Field case sensitivity and detection rules not triggering 'clear-eventlog'

I have a new on-prem deployment of ELK 7.6.2 and have been working with the SIEM tool. Like in another post about not seeing a signal get triggered when clearing logs, I had the same issue. I worked through the Winlogbeat configuration and installed and deployed Sysmon on the Windows server I am testing with. After everything, and seeing the proper fields get populated, I still could not see the signal get triggered when I ran "powershell.exe clear-eventlog -logname security" on the test system.

The fields that were indexed were:

process.name => powershell.exe
event.action => Process Create (rule: ProcessCreate)
process.args => powershell.exe, clear-eventlog, -logname, application

Below is the default detection rule for "Clearing Windows Event Logs":

event.action:"Process Create (rule: ProcessCreate)" and (process.name:"wevtutil.exe" and process.args:"cl") or (process.name:"powershell.exe" and process.args:"Clear-EventLog")

It seems that when the field process.args is queried it is case sensitive, and it would not trigger if I used lower case. I made a duplicate of the default detection rule with the process.args query in lower case, and it of course triggered.

Is there a way to make the query case-insensitive, like it would be on a Windows system when the command is run? I did see some posts in other areas about this, but I didn't seem to find an answer.

Hey there Jim, thanks for the detailed writeup!

In this situation (since the process.args field is mapped as a keyword), to catch both permutations the query will need to be updated with an additional OR clause as shown below. There is also the regex query string syntax, but in testing I was unable to get it to work for this instance.

event.action:"Process Create (rule: ProcessCreate)" and
 (process.name:"wevtutil.exe" and process.args:"cl") or
 (process.name:"powershell.exe" and (process.args:"Clear-EventLog" or process.args:"clear-eventlog"))

While that's not too different from your duplicate rule workaround, ECS also has the process.command_line.text field, which will be case-insensitive when queried, and support for this field will be coming to the sysmon module in a future release.

Hopefully this was able to provide some context -- cheers! 🙂

Hello Garrett, thank you for the explanation. I think for this particular Detection Rule (Clear Logs), I will have to wait for the update for process.command_line.text support in the sysmon module. Otherwise, I would have to create a query with every permutation of the string "clear-eventlog".

Something to look forward to. 🙂

Hey again Jim,

So I chatted with a few folks on the rules team and the regex query string will indeed work here. Just be aware of possible performance implications.

Something like the below should work in this instance -- just be sure Lucene is selected at the right of the query bar:

event.action:"Process Create (rule: ProcessCreate)" AND ((process.name:wevtutil.exe AND process.args:cl) OR (process.name:powershell.exe AND process.args:/[Cc][Ll][Ee][Aa][Rr]-[Ee][Vv][Ee][Nn][Tt][Ll][Oo][Gg]/))

Best!
Garrett
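
An added example, not part of the original thread and not Elastic's own code: Python that generates the character-class regex from the reply above for any term and compares it with an exact keyword match on constructed process.args values. The helper names and sample events are assumptions, and Python's re.fullmatch stands in for Lucene's whole-term regex matching.

```python
import re

# Characters reserved by Lucene regular expression syntax; escaped with a backslash.
LUCENE_RESERVED = set('.?+*|{}[]()"\\#@&<>~')
PROCESS_CREATE = "Process Create (rule: ProcessCreate)"


def lucene_case_insensitive(token):
    """Build a Lucene regex body matching `token` in any ASCII letter case."""
    out = []
    for ch in token:
        if ch.isascii() and ch.isalpha():
            out.append(f"[{ch.upper()}{ch.lower()}]")
        elif ch in LUCENE_RESERVED:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def powershell_branch_matches(event, args_pattern):
    """Emulate the PowerShell branch of the rule for one event."""
    # Assumption: a keyword term is compared whole and a Lucene regex must
    # match the entire term, so re.fullmatch stands in for both.
    return (
        event["event.action"] == PROCESS_CREATE
        and event["process.name"] == "powershell.exe"
        and any(re.fullmatch(args_pattern, a) for a in event["process.args"])
    )


def make_event(cmdlet):
    """Constructed sample event shaped like the fields listed in the thread."""
    return {"event.action": PROCESS_CREATE, "process.name": "powershell.exe",
            "process.args": ["powershell.exe", cmdlet, "-logname", "application"]}


def compare(cmdlets, rule_term="Clear-EventLog"):
    """Return (cmdlet, exact keyword hit, regex hit) for each constructed event."""
    regex = lucene_case_insensitive(rule_term)
    return [(c, powershell_branch_matches(make_event(c), re.escape(rule_term)),
             powershell_branch_matches(make_event(c), regex)) for c in cmdlets]


if __name__ == "__main__":
    print("process.args:/" + lucene_case_insensitive("clear-eventlog") + "/")
    for row in compare(["clear-eventlog", "Clear-EventLog", "CLEAR-EVENTLOG", "Get-EventLog"]):
        print(row)
```

The generated body goes between the slashes of a Lucene `process.args:/.../` clause, so a rule author can produce the pattern for other keyword terms without typing each character class by hand.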
