Elastic Endpoint Security - Testing detections - Whoami rule

Hi Folks,

I have installed elasticagent and enrolled my device via ingest manager. I have 3 integrations within my configuration:

  • System

  • Windows

  • Elastic Endpoint Security

I imported the Elastic Detection rules and activated these rules. When looking at the rules I noticed the following: "WhoAmI process activity" - Identifies use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system. - I figured such rules are created to detect potential threat actors who are "living off the land" - using legitimate tools for information gathering and to accomplish their goals.

I figured I would test this out by running a few whoami commands on my device (Windows 10) to see whether such activity would be registered within the detection dashboard in Kibana. Surprisingly nothing appeared! No detection. There are other detections appearing in Kibana, so I'm unsure at this point whether it's the rule itself which isn't picking up such activity.

Any ideas?

Hello @StephItUp!

Thanks for the question, and it's a good one.

I would assume that you're running Kibana 7.9.2, which doesn't have the updated Whoami Process Activity detection logic.

Currently, that rule uses the following detection logic for the winlogbeat-* index pattern:

process.name:whoami.exe and event.code:1

Since you're using the Endpoint, the index pattern would need to be updated to use logs-endpoint.events.* and the detection logic as follows:

event.category:process and event.type:(start or process_started) 
and process.name:whoami.exe

The above is reflected in our public Detection Rules repository for this rule and should be updated in the next release of Kibana.

Running this updated detection logic against the right index pattern returned the expected results:

In the event that you cannot wait for the update, you can clone the Detection Rules repository (linked above) and simply upload that rule using the upload-rules command for the detection_rules Python module.
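To make the index-pattern point concrete, here is an added example (not from this thread, Elastic's Detection Rules repository, or the detection_rules module) that evaluates both versions of the rule against constructed sample documents. It implements only the handful of field matches the two queries use, not a real KQL parser, and the `_index` values and event contents are made up to resemble Endpoint and Winlogbeat documents.

```python
"""Evaluate the two whoami rule queries from the thread against constructed events.

Added example: a minimal evaluator for the field matches used by the 7.9.2 rule
(winlogbeat-* / event.code:1) and the updated rule (logs-endpoint.events.* /
event.category + event.type). It is not a KQL parser and not Elastic's code.
"""
from fnmatch import fnmatchcase

# Constructed sample documents resembling what the Endpoint integration writes
# to its process data stream. None of them carries event.code, because that
# field comes from Sysmon/Windows event logs, not from the Endpoint sensor.
ENDPOINT_EVENTS = [
    {"_index": "logs-endpoint.events.process-default",
     "event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "whoami.exe", "args": ["whoami", "/priv"]}},
    {"_index": "logs-endpoint.events.process-default",
     "event": {"category": ["process"], "type": ["end"]},
     "process": {"name": "whoami.exe"}},
    {"_index": "logs-endpoint.events.process-default",
     "event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "cmd.exe"}},
]

# Constructed Sysmon event ID 1 document as Winlogbeat would ship it.
WINLOGBEAT_EVENT = {
    "_index": "winlogbeat-7.9.2-2020.10.01",
    "event": {"code": 1, "category": ["process"], "type": ["start"]},
    "process": {"name": "whoami.exe"},
}


def field_values(doc, path):
    """Return the values at a dotted ECS path as a list (scalars wrapped, missing -> [])."""
    node = doc
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    return node if isinstance(node, list) else [node]


def old_query(doc):
    """process.name:whoami.exe and event.code:1"""
    return ("whoami.exe" in field_values(doc, "process.name")
            and "1" in map(str, field_values(doc, "event.code")))


def new_query(doc):
    """event.category:process and event.type:(start or process_started) and process.name:whoami.exe"""
    return ("process" in field_values(doc, "event.category")
            and any(t in ("start", "process_started") for t in field_values(doc, "event.type"))
            and "whoami.exe" in field_values(doc, "process.name"))


# Rule definitions: index pattern(s) plus the query predicate.
OLD_RULE = {"name": "whoami rule as shipped in 7.9.2", "index": ["winlogbeat-*"], "query": old_query}
NEW_RULE = {"name": "whoami rule updated for Endpoint", "index": ["logs-endpoint.events.*"], "query": new_query}


def run_rule(rule, events):
    """Return positions of documents that are both in scope (index pattern) and match the query."""
    hits = []
    for i, doc in enumerate(events):
        # A document outside the rule's index pattern is never even examined.
        if not any(fnmatchcase(doc["_index"], pattern) for pattern in rule["index"]):
            continue
        if rule["query"](doc):
            hits.append(i)
    return hits


if __name__ == "__main__":
    for rule in (OLD_RULE, NEW_RULE):
        print(f'{rule["name"]}: endpoint hits={run_rule(rule, ENDPOINT_EVENTS)}, '
              f'winlogbeat hits={run_rule(rule, [WINLOGBEAT_EVENT])}')
```

Running it shows the situation described in the question: the shipped rule finds nothing in the Endpoint documents (wrong index pattern, and no event.code on them), while the updated rule flags only the whoami.exe process start, not the process end or other processes.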

Hi Andrew,

Correct on all fronts. I am running Kibana 7.9.2 and the detection rule applies to the winlogbeat-* index, which explains why it's not finding these events. Will try creating the rule in order to have it search through logs-endpoint.events.*

Thanks for the response! Very clear explanation!

