RegEx / RegExp NOT Condition Help


(t3chyphil) #1

Hi everyone,

I'm struggling to figure this out having spent many hours looking at it. Essentially, I have a winlogbeat.yml configuration to drop multiple events. This has been working fine for months. I wanted to add another condition to the list.

Drop all events with the event_id = 4688 AND event_data.CommandLine where it does NOT match [regex].

  • drop_event.when:
    and:
    - equals.event_id: '4688'
    - not.regexp.event_data.CommandLine : '.\powershell.exe.-[Ee^]{1,2}[NnCcOoDdEeMmAa^]\s[A-Za-z0-9+/=]{5,}'

Basically, events 4688 are created anytime a process is launched. I'm not interested in capturing every process launched. I'm only wanting to log suspicious processes. In my case, I've created a regexp to find "powershell.exe -EncodedCommand". (99% likely to be trying to launch a malicious payload).

For the life of me, I can't figure it out why it's not working. It's forwarding all events with 4688 regardless. Perhaps a fresh set of eyes could take a look at this for me, please? I'm certain the regex is working, it's probably a matter of where it sits in the yml file.

processors:
 - drop_event.when:
     or:
       - equals.event_data.Application : '-'
       - regexp.event_data.Application : '\\appidcertstorecheck\.exe$'
       - regexp.event_data.Application : '\\googleupdate\.exe$'
       - regexp.event_data.Application : '\\dropboxupdate\.exe$'
       - regexp.event_data.Application : '\\wifitask\.exe$'
       - equals.event_data.Application : 'windows\system32\installagentuserbroker.exe'
       - regexp.event_data.DestAddress : '^2(?:2[4-9]|3\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d?|0)){3}$'
       - regexp.event_data.DestAddress : '^ff02::.*'
       - equals.event_data.DestAddress : '255.255.255.255'
       - equals.event_data.DestAddress : '10.4.3.255'
       - equals.event_data.DestAddress : '10.12.47.255'
       - equals.event_data.DestAddress : '10.12.51.255'
       - equals.event_data.DestAddress : '10.12.55.255'
       - equals.event_data.DestAddress : '169.254.255.255'
       - equals.event_data.DestAddress : '172.30.3.255'
       - regexp.event_data.DestAddress : '^192\.168\.[0-2]\.255$'
       - equals.event_data.SourcePort : '5355'
       - equals.user_data.FileHash : '6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B'
       - equals.user_data.FileHash : 'E8A9F9C558304D66782332598C350EE351A9F8E7601576D5841B7DBF3A08EC30'
       - regexp.user_data.FilePath : '^%OSDRIVE%\\USERS\\[a-zA-Z0-9]*(\.| )[a-zA-Z0-9]*(\.[a-zA-Z0-9]*)?\\APPDATA\\LOCAL\\TEMP\\{[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}}\.BAT$'
       - regexp.user_data.FilePath : '^%OSDRIVE%\\USERS\\[a-zA-Z0-9-'']*(\.| )?[a-zA-Z0-9-'']*(\.[a-zA-Z0-9-'']*)?(.[0-9]{3})?\\APPDATA\\LOCAL\\TEMP\\__PSSCRIPTPOLICYTEST_[a-zA-Z0-9]*\.[a-zA-Z0-9]*\.PS(M)?1$'
       - regexp.user_data.FilePath : '^%OSDRIVE%\\INTEL\\GFXCPLBATCHFILES\\{[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}}\.BAT$'
       - and:
         - regexp.event_data.Application : 'windows\\system32\\svchost\.exe$'
         - or:
           - equals.event_data.SourcePort : '53'
           - equals.event_data.DestPort : '53'
 # drop when ((event_id = '4688' AND !(CommandLine Powershell -encodedCommand )))
       - and:
         - equals.event_id: '4688'
         - not.regexp.event_data.CommandLine : '.*\\powershell\.exe.*\-[Ee^]{1,2}[NnCcOoDdEeMmAa^]*\s*[A-Za-z0-9+\/=]{5,}'

Here's a link to the regex I'm trying to pattern match. https://regex101.com/r/O5MHur/1
I'm only interested in forwarding events that match and drop the rest. Which is why I want to NOT regex match.

Thank you


(t3chyphil) #2

Hey all,

Don't worry I've resolved it. Here's the working code below in case anybody else comes across this post.

I had to alter the Regexp and shuffled the indenting around. It's working as expected. It'll basically drop any launched process on a computer that doesnt have "powershell.exe -enc/encodedcommand etc"

You have to enable more auditing options using GPO of the workstations you wish to monitor. Credit and more information can be found > https://www.splunk.com/blog/2017/07/06/hellsbells-lets-hunt-powershells.html

Thank you

processors:
 - drop_event.when:
     or:
       - equals.event_data.Application : '-'
       - regexp.event_data.Application : '\\appidcertstorecheck\.exe$'
       - regexp.event_data.Application : '\\googleupdate\.exe$'
       - regexp.event_data.Application : '\\dropboxupdate\.exe$'
       - regexp.event_data.Application : '\\wifitask\.exe$'
       - equals.event_data.Application : 'windows\system32\installagentuserbroker.exe'
       - regexp.event_data.DestAddress : '^2(?:2[4-9]|3\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d?|0)){3}$'
       - regexp.event_data.DestAddress : '^ff02::.*'
       - equals.event_data.DestAddress : '255.255.255.255'
       - equals.event_data.DestAddress : '10.4.3.255'
       - equals.event_data.DestAddress : '10.12.47.255'
       - equals.event_data.DestAddress : '10.12.51.255'
       - equals.event_data.DestAddress : '10.12.55.255'
       - equals.event_data.DestAddress : '169.254.255.255'
       - equals.event_data.DestAddress : '172.30.3.255'
       - regexp.event_data.DestAddress : '^192\.168\.[0-2]\.255$'
       - equals.event_data.SourcePort : '5355'
       - equals.user_data.FileHash : '6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B'
       - equals.user_data.FileHash : 'E8A9F9C558304D66782332598C350EE351A9F8E7601576D5841B7DBF3A08EC30'
       - regexp.user_data.FilePath : '^%OSDRIVE%\\USERS\\[a-zA-Z0-9]*(\.| )[a-zA-Z0-9]*(\.[a-zA-Z0-9]*)?\\APPDATA\\LOCAL\\TEMP\\{[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}}\.BAT$'
       - regexp.user_data.FilePath : '^%OSDRIVE%\\USERS\\[a-zA-Z0-9-'']*(\.| )?[a-zA-Z0-9-'']*(\.[a-zA-Z0-9-'']*)?(.[0-9]{3})?\\APPDATA\\LOCAL\\TEMP\\__PSSCRIPTPOLICYTEST_[a-zA-Z0-9]*\.[a-zA-Z0-9]*\.PS(M)?1$'
       - regexp.user_data.FilePath : '^%OSDRIVE%\\INTEL\\GFXCPLBATCHFILES\\{[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}}\.BAT$'
       - and:
         - regexp.event_data.Application : 'windows\\system32\\svchost\.exe$'
         - or:
           - equals.event_data.SourcePort : '53'
           - equals.event_data.DestPort : '53'
       - and:
         - equals.event_id : 4688
         - not.regexp.event_data.CommandLine : '(?i)^.*Powershell\.exe.*\-[Ee^]{1,2}[NnCcOoDdEeMmAa^]*\s*[A-Za-z0-9+\/=]{5,}'


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.