Filter Windows Device Scanning from Direct Outbound SMB Connection rule

Hi,

We have been trying to filter out Windows device scanning from our Direct Outbound SMB Connection rule logs. As is mentioned in the first note of Configure device discovery | Microsoft Learn, these SMB connections are to be expected and can safely be filtered out.

We are currently using the 7.17 version of the Direct Outbound SMB Connection rule.

How can we go about filtering any PowerShell calls which simply run the linked script? The first event of any such message can be seen below.

Using exceptions to check if process.args contains C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\*.ps1 proved ineffective since exceptions don't seem to support wildcards. Furthermore, updating the rule to

sequence by process.entity_id
  [process where event.type == "start" and process.pid != 4 and not process.args like "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\*.ps1" ]
  [network where destination.port == 445 and process.pid != 4 and
     not cidrmatch(destination.ip, "127.0.0.1", "::1")]

made the rule time out. Any suggestions would be appreciated.

A relevant log entry:

{
  "_ignored": [
    "process.parent.args",
    "process.command_line",
    "process.parent.command_line",
    "process.args"
  ],
  "_source": {
    "related": {
      "hash": [
        "04029e121a0cfa5991749937dd22a1d9",
        "9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f",
        "7c955a0abc747f57ccc4324480737ef7"
      ],
      "user": "LOCAL SERVICE"
    },
    "winlog": {
      "event_data": {
        "FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
        "Description": "Windows PowerShell",
        "IntegrityLevel": "System",
        "Company": "Microsoft Corporation",
        "Product": "Microsoft® Windows® Operating System",
        "LogonGuid": "{baa1d99c-4f39-644f-0000-0020e5030000}",
        "TerminalSessionId": "0",
        "LogonId": "0x3e5"
      },
      "opcode": "Info",
      "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "event_id": "1",
      "user": {
        "type": "User",
        "name": "SYSTEM",
        "identifier": "S-1-5-18",
        "domain": "NT AUTHORITY"
      },
      "version": 5,
      "computer_name": "<redacted>",
      "task": "Process Create (rule: ProcessCreate)",
      "process": {
        "thread": {
          "id": 5980
        },
        "pid": 4268
      },
      "record_id": 384757,
      "api": "wineventlog",
      "provider_name": "Microsoft-Windows-Sysmon"
    },
    "agent": {
      "type": "winlogbeat",
      "version": "7.17.6",
      <redacted>
    },
    "ecs": {
      "version": "1.12.0"
    },
    "fields": {
      "ul": {
        "ingest": {
          "node": "<redacted>",
          "pipeline": "indexer_genericbeat",
          "role": "indexer",
          "type": "logstash"
        },
        "service": {
          <redacted>
        }
      }
    },
    "event": {
      "created": "2023-05-01T22:48:59.382Z",
      "code": "1",
      "type": [
        "start",
        "process_start"
      ],
      "category": [
        "process"
      ],
      "kind": "signal",
      "provider": "Microsoft-Windows-Sysmon",
      "module": "sysmon",
      "action": "Process Create (rule: ProcessCreate)"
    },
    "@version": "1",
    "tags": [
      "beats",
      "beats_input_codec_plain_applied",
      "passed_genericbeat_filter_2_metadata",
      "workstation",
      "other_containerd_format",
      "other_dockerd_format"
    ],
    "log": {
      "level": "information"
    },
    "hash": {
      "sha256": "9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f",
      "md5": "04029e121a0cfa5991749937dd22a1d9",
      "imphash": "7c955a0abc747f57ccc4324480737ef7"
    },
    "user": {
      "name": "LOCAL SERVICE",
      "id": "S-1-5-18",
      "domain": "NT AUTHORITY"
    },
    "host": {
     <redacted>
    },
    "process": {
      "pid": 1740,
      "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -File \"C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{D5066C9F-2476-4DE5-A1EC-74908582112A}.ps1\" -ParamsAsBase64 <redacted base64 string>",
      "hash": {
        "sha256": "9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f",
        "md5": "04029e121a0cfa5991749937dd22a1d9"
      },
      "parent": {
        "pid": 8876,
        "command_line": "C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command \"& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{D5066C9F-2476-4DE5-A1EC-74908582112A}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Get-FileHash 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{D5066C9F-2476-4DE5-A1EC-74908582112A}.ps1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq 'b35dd85ce5afb0e3a633edd0ffb76e824fc74ed20abb6a9aedb6c9d2d430b1e3')) { exit 323;};Start-Transcript -Path 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{D5066C9F-2476-4DE5-A1EC-74908582112A}.txt'; . 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{D5066C9F-2476-4DE5-A1EC-74908582112A}.ps1' -ParamsAsBase64 <redacted base64 string> -IsCompressed True}\"",
        "entity_id": "{baa1d99c-41d4-6450-0000-0010dd9c1908}",
        "name": "powershell.exe",
        "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "args": [
          "C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
          "-ExecutionPolicy",
          "Bypass",
          "-NoProfile",
          "-NonInteractive",
          "-Command",
          "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{D5066C9F-2476-4DE5-A1EC-74908582112A}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Get-FileHash 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{D5066C9F-2476-4DE5-A1EC-74908582112A}.ps1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq 'b35dd85ce5afb0e3a633edd0ffb76e824fc74ed20abb6a9aedb6c9d2d430b1e3')) { exit 323;};Start-Transcript -Path 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{D5066C9F-2476-4DE5-A1EC-74908582112A}.txt'; . 'C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{D5066C9F-2476-4DE5-A1EC-74908582112A}.ps1' -ParamsAsBase64 <redacted base64 string> -IsCompressed True}"
        ]
      },
      "name": "powershell.exe",
      "pe": {
        "original_file_name": "PowerShell.EXE",
        "description": "Windows PowerShell",
        "file_version": "10.0.19041.546 (WinBuild.160101.0800)",
        "company": "Microsoft Corporation",
        "product": "Microsoft® Windows® Operating System",
        "imphash": "7c955a0abc747f57ccc4324480737ef7"
      },
      "working_directory": "C:\\WINDOWS\\ServiceProfiles\\LocalService\\",
      "entity_id": "{baa1d99c-41d9-6450-0000-001033bf1b08}",
      "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "args": [
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "-ExecutionPolicy",
        "Bypass",
        "-NoProfile",
        "-NonInteractive",
        "-File",
        "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_{D5066C9F-2476-4DE5-A1EC-74908582112A}.ps1",
        "-ParamsAsBase64",
        "<redacted base64 string>"
      ]
    },
    "message": "<redacted>",
    "signal": {
      "status": "open",
      "original_event": {
        "created": "2023-05-01T22:48:59.382Z",
        "code": "1",
        "type": [
          "start",
          "process_start"
        ],
        "category": [
          "process"
        ],
        "kind": "event",
        "provider": "Microsoft-Windows-Sysmon",
        "module": "sysmon",
        "action": "Process Create (rule: ProcessCreate)"
      },
      "group": {
        "id": "1b551367d351f4c08e73d6607115a9f4c11692753d8e8f7e824ca18e20552eff",
        "index": 0
      }
    }
  }
}
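The following is an added example, not code from this thread and not Elastic's rule implementation. It prototypes in Python what the EQL sequence above does (a process start followed by an outbound port 445 connection from the same process.entity_id, excluding pid 4 and loopback) and then applies an arrayContains-style wildcard exception to process.args, so you can see which events an exception pattern would actually suppress before spending time on the rule itself. The sample events are constructed to mirror the log above; the script GUID, IP addresses, entity ids, pids and the pattern names are assumptions. It also shows a caveat visible in the log: the Defender for Endpoint parent process passes the script path embedded inside one long `-Command` argument, so a wildcard anchored at the start of the path only matches the `-File` child, not the parent.

```python
"""Prototype of the Direct Outbound SMB Connection sequence with an
arrayContains-style wildcard exception on process.args. Added example with
constructed sample events, not the original rule or the poster's data."""
import fnmatch
import ipaddress

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MDE_DIR = r"C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads"
# Constructed script name (the GUID is made up); only the directory comes from the log.
FAKE_SCRIPT = MDE_DIR + r"\PSScript_{00000000-0000-0000-0000-000000000001}.ps1"

# Pattern anchored at the start of the path: matches a whole args element only.
MDE_SCRIPT_GLOB = MDE_DIR + r"\PSScript_*.ps1"
# Pattern with wildcards on both ends: also matches a path embedded in a -Command string.
MDE_SCRIPT_ANYWHERE = "*" + MDE_DIR + r"\PSScript_*.ps1*"


def arg_matches(args, pattern):
    """arrayContains-style check: True if ANY element of process.args matches the
    whole wildcard pattern (case-insensitive, like EQL's ':' operator)."""
    pat = pattern.lower()
    return any(fnmatch.fnmatchcase(a.lower(), pat) for a in args)


def cidrmatch(ip, *cidrs):
    """Mirror of EQL cidrmatch(): True if ip is inside any of the CIDRs.
    A bare address such as "127.0.0.1" or "::1" is treated as a /32 or /128."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def run_rule(events, exception_globs=()):
    """Replay 'sequence by process.entity_id' over events ordered by @timestamp.
    Returns the sequences that would alert and those suppressed by an exception
    matching any process.args element of the START event."""
    starts = {}  # entity_id -> most recent qualifying process start event
    alerts, suppressed = [], []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev["category"] == "process" and ev["type"] == "start" and ev["pid"] != 4:
            starts[ev["entity_id"]] = ev
            continue
        if ev["category"] != "network":
            continue
        if ev["destination"]["port"] != 445 or ev["pid"] == 4:
            continue
        if cidrmatch(ev["destination"]["ip"], "127.0.0.1", "::1"):
            continue
        start = starts.get(ev["entity_id"])
        if start is None:
            continue  # no earlier start event for this entity: sequence never completes
        hit = (ev["entity_id"], ev["destination"]["ip"], start["args"][0])
        if any(arg_matches(start["args"], g) for g in exception_globs):
            suppressed.append(hit)
        else:
            alerts.append(hit)
    return {"alerts": alerts, "suppressed": suppressed}


def _start(ts, eid, pid, args):
    return {"@timestamp": ts, "category": "process", "type": "start",
            "entity_id": eid, "pid": pid, "args": args}


def _net(ts, eid, pid, ip, port=445):
    return {"@timestamp": ts, "category": "network", "entity_id": eid,
            "pid": pid, "destination": {"ip": ip, "port": port}}


# Constructed events modelled on the Sysmon log above (addresses and ids are made up).
SAMPLE_EVENTS = [
    # E1: the MDE discovery child, launched with -File <script>, as in the log
    _start("2023-05-01T22:48:59.382Z", "E1", 1740, [PS, "-ExecutionPolicy", "Bypass",
           "-NoProfile", "-NonInteractive", "-File", FAKE_SCRIPT, "-ParamsAsBase64", "QUFB"]),
    _net("2023-05-01T22:49:01.000Z", "E1", 1740, "10.20.30.40"),
    # E2: the MDE parent; the script path sits inside a single -Command element
    _start("2023-05-01T22:48:58.000Z", "E2", 8876, [PS, "-ExecutionPolicy", "Bypass",
           "-NoProfile", "-NonInteractive", "-Command",
           "& {. '" + FAKE_SCRIPT + "' -ParamsAsBase64 QUFB -IsCompressed True}"]),
    _net("2023-05-01T22:49:02.000Z", "E2", 8876, "10.20.30.41"),
    # E3: a script from a user temp directory; must keep alerting
    _start("2023-05-01T22:50:00.000Z", "E3", 5120, [PS, "-File", r"C:\Users\bob\AppData\Local\Temp\smbscan.ps1"]),
    _net("2023-05-01T22:50:03.000Z", "E3", 5120, "10.20.30.42"),
    # E4: loopback SMB, excluded by cidrmatch
    _start("2023-05-01T22:51:00.000Z", "E4", 6000, [r"C:\Windows\System32\net.exe", "use", r"\\127.0.0.1\c$"]),
    _net("2023-05-01T22:51:01.000Z", "E4", 6000, "127.0.0.1"),
    # E5: the System process (pid 4), excluded by pid != 4
    _start("2023-05-01T22:52:00.000Z", "E5", 4, ["System"]),
    _net("2023-05-01T22:52:01.000Z", "E5", 4, "10.20.30.43"),
    # E6: a 445 connection with no preceding start event for its entity_id
    _net("2023-05-01T22:53:00.000Z", "E6", 7000, "10.20.30.44"),
]

if __name__ == "__main__":
    for label, globs in [("no exception", ()), ("path glob", [MDE_SCRIPT_GLOB]),
                         ("anywhere glob", [MDE_SCRIPT_ANYWHERE])]:
        print(label, run_rule(SAMPLE_EVENTS, globs))
```

With no exception, E1, E2 and E3 alert; with the start-anchored pattern only the `-File` child (E1) is suppressed and the `-Command` parent (E2) still fires; with wildcards on both ends both MDE invocations are suppressed while the user-temp script (E3) still alerts. Whether the parent ever makes a 445 connection on your hosts is something to confirm from your own network events before widening the pattern that far.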

Hi @Thyrum ! Thank you for reaching out and apologies for the delayed response.

I'll have to follow up with our rules team to confirm, but based on the documentation around EQL, array lookups aren't currently supported, so the update to process.args like "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\*.ps1" wouldn't currently work. You can find more information around that here: EQL syntax reference | Elasticsearch Guide [8.7] | Elastic. For educational purposes, if it were supported, you would want to use arrayContains on process.args as it is an array type.

Doing some digging it looks like wildcard support was added in 8.4 as evidenced by this PR here: [Security Solution][Alerts] Detection engine wildcard exceptions by marshallmain · Pull Request #136147 · elastic/kibana · GitHub if you are able to upgrade to that version.

In the meantime, I'll look to connect with a member of our rules team to see if they may have thoughts on a workaround for you in 7.17.
