Hi, I am having problems with the `process.args` and `process.title` fields that Auditbeat pushes when a reverse shell is in use. For example, suppose I add the following auditd rule to the file `/etc/auditbeat/audit.rules.d/blueprint-energetic-bear.conf`:
-a exit,always -F arch=b64 -S execve -F path=/usr/bin/mkfifo -k test
Then I restart Auditbeat and set up a reverse shell to the machine: mkfifo test; /bin/bash -i -l 0<test 2>&1 | nc -l -p 4242 2>&1 >test
. Once I connect to this reverse shell from another machine I can issue the command mkfifo /tmp/test
. When I query Elasticsearch for this event I see that the command was indeed captured by Auditbeat. However, the pushed document (shown below) lists `process.args` and `process.title` as `/bin/bash -i -l`, and these are not the arguments I need. Rather, I need the arguments that were passed to `mkfifo` (i.e. `/tmp/test`).
Here is the pushed document:
{
"_index" : "auditbeat-7.8.1-2020.07.29-000001",
"_type" : "_doc",
"_id" : "z7KzvXMBoOZYadLU2Ynk",
"_score" : 0.0,
"_source" : {
"@timestamp" : "2020-08-05T08:19:07.359Z",
"user" : {
"group" : {
"id" : "0",
"name" : "root"
},
"filesystem" : {
"id" : "0",
"group" : {
"id" : "0",
"name" : "root"
},
"name" : "root"
},
"id" : "0",
"effective" : {
"name" : "root",
"group" : {
"name" : "root",
"id" : "0"
},
"id" : "0"
},
"saved" : {
"group" : {
"id" : "0",
"name" : "root"
},
"name" : "root",
"id" : "0"
},
"audit" : {
"id" : "0",
"name" : "root"
},
"name" : "root"
},
"host" : {
"name" : "blueprint-energetic-bear-auditbeat"
},
"world" : "blueprint",
"file" : {
"group" : "root",
"path" : "/usr/bin/mkfifo",
"device" : "00:00",
"inode" : "4098",
"mode" : "0755",
"uid" : "0",
"gid" : "0",
"owner" : "root"
},
"auditd" : {
"sequence" : 699893,
"result" : "success",
"data" : {
"syscall" : "execve",
"a2" : "563149b3a950",
"tty" : "pts1",
"argc" : "2",
"a1" : "5631499dc8f0",
"exit" : "0",
"arch" : "x86_64",
"a0" : "563149a117f0",
"a3" : "8"
},
"session" : "7613",
"summary" : {
"actor" : {
"secondary" : "root",
"primary" : "root"
},
"object" : {
"primary" : "/usr/bin/mkfifo",
"type" : "file"
},
"how" : "/usr/bin/mkfifo"
},
"paths" : [
{
"mode" : "0100755",
"name" : "/usr/bin/mkfifo",
"dev" : "08:01",
"cap_fe" : "0",
"cap_frootid" : "0",
"cap_fver" : "0",
"item" : "0",
"nametype" : "NORMAL",
"cap_fi" : "0",
"inode" : "4098",
"ogid" : "0",
"ouid" : "0",
"rdev" : "00:00",
"cap_fp" : "0"
},
{
"cap_fi" : "0",
"cap_fver" : "0",
"cap_fe" : "0",
"cap_fp" : "0",
"inode" : "2411",
"item" : "1",
"name" : "/lib64/ld-linux-x86-64.so.2",
"nametype" : "NORMAL",
"cap_frootid" : "0",
"dev" : "08:01",
"mode" : "0100755",
"ogid" : "0",
"ouid" : "0",
"rdev" : "00:00"
}
],
"message_type" : "syscall"
},
"service" : {
"type" : "auditd"
},
"agent" : {
"hostname" : "blueprint-energetic-bear",
"ephemeral_id" : "e15ee5e1-4a29-4f99-9caa-d583940cee55",
"id" : "3966fa21-f393-5aee-80b0-914283ba53c6",
"name" : "blueprint-energetic-bear-auditbeat",
"type" : "auditbeat",
"version" : "7.8.1"
},
"event" : {
"action" : "executed",
"outcome" : "success",
"module" : "auditd",
"timezone" : "+00:00",
"category" : "audit-rule"
},
"ecs" : {
"version" : "1.5.0"
},
"process" : {
"ppid" : 10106,
"executable" : "/bin/bash",
"env" : { },
"args" : [
"/bin/bash",
"-l",
"-i"
],
"pid" : 10386,
"working_directory" : "/root",
"start_time" : "2020-08-05T08:18:40.780Z",
"title" : "/bin/bash -l -i",
"name" : "bash"
},
"tags" : [
"test"
],
"container" : {
"id" : ""
},
"observer" : {
"hostname" : "blueprint-energetic-bear",
"ip" : [
"10.0.18.128",
"10.0.2.128",
"fe80::4001:aff:fe00:1280"
],
"mac" : [
"42:01:0a:00:12:80"
],
"geo" : {
"name" : "blueprint"
}
}
}
}
And here is my Auditbeat config file:
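---
# Auditbeat configuration as pasted in the report (indentation restored; the
# alphabetical key order suggests it was rendered by a template/dump tool).
# Values such as x.x.x.x and ${...} are the poster's redactions/env references.
auditbeat:
  modules:
    - audit_rule_files:
        - /etc/auditbeat/audit.rules.d/*.conf
      module: auditd
      include_warnings: true
      resolve_ids: true
      include_raw_message: true  # keeps the raw audit message on each event

http:
  enabled: true
  host: x.x.x.x
  port: '5067'

logging:
  level: debug  # debug output is verbose; consider info once the issue is diagnosed
  metrics:
    enabled: false
  to_eventlog: false
  to_files: false
  to_stderr: true
  to_syslog: false

monitoring:
  cluster_uuid: ZK15biAITP-jB5O8Y5XuQQ
  enabled: false

# NOTE(review): the pasted event carries agent.name
# "blueprint-energetic-bear-auditbeat"; this config names the beat differently,
# so confirm it is the config of the host that produced the event.
name: blueprint-buckeye-auditbeat

output:
  elasticsearch:
    enabled: true
    hosts:
      - https://x.x.x.x:9200
      - https://x.x.x.x:9200
      - https://x.x.x.x:9200
    password: ${OUTPUT_PASS}
    ssl:
      # The doubled "//" is harmless on Linux but looks like a path-join artifact.
      certificate: /etc/auditbeat/certs//beats.crt
      certificate_authorities: /etc/auditbeat/certs//ca.crt
      enabled: true
      key: /etc/auditbeat/certs//beats.p1
      key_passphrase: ${OUTPUT_CERT_KEY_PASSPHRASE}
      # "none" disables verification of the Elasticsearch server certificate, so
      # the CA configured above never authenticates the peer and the
      # ${OUTPUT_USER}/${OUTPUT_PASS} credentials are sent to whichever host
      # answers. "full" is the hardened setting once the certificate chain matches
      # the hostnames in "hosts".
      verification_mode: none
    username: ${OUTPUT_USER}

path:
  config: /etc/auditbeat
  data: /var/lib/auditbeat
  home: /usr/share/auditbeat
  logs: /var/log/auditbeat

processors:
  - add_id: null
  - add_locale: null
  - community_id: null
  - add_process_metadata:
      # NOTE(review): the pasted auditd event has no system.process.ppid field
      # (its pid/ppid live under process.pid / process.ppid). If the processor
      # resolves the parent pid, the enrichment describes the parent shell rather
      # than the executed command, which would match the bash args seen in the
      # event -- confirm against the add_process_metadata documentation.
      match_pids:
        - system.process.ppid
      restricted_fields: true
  - add_fields:
      fields:
        world: blueprint
      target: ''  # empty target puts "world" at the event root, as in the pasted document
  - add_observer_metadata:
      geo:
        name: blueprint

setup:
  ilm:
    check_exists: false
    enabled: true
    overwrite: false
    pattern: '{now/d}-000001'
    rollover_alias: auditbeat-%{[agent.version]}
  template:
    settings:
      index:
        number_of_shards: 1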