Auditbeat and reverse shells. Help required!

I am having trouble working with Auditbeat under certain conditions. My team is using Auditbeat and Elasticsearch to monitor students while they are performing a project that involves hacking networks that are set up in the cloud. To that end, we need to be able to view specific commands that the students execute, and especially their arguments. This is all fine and well under normal circumstances, but Auditbeat seems unable to discern the arguments of commands when a reverse shell is used.

E.g. This is my Auditbeat config:

---
auditbeat:
  modules:
  - audit_rule_files:
    - /etc/auditbeat/audit.rules.d/*.conf
    module: auditd
    include_warnings: true
    resolve_ids: true
    include_raw_message: true
http:
  enabled: true
  host: x.x.x.x
  port: '5067'
logging:
  level: debug
  metrics:
    enabled: false
  to_eventlog: false
  to_files: false
  to_stderr: true
  to_syslog: false
monitoring:
  cluster_uuid: ZK15biAITP-jB5O8Y5XuQQ
  enabled: false
name: blueprint-buckeye-auditbeat
output:
  elasticsearch:
    enabled: true
    hosts:
    - https://x.x.x.x:9200
    - https://x.x.x.x:9200
    - https://x.x.x.x:9200
    password: ${OUTPUT_PASS}
    ssl:
      certificate: /etc/auditbeat/certs//beats.crt
      certificate_authorities: /etc/auditbeat/certs//ca.crt
      enabled: true
      key: /etc/auditbeat/certs//beats.p1
      key_passphrase: ${OUTPUT_CERT_KEY_PASSPHRASE}
      verification_mode: none
    username: ${OUTPUT_USER}
path:
  config: /etc/auditbeat
  data: /var/lib/auditbeat
  home: /usr/share/auditbeat
  logs: /var/log/auditbeat
processors:
  - add_id: null
  - add_locale: null
  - community_id: null
  - add_process_metadata:
      match_pids:
      - system.process.ppid
      restricted_fields: true
  - add_fields:
      fields:
        world: blueprint
      target: ''
  - add_observer_metadata:
      geo:
        name: blueprint
setup:
  ilm:
    check_exists: false
    enabled: true
    overwrite: false
    pattern: '{now/d}-000001'
    rollover_alias: auditbeat-%{[agent.version]}
  template:
    settings:
      index:
        number_of_shards: 1

Let's say I add the following auditctl rule to the audit.rules.d directory: -a exit,always -F arch=b64 -S execve -F path=/usr/bin/mkfifo -k test. Let us now set up a reverse shell on this machine using, e.g., mkfifo test; /bin/bash -i -l 0<test 2>&1 | nc -l -p 4242 2>&1 >test. Once we connect to port 4242 from another instance, we can execute the command mkfifo /tmp/test. Auditbeat then captures and pushes a document for this execution. However, the document that is pushed (shown below) lists the arguments and process.title as /bin/bash -i -l, but it is not these arguments I need. Rather, I would need to know what the arguments to mkfifo are (e.g. what file was created using mkfifo). This is just a toy example; commands other than mkfifo would be more useful to monitor.

Here is the pushed document:

{
        "_index" : "auditbeat-7.8.1-2020.07.29-000001",
        "_type" : "_doc",
        "_id" : "z7KzvXMBoOZYadLU2Ynk",
        "_score" : 0.0,
        "_source" : {
          "@timestamp" : "2020-08-05T08:19:07.359Z",
          "user" : {
            "group" : {
              "id" : "0",
              "name" : "root"
            },
            "filesystem" : {
              "id" : "0",
              "group" : {
                "id" : "0",
                "name" : "root"
              },
              "name" : "root"
            },
            "id" : "0",
            "effective" : {
              "name" : "root",
              "group" : {
                "name" : "root",
                "id" : "0"
              },
              "id" : "0"
            },
            "saved" : {
              "group" : {
                "id" : "0",
                "name" : "root"
              },
              "name" : "root",
              "id" : "0"
            },
            "audit" : {
              "id" : "0",
              "name" : "root"
            },
            "name" : "root"
          },
          "host" : {
            "name" : "blueprint-energetic-bear-auditbeat"
          },
          "world" : "blueprint",
          "file" : {
            "group" : "root",
            "path" : "/usr/bin/mkfifo",
            "device" : "00:00",
            "inode" : "4098",
            "mode" : "0755",
            "uid" : "0",
            "gid" : "0",
            "owner" : "root"
          },
          "auditd" : {
            "sequence" : 699893,
            "result" : "success",
            "data" : {
              "syscall" : "execve",
              "a2" : "563149b3a950",
              "tty" : "pts1",
              "argc" : "2",
              "a1" : "5631499dc8f0",
              "exit" : "0",
              "arch" : "x86_64",
              "a0" : "563149a117f0",
              "a3" : "8"
            },
            "session" : "7613",
            "summary" : {
              "actor" : {
                "secondary" : "root",
                "primary" : "root"
              },
              "object" : {
                "primary" : "/usr/bin/mkfifo",
                "type" : "file"
              },
              "how" : "/usr/bin/mkfifo"
            },
            "paths" : [
              {
                "mode" : "0100755",
                "name" : "/usr/bin/mkfifo",
                "dev" : "08:01",
                "cap_fe" : "0",
                "cap_frootid" : "0",
                "cap_fver" : "0",
                "item" : "0",
                "nametype" : "NORMAL",
                "cap_fi" : "0",
                "inode" : "4098",
                "ogid" : "0",
                "ouid" : "0",
                "rdev" : "00:00",
                "cap_fp" : "0"
              },
              {
                "cap_fi" : "0",
                "cap_fver" : "0",
                "cap_fe" : "0",
                "cap_fp" : "0",
                "inode" : "2411",
                "item" : "1",
                "name" : "/lib64/ld-linux-x86-64.so.2",
                "nametype" : "NORMAL",
                "cap_frootid" : "0",
                "dev" : "08:01",
                "mode" : "0100755",
                "ogid" : "0",
                "ouid" : "0",
                "rdev" : "00:00"
              }
            ],
            "message_type" : "syscall"
          },
          "service" : {
            "type" : "auditd"
          },
          "agent" : {
            "hostname" : "blueprint-energetic-bear",
            "ephemeral_id" : "e15ee5e1-4a29-4f99-9caa-d583940cee55",
            "id" : "3966fa21-f393-5aee-80b0-914283ba53c6",
            "name" : "blueprint-energetic-bear-auditbeat",
            "type" : "auditbeat",
            "version" : "7.8.1"
          },
          "event" : {
            "action" : "executed",
            "outcome" : "success",
            "module" : "auditd",
            "timezone" : "+00:00",
            "category" : "audit-rule"
          },
          "ecs" : {
            "version" : "1.5.0"
          },
          "process" : {
            "ppid" : 10106,
            "executable" : "/bin/bash",
            "env" : { },
            "args" : [
              "/bin/bash",
              "-l",
              "-i"
            ],
            "pid" : 10386,
            "working_directory" : "/root",
            "start_time" : "2020-08-05T08:18:40.780Z",
            "title" : "/bin/bash -l -i",
            "name" : "bash"
          },
          "tags" : [
            "test"
          ],
          "container" : {
            "id" : ""
          },
          "observer" : {
            "hostname" : "blueprint-energetic-bear",
            "ip" : [
              "10.0.18.128",
              "10.0.2.128",
              "fe80::4001:aff:fe00:1280"
            ],
            "mac" : [
              "42:01:0a:00:12:80"
            ],
            "geo" : {
              "name" : "blueprint"
            }
          }
        }
      }
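The document above illustrates the gap described in the post: the audited object (file.path and auditd.summary.how) is /usr/bin/mkfifo, while process.executable and process.args describe the parent bash, and auditd.data.argc ("2") does not even agree with the three entries in process.args. The following script is an added example (not part of the post, not Auditbeat code) that applies exactly those two consistency checks to an execve event, so a monitoring pipeline can flag documents whose process.args cannot be trusted for the executed command. The event embedded below is a constructed, reduced copy of the posted document; the function names check_execve_consistency and scan_ndjson are this example's own. Note that a0..a3 in auditd.data are the raw syscall argument registers (for execve, pointers into the caller's memory), so they cannot be decoded into argv after the fact; the argv has to come from an EXECVE record.

```python
import json

# Constructed, reduced copy of the execve document shown in the post.
# Only the fields the checks use are kept; values mirror the original.
SAMPLE_EVENT = json.loads("""
{
  "file": {"path": "/usr/bin/mkfifo"},
  "auditd": {
    "data": {"syscall": "execve", "argc": "2",
             "a0": "563149a117f0", "a1": "5631499dc8f0"},
    "summary": {"how": "/usr/bin/mkfifo",
                "object": {"primary": "/usr/bin/mkfifo", "type": "file"}}
  },
  "process": {
    "pid": 10386, "ppid": 10106,
    "executable": "/bin/bash",
    "args": ["/bin/bash", "-l", "-i"],
    "title": "/bin/bash -l -i"
  },
  "event": {"action": "executed", "module": "auditd"}
}
""")


def _get(doc, dotted_path, default=None):
    """Walk a nested dict by a dotted path such as 'auditd.data.argc'."""
    for key in dotted_path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return default
        doc = doc[key]
    return doc


def check_execve_consistency(event):
    """Decide whether process.* in an auditd execve event describes the
    audited binary or some other process (e.g. the parent shell).

    Returns a dict with:
      applicable       - False for non-execve events (nothing to check)
      args_trustworthy - True only if no inconsistency was found
      audited_path     - the binary the audit rule actually matched
      reasons          - human-readable list of inconsistencies
    """
    if _get(event, "auditd.data.syscall") != "execve":
        return {"applicable": False, "args_trustworthy": None,
                "audited_path": None, "reasons": []}

    reasons = []
    audited = _get(event, "auditd.summary.how") or _get(event, "file.path")
    executable = _get(event, "process.executable")
    args = _get(event, "process.args") or []

    # Check 1: the binary the rule fired on must be the process.executable.
    if audited and executable and audited != executable:
        reasons.append("executable mismatch: audited %s but process.executable is %s"
                       % (audited, executable))

    # Check 2: the kernel's argc must equal the number of reported args.
    argc = _get(event, "auditd.data.argc")
    if argc is not None and args:
        try:
            if int(argc) != len(args):
                reasons.append("argc mismatch: kernel reported %s, process.args has %d"
                               % (argc, len(args)))
        except ValueError:
            reasons.append("argc not numeric: %r" % argc)

    return {"applicable": True, "args_trustworthy": not reasons,
            "audited_path": audited, "reasons": reasons}


def scan_ndjson(lines):
    """Run the check over newline-delimited JSON events (one _source per
    line, as an Elasticsearch export would give) and return the flagged ones."""
    flagged = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        verdict = check_execve_consistency(json.loads(raw))
        if verdict["applicable"] and not verdict["args_trustworthy"]:
            flagged.append(verdict)
    return flagged


if __name__ == "__main__":
    for reason in check_execve_consistency(SAMPLE_EVENT)["reasons"]:
        print("untrusted args:", reason)
```

Run against the posted document, the check reports both the executable mismatch (/usr/bin/mkfifo vs /bin/bash) and the argc mismatch (2 vs 3), which is the signal an analyst needs to treat process.args as describing the shell rather than the command it launched. scan_ndjson is the same check applied to an exported stream of _source documents.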
