Problem with PowerShell security rules that use process.args

The Problem

Rules that are based on PowerShell, like Disabling Windows Defender Security Settings via PowerShell and Windows Firewall Disabled via PowerShell, are not giving alerts back.

Windows Firewall Disabled via PowerShell | Elastic Security Solution [8.6] | Elastic

Disabling Windows Defender Security Settings via PowerShell | Elastic Security Solution [8.6] | Elastic

These are the queries those rules filter on; they use the process.args field to filter on commands:

process where event.type == "start" and
  (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
   process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and
  process.args : "Set-MpPreference" and
  process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")

process where event.action == "start" and
  (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
   process.pe.original_file_name == "PowerShell.EXE") and
  process.args : "*Set-NetFirewallProfile*" and
  (process.args : "*-Enabled*" and process.args : "*False*") and
  (process.args : "*-All*" or process.args : ("*Public*", "*Domain*", "*Private*"))

Most of the powershell.exe args are empty and the rules check on the args.

The operational logs of PowerShell seem to have the data I need.

To grab this data into Elastic I will need a custom Windows log integration.

Does not use the process.args field

Anyone who has an idea what I am doing wrong here?

I could edit the rule to filter on winlog.event_data.ScriptBlockText, but I would like to know why the process.args field isn't working.

Hey @Maretti ,

Is there a reason why you don't use the Windows or Defend integration?
If you want to use the Custom Windows Event integration you need to set up a pipeline under advanced options to normalize your data. Have a look at the Windows integration.

Regards,

Sebastian

Hi,

I did use the Windows and Defend integrations. I tested it the wrong way.

In the first log entry we do get the arguments, and the process is run like this:

powershell.exe Set-NetFirewallProfile -Enabled True

In the second one we do not get the arguments, and the process is run like this:

Set-NetFirewallProfile -Enabled False
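The reason the second launch style produces no alert is visible when the rule logic is replayed over both kinds of records: a process start event only carries the command line that powershell.exe itself was started with, so a cmdlet typed into an already running session never shows up in process.args, while PowerShell script block logging (event ID 4104 in Microsoft-Windows-PowerShell/Operational) records the text regardless of how it was entered. The following Python script is an added example written for this thread, not code from Elastic or from the original poster. It re-implements the two rules quoted in the first post as plain functions (the EQL `:` operator is approximated with case-insensitive wildcard matching over each array element, and the `process.name` / `process.pe.original_file_name` alternatives are merged into one helper), runs them over four constructed sample records, and adds the ScriptBlockText-based variant the original poster suggested. The sample records, their `id` values and the use of `event.code == "4104"` as the script block selector are assumptions made for the example.

```python
import fnmatch

PS_NAMES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
PS_ORIGINAL_NAMES = ("powershell.exe", "pwsh.dll", "powershell_ise.exe")

# Constructed sample records (not taken from the thread or from real hosts).
# The layout follows ECS for process events and winlog.* for the script
# block record; the values are invented for illustration.
SAMPLE_EVENTS = [
    {   # 1: cmdlet passed on the powershell.exe command line -> args populated
        "id": 1,
        "event": {"action": "start"},
        "process": {"name": "powershell.exe",
                    "args": ["powershell.exe", "Set-NetFirewallProfile",
                             "-All", "-Enabled", "False"]},
    },
    {   # 2: same launch style, but the firewall is being turned back on
        "id": 2,
        "event": {"action": "start"},
        "process": {"name": "powershell.exe",
                    "args": ["powershell.exe", "Set-NetFirewallProfile",
                             "-All", "-Enabled", "True"]},
    },
    {   # 3: interactive session started with no arguments; the cmdlet typed
        #    later never creates a new process, so args stay at the binary name
        "id": 3,
        "event": {"action": "start"},
        "process": {"name": "powershell.exe", "args": ["powershell.exe"]},
    },
    {   # 4: script block logging record (event ID 4104) for what was typed in 3
        "id": 4,
        "event": {"provider": "Microsoft-Windows-PowerShell", "code": "4104"},
        "winlog": {"event_data": {
            "ScriptBlockText": "Set-NetFirewallProfile -All -Enabled False"}},
    },
]


def wildcard_any(values, patterns):
    """EQL-style `field : ("a*", "*b*")`: case-insensitive wildcard match of
    any pattern against any element of a multi-valued field."""
    if isinstance(patterns, str):
        patterns = (patterns,)
    pats = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(v.lower(), p) for v in values for p in pats)


def is_powershell(proc):
    """The process.name / process.pe.original_file_name clause of both rules."""
    name = proc.get("name", "").lower()
    original = proc.get("pe", {}).get("original_file_name", "").lower()
    return name in PS_NAMES or original in PS_ORIGINAL_NAMES


def firewall_disabled(tokens):
    """Condition of 'Windows Firewall Disabled via PowerShell' applied to a
    token list (process.args, or ScriptBlockText split on whitespace)."""
    return (wildcard_any(tokens, "*Set-NetFirewallProfile*")
            and wildcard_any(tokens, "*-Enabled*")
            and wildcard_any(tokens, "*False*")
            and (wildcard_any(tokens, "*-All*")
                 or wildcard_any(tokens, ("*Public*", "*Domain*", "*Private*"))))


def defender_settings_disabled(tokens):
    """Condition of 'Disabling Windows Defender Security Settings via PowerShell'."""
    return (wildcard_any(tokens, "Set-MpPreference")
            and wildcard_any(tokens, ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")))


def rule_process_args(event, condition=firewall_disabled):
    """The rule as published: process start + PowerShell binary + args condition."""
    if event.get("event", {}).get("action") != "start":
        return False
    proc = event.get("process", {})
    return is_powershell(proc) and condition(proc.get("args", []))


def rule_script_block(event, condition=firewall_disabled):
    """The fallback from the first post: the same condition evaluated on
    winlog.event_data.ScriptBlockText from script block logging (4104)."""
    if event.get("event", {}).get("code") != "4104":
        return False
    text = event.get("winlog", {}).get("event_data", {}).get("ScriptBlockText", "")
    return condition(text.split())


def run_rules(events):
    """Return {event id: [names of rules that fired]} for every event."""
    rules = (("process_args", rule_process_args), ("script_block", rule_script_block))
    return {ev["id"]: [name for name, rule in rules if rule(ev)] for ev in events}


if __name__ == "__main__":
    for event_id, fired in run_rules(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {fired or ['no alert']}")
```

Running it shows event 1 caught by the process.args rule, event 2 correctly ignored, event 3 producing nothing because its args contain only the binary name, and event 4 caught only by the script block variant. Note that the published firewall rule also requires `-All` or a profile name, so a bare `Set-NetFirewallProfile -Enabled False` does not match it even when the arguments are present.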
