sequence by process.entity_id with maxspan = 30s
[process where event.type in ("start", "process_started") and process.name:("powershell.exe", "pwsh.exe","cmd.exe","wmic.exe","excel.exe") and process.command_line:("HP", "Connect.Service", "hidden","LoadFile")]
[file where event.type != "deletion" and file.path :("C:\ProgramData\KPIPrinter1259.ico")]
This is the behavior of an office malicious program. There are 2 items in it. There is no problem with each individual test, but after using the sequence keyword, there is no alarm. I really don’t know what is going on. I ask the teacher for help.
Hi 
, hopefully I can help. You stated that each individual query successfully returns the respective event.
Have you verified that the events occur within 30s, per the defined maxspan? The other thing to verify would be the process.entity_id of the two events, ensuring they match.
Lastly, though this would be extremely rare, on occasion, the timestamp of the file event could mistakenly precede the process event, which would result in the sequence not matching.
Hope this helps. If not, you could share a sanitized version of the two docs to dig deeper.
1 Like
Thank you for your reply, I confirmed that this event can happen within a few seconds, I also tried to remove process.entity_id but it still doesn't work, they are generated by a process powershell, will the timestamp be the same and cause no alarm
Are you able to share the two target events (with all sensitive data sanitized)? It would help to assess the issue.
password:SAHAEXPO22
file creation
C:\ProgramData\KPIPrinter1259
12:43:54:420, powershell.exe, 8920:9180, 0, FILE_truncate, C:\Users\diguoji\AppData\Local\Temp\WindowsTemp.txt
reg msedge.exe
S-1-5-21-3207859999-3463009947-1583894364-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
powershell
host && Powershell -WindowStyle hidden [Reflection.Assembly]::LoadFile('C:\ProgramData\KPIPrinter1259.ico');$Connect = New-Object HP.Program;$Connect.Service();
http network
get ip address
http://api.geoiplookup.net/?query
C2:
cloud.mofa-kpi-update.link
ip:
104.21.91.90
172.67.214.197
name server:
location:
REDACTED FOR PRIVACY, REDACTED FOR PRIVACY, AZ, REDACTED FOR PRIVACY, United States
username:
mofa-kpi-update
sec:
cloudflare
dll
sandbox
Are you able to provide the actual sanitized elasticsearch documents for the two events to better analyze your query.
(Please do not include any sensitive information. The main fields we need are those referenced in the query)
I'm sorry that I used elastic for too short time, and I still don't understand what you mean, but I still want to know if the command line of the same process performs multiple operations, it must be written as one item, or can write multiple items
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.