EQL rules are wrong, God help me


sequence by process.entity_id with maxspan = 30s
  [process where event.type in ("start", "process_started") and
    process.name : ("powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe", "excel.exe") and
    // `:` compares the whole field value, so bare words such as "HP" never match
    // a full command line; wildcards are needed for a substring match
    process.command_line : ("*HP*", "*Connect.Service*", "*hidden*", "*LoadFile*")]
  [file where event.type != "deletion" and
    // backslashes must be doubled in double-quoted EQL strings (or use a """raw""" string)
    file.path : ("C:\\ProgramData\\KPIPrinter1259.ico")]
This is the behavior of a malicious Office program. There are two items in it. There is no problem with each individual test, but after using the sequence keyword there is no alarm. I really don't know what is going on. I ask the teacher for help.

Hi, hopefully I can help. You stated that each individual query successfully returns its respective event.

Have you verified that the events occur within 30s, per the defined maxspan? The other thing to verify would be the process.entity_id of the two events, ensuring they match.

Lastly, though this would be extremely rare, on occasion, the timestamp of the file event could mistakenly precede the process event, which would result in the sequence not matching.

Hope this helps. If not, you could share a sanitized version of the two docs to dig deeper.

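To make the three checks above concrete (same process.entity_id on both documents, file event not earlier than the process event, both inside maxspan), here is an added example that is not part of this thread and not Elastic's EQL engine: a small Python simulation of how `sequence by process.entity_id with maxspan = 30s` pairs documents. It is run over constructed events that reuse the command line and .ico path from the rule; the entity_id values, timestamps and the four failure cases are assumptions made up for the demonstration. It also shows that the `:` operator compares the whole field value, so the bare terms "HP", "hidden" and so on in the posted rule only match a command line with wildcards around them.

```python
"""Simulation of EQL `sequence by <key> with maxspan` matching.

Added example, not code from the original thread and not Elastic's EQL
engine. It re-implements just enough of the rules (same `by` key, second
event not earlier than the first, pair inside maxspan, case-insensitive
wildcard `:` operator) to show why a sequence rule stays silent even though
each sub-query matches on its own. All event documents below are constructed.
"""
import re
from datetime import datetime, timedelta

MAXSPAN = timedelta(seconds=30)
ICO = r"C:\ProgramData\KPIPrinter1259.ico"
# command line from the thread, attached here to constructed events
CMDLINE = ("host && Powershell -WindowStyle hidden [Reflection.Assembly]::LoadFile("
           "'C:\\ProgramData\\KPIPrinter1259.ico');$Connect = New-Object HP.Program;"
           "$Connect.Service();")
LITERAL = ["HP", "Connect.Service", "hidden", "LoadFile"]            # as written in the posted rule
WILDCARD = ["*HP*", "*Connect.Service*", "*hidden*", "*LoadFile*"]  # substring form


def colon_match(value, patterns):
    """EQL `field : ("a", "b*")`: the WHOLE value must equal one of the patterns,
    case-insensitively; `*` and `?` are wildcards. A bare "HP" therefore only
    matches a field whose entire value is "hp"."""
    if value is None:
        return False
    for p in patterns:
        rx = re.escape(p).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, value, re.IGNORECASE):
            return True
    return False


def process_filter(e, cmdline_patterns):
    """First sub-query of the rule."""
    return (e["event.category"] == "process"
            and e["event.type"] in ("start", "process_started")
            and colon_match(e.get("process.name"),
                            ["powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe", "excel.exe"])
            and colon_match(e.get("process.command_line"), cmdline_patterns))


def file_filter(e):
    """Second sub-query of the rule."""
    return (e["event.category"] == "file"
            and e["event.type"] != "deletion"
            and colon_match(e.get("file.path"), [ICO]))


def sequence(events, first, second, key="process.entity_id", maxspan=MAXSPAN):
    """Emit (first, second) pairs as `sequence by key with maxspan` would: walk
    events in @timestamp order, remember the latest first-stage hit per key, and
    close the pair on a later second-stage hit with the same key only if it
    falls inside maxspan. Equal timestamps are ambiguous in Elasticsearch unless
    the search sets tiebreaker_field; the sort here is stable, so an
    equal-timestamp pair only matches if the process doc came first."""
    pending, matches = {}, []
    for e in sorted(events, key=lambda d: d["@timestamp"]):
        k = e.get(key)
        if first(e):
            pending[k] = e                      # newest first-stage hit wins
        elif second(e) and k in pending:
            head = pending.pop(k)
            if e["@timestamp"] - head["@timestamp"] <= maxspan:
                matches.append((head, e))
    return matches


T0 = datetime(2022, 1, 1, 12, 43, 54)   # constructed base time


def ev(category, etype, entity, offset_s, **fields):
    d = {"event.category": category, "event.type": etype,
         "process.entity_id": entity, "@timestamp": T0 + timedelta(seconds=offset_s)}
    d.update(fields)
    return d


PS = {"process.name": "powershell.exe", "process.command_line": CMDLINE}
FP = {"file.path": ICO}
EVENTS = [  # constructed documents; entity_id values are assumptions
    # A: what the rule should alert on: same entity_id, file written 3 s later
    ev("process", "start", "A:9180", 0, **PS), ev("file", "creation", "A:9180", 3, **FP),
    # B: file doc carries another entity_id (e.g. written by a child process)
    ev("process", "start", "B:100", 0, **PS), ev("file", "creation", "B:101", 3, **FP),
    # C: file doc timestamped before the process start it belongs to
    ev("process", "start", "C:200", 5, **PS), ev("file", "creation", "C:200", 2, **FP),
    # D: both docs fine, but 45 s apart, outside maxspan = 30s
    ev("process", "start", "D:300", 0, **PS), ev("file", "creation", "D:300", 45, **FP),
]


def stage_hits(cmdline_patterns, events=EVENTS):
    """How many docs each sub-query matches on its own (process hits, file hits)."""
    return (sum(process_filter(e, cmdline_patterns) for e in events),
            sum(file_filter(e) for e in events))


def sequence_hits(cmdline_patterns, events=EVENTS):
    """entity_id of every pair the full sequence would emit."""
    pairs = sequence(events, lambda e: process_filter(e, cmdline_patterns), file_filter)
    return [head["process.entity_id"] for head, _ in pairs]


if __name__ == "__main__":
    for label, pats in (("literal", LITERAL), ("wildcard", WILDCARD)):
        print(label, "stage hits:", stage_hits(pats), "sequence hits:", sequence_hits(pats))
```

Running it shows the two independent problems: with the literal terms the process stage matches nothing at all, and with wildcards only case A fires, while B (different entity_id), C (file before process) and D (outside maxspan) each match both stages individually yet never form a sequence. When debugging a real rule, pulling the two documents and comparing exactly these three fields (`process.entity_id`, `@timestamp`, and the full values the `:` terms are tested against) is the quickest way to see which case you are in.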

Thank you for your reply. I confirmed that these events happen within a few seconds. I also tried removing process.entity_id, but it still doesn't work. They are generated by one powershell process; will the timestamps be the same and cause no alarm?

Are you able to share the two target events (with all sensitive data sanitized)? It would help to assess the issue.

password:SAHAEXPO22

file creation
C:\ProgramData\KPIPrinter1259
12:43:54:420, powershell.exe, 8920:9180, 0, FILE_truncate, C:\Users\diguoji\AppData\Local\Temp\WindowsTemp.txt

reg msedge.exe
S-1-5-21-3207859999-3463009947-1583894364-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

powershell
host && Powershell -WindowStyle hidden [Reflection.Assembly]::LoadFile('C:\ProgramData\KPIPrinter1259.ico');$Connect = New-Object HP.Program;$Connect.Service();

http network
get ip address
http://api.geoiplookup.net/?query

C2:
cloud.mofa-kpi-update.link
ip:
104.21.91.90
172.67.214.197
name server:
ace.ns.cloudflare.com
bella.ns.cloudflare.com
location:
REDACTED FOR PRIVACY, REDACTED FOR PRIVACY, AZ, REDACTED FOR PRIVACY, United States
username:
mofa-kpi-update
sec:
cloudflare


Are you able to provide the actual sanitized Elasticsearch documents for the two events, so we can better analyze your query?

(Please do not include any sensitive information. The main fields we need are those referenced in the query)

I'm sorry, I have used Elastic for only a short time and still don't understand what you mean. But I still want to know: if the command line of the same process performs multiple operations, must it be written as one item, or can it be written as multiple items?