1657",
"title": "ConsoleHost"
},
"winlog": {
"api": "wineventlog",
"channel": "Windows PowerShell",
"computer_name": "vagrant",
"event_id": 403,
"keywords": [
"Classic"
],
"opcode": "Info",
"provider_name": "PowerShell",
"record_id": 18592,
"task": "Engine Lifecycle"
}
}
]
Binary file modified x-pack/winlogbeat/module/powershell/test/testdata/600.evtx
Binary file not shown.
Original file line number Diff line number Diff line change
Expand Up @@ -115,5 +115,54 @@
"record_id": 1266,
"task": "Provider Lifecycle"
}
},
{
"@timestamp": "2020-06-04T07:25:04.8574302Z",
"event": {
"action": "Provider Lifecycle",
"category": [
"process"
],
"code": 600,
"kind": "event",
"module": "powershell",
"provider": "PowerShell",
"sequence": 8,
"type": [
"info"
]
},
"host": {
"name": "vagrant"
},
"log": {
"level": "information"
},
"powershell": {
"process": {
"executable_version": "2.0"
},
"provider": {
"name": "Certificate",
"new_state": "Started"
}
},
"process": {
"entity_id": "99a16837-7392-463d-afe5-5f3ed24bd358",
"title": "ConsoleHost"
},
"winlog": {
"api": "wineventlog",
"channel": "Windows PowerShell",
"computer_name": "vagrant",
"event_id": 600,
"keywords": [
"Classic"
],
"opcode": "Info",
"provider_name": "PowerShell",
"record_id": 18640,
"task": "Provider Lifecycle"
}
}
]

0 comments on commit d5fee98

Please sign in to comment.