HELK
Elastalert rules for sysmon event id 3 which filter on Image won't work
Describe the problem
The logstash pipeline for sysmon (pipeline/1531-winevent-sysmon-filter.conf) changes the name of the "Image" field to "process_path". As the sigma rules are looking for a field called "Image", any rules which filter by "Image" won't work as expected.
Provide the output of the following commands
Get operating system and version
NAME="Ubuntu"
VERSION="18.04.4 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.4 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
Get disk space, memory, processor cores, and docker storage
Docker Space:
Filesystem Size Used Avail Use% Mounted on
/dev/vda1 155G 11G 145G 7% /
Memory:
              total        used        free      shared  buff/cache   available
Mem:              7           6           0           0           0           1
Swap:             0           0           0
Cores: 4
Get output of the HELK docker containers:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
fab275351ac0 confluentinc/cp-ksql-cli:5.1.3 "/bin/sh" 8 hours ago Up 8 hours helk-ksql-cli
8161fb54ea31 confluentinc/cp-ksql-server:5.1.3 "/etc/confluent/dock…" 8 hours ago Up 8 hours 0.0.0.0:8088->8088/tcp helk-ksql-server
a3aedab6e8d2 otrf/helk-kafka-broker:2.4.0 "./kafka-entrypoint.…" 8 hours ago Up 8 hours 0.0.0.0:9092->9092/tcp helk-kafka-broker
2cbc709c2c26 otrf/helk-elastalert:0.4.0 "./elastalert-entryp…" 8 hours ago Up 2 minutes helk-elastalert
fef923b44263 otrf/helk-zookeeper:2.4.0 "./zookeeper-entrypo…" 8 hours ago Up 8 hours 2181/tcp, 2888/tcp, 3888/tcp helk-zookeeper
75c0a2453d33 otrf/helk-nginx:0.3.0 "/opt/helk/scripts/n…" 8 hours ago Up 8 hours 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp helk-nginx
abf8e3b576c3 otrf/helk-logstash:7.6.2.1 "/usr/share/logstash…" 8 hours ago Up 8 hours 0.0.0.0:3515->3515/tcp, 0.0.0.0:5044->5044/tcp, 0.0.0.0:5514->5514/tcp, 0.0.0.0:5514->5514/udp, 0.0.0.0:8515-8516->8515-8516/tcp, 0.0.0.0:8531->8531/tcp, 0.0.0.0:8515-8516->8515-8516/udp, 9600/tcp helk-logstash
31ff8e3c0f6d docker.elastic.co/kibana/kibana:7.6.2 "/usr/share/kibana/s…" 8 hours ago Up 8 hours 5601/tcp helk-kibana
eb27a4383aac docker.elastic.co/elasticsearch/elasticsearch:7.6.2 "/usr/share/elastics…" 8 hours ago Up 8 hours 9200/tcp, 9300/tcp helk-elasticsearch
Place all output, from the above commands, here
Provide the HELK installation logs located at /var/log/helk-install.log if you are having install errors
Place the output here
What version of HELK are you using
220baae6b17617300f6f87b4c21f193d66ad52b6
2020-08-03
What version of Winlogbeat are you using if you are using Windows/WEF logs
N/A
What steps did you take trying to fix the issue
Modified /opt/sigma/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml to reference process_name rather than Image. Couldn't use process_path directly in its entirety whilst keeping the rule roughly the same, as the '' characters don't appear to translate correctly in the resulting file in /etc/elastalert/rules (assuming an issue with it adding an escaping '').
How could we replicate the issue
Fire up a default install of HELK and log from a windows machine where lsass.exe is communicating with a domain controller and see that the lsass.exe process is alerted on by elastalert despite not meeting the criteria of the sigma rule.
Hey @BarryStokes
Our Sigma config for sigmac actually translates that field to the right one: https://github.com/Cyb3rWard0g/HELK/blob/master/docker/helk-elastalert/sigmac/sigmac-config.yml#L122
Am I missing something? Can you share a screenshot of the rule that is looking for Image? Thank you in advance!
ahh I see what you mean
elastalertuser@57378b97d853:~$ cat /etc/elastalert/rules/sigma_sysmon_suspicious_outbound_kerberos_connection.yml
alert:
- debug
description: Detects suspicious outbound network activity via kerberos default port
  indicating possible lateral movement or first stage PrivEsc via delegation.
filter:
- query:
    query_string:
      query: ((event_id:"3" AND dst_port:"88" AND network_initiated:"true") AND NOT
        (Image|endswith:("\\lsass.exe" "\\opera.exe" "\\chrome.exe" "\\firefox.exe")))
index: logs-endpoint-winevent-sysmon-*
name: Suspicious-Outbound-Kerberos-Connection-02_0
priority: 2
realert:
  minutes: 0
type: any
elastalertuser@57378b97d853:~$
We need to update the sigmac tool to latest. Thank you for letting us know.
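Added example, not code from HELK or from sigmac: a small Python model of the two translation steps the thread is about (the Image -> process_path field mapping from the HELK pipeline, and the Sigma |endswith modifier). It reproduces the broken filter shown in the cat output above, builds the clause a modifier-aware translation with the field mapping would emit, and evaluates both against constructed events to show why lsass.exe still fires the rule under the old output. Only the Image -> process_path rename stated in the issue is assumed; the matcher is a deliberately tiny subset of query_string (one field, quoted values, * wildcard) and the sample events are made up, not real telemetry.

```python
import fnmatch

# Field rename applied by HELK's sysmon Logstash pipeline (from the issue).
# Assumption: only the one rename the issue documents is modelled here.
FIELD_MAP = {"Image": "process_path"}

# The exclusion part of the Sigma rule, as the YAML loads it: a field name
# carrying the "|endswith" modifier and a list of path suffixes.
SIGMA_FILTER = {
    "Image|endswith": ["\\lsass.exe", "\\opera.exe", "\\chrome.exe", "\\firefox.exe"],
}


def lucene_escape(value):
    """Escape a literal backslash for a query_string value ('\\' -> '\\\\')."""
    return value.replace("\\", "\\\\")


def translate_old(sigma_filter):
    """Mimic the old sigmac output seen in the issue: the modifier is not
    understood, so 'Image|endswith' is kept verbatim as the field name, the
    field mapping never applies to it, and no leading wildcard is added."""
    return [(spec, [lucene_escape(v) for v in values])
            for spec, values in sigma_filter.items()]


def translate_fixed(sigma_filter):
    """Modifier-aware translation plus HELK field mapping: 'Image|endswith'
    becomes 'process_path' with '*' prepended to each escaped suffix."""
    clauses = []
    for spec, values in sigma_filter.items():
        field, _, modifier = spec.partition("|")
        field = FIELD_MAP.get(field, field)
        if modifier == "endswith":
            patterns = ["*" + lucene_escape(v) for v in values]
        elif modifier == "":
            patterns = [lucene_escape(v) for v in values]
        else:
            raise ValueError("modifier not modelled: %s" % modifier)
        clauses.append((field, patterns))
    return clauses


def render(clauses):
    """Render clauses the way the generated rule file writes them."""
    parts = []
    for field, patterns in clauses:
        quoted = " ".join('"%s"' % p for p in patterns)
        parts.append("%s:(%s)" % (field, quoted))
    return " OR ".join(parts)


def exclusion_matches(event, clauses):
    """Evaluate the NOT-clause against one indexed event. A field that is not
    present in the document can never match, which is exactly what happens
    to 'Image|endswith' once Logstash has renamed Image to process_path."""
    for field, patterns in clauses:
        value = event.get(field)
        if value is None:
            continue
        for pattern in patterns:
            glob = pattern.replace("\\\\", "\\")   # undo query_string escaping
            if fnmatch.fnmatchcase(value, glob):
                return True
    return False


def alert_fires(event, exclusion):
    """Selection from the rule (event_id 3, dst_port 88, initiated) AND NOT exclusion."""
    selected = (event.get("event_id") == 3 and event.get("dst_port") == 88
                and event.get("network_initiated") is True)
    return selected and not exclusion_matches(event, exclusion)


# Constructed sample events as HELK would index them (field already renamed).
LSASS_TO_DC = {"event_id": 3, "dst_port": 88, "network_initiated": True,
               "process_path": "C:\\Windows\\System32\\lsass.exe"}
POWERSHELL_TO_DC = {"event_id": 3, "dst_port": 88, "network_initiated": True,
                    "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}

if __name__ == "__main__":
    old, fixed = translate_old(SIGMA_FILTER), translate_fixed(SIGMA_FILTER)
    print("old  :", render(old))
    print("fixed:", render(fixed))
    for name, ev in (("lsass", LSASS_TO_DC), ("powershell", POWERSHELL_TO_DC)):
        print(name, "old fires:", alert_fires(ev, old), "fixed fires:", alert_fires(ev, fixed))
```

Running it prints the same `Image|endswith:("\\lsass.exe" ...)` clause the cat output shows, and lsass.exe fires under it but not under the `process_path:("*\\lsass.exe" ...)` form. The practical check after upgrading sigmac is therefore to grep the generated files in /etc/elastalert/rules for any field name still containing a `|` and for exclusion values that lack the leading `*`.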