Hi everyone,
I'm struggling to figure this out having spent many hours looking at it. Essentially, I have a winlogbeat.yml configuration to drop multiple events. This has been working fine for months. I wanted to add another condition to the list.
Drop all events with the event_id = 4688 AND event_data.CommandLine where it does NOT match [regex].
- drop_event.when:
and:
- equals.event_id: '4688'
- not.regexp.event_data.CommandLine : '.\powershell.exe.-[Ee^]{1,2}[NnCcOoDdEeMmAa^]\s[A-Za-z0-9+/=]{5,}'
Basically, events 4688 are created anytime a process is launched. I'm not interested in capturing every process launched. I'm only wanting to log suspicious processes. In my case, I've created a regexp to find "powershell.exe -EncodedCommand". (99% likely to be trying to launch a malicious payload).
For the life of me, I can't figure it out why it's not working. It's forwarding all events with 4688 regardless. Perhaps a fresh set of eyes could take a look at this for me, please? I'm certain the regex is working, it's probably a matter of where it sits in the yml file.
processors:
- drop_event.when:
or:
- equals.event_data.Application : '-'
- regexp.event_data.Application : '\\appidcertstorecheck\.exe$'
- regexp.event_data.Application : '\\googleupdate\.exe$'
- regexp.event_data.Application : '\\dropboxupdate\.exe$'
- regexp.event_data.Application : '\\wifitask\.exe$'
- equals.event_data.Application : 'windows\system32\installagentuserbroker.exe'
- regexp.event_data.DestAddress : '^2(?:2[4-9]|3\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d?|0)){3}$'
- regexp.event_data.DestAddress : '^ff02::.*'
- equals.event_data.DestAddress : '255.255.255.255'
- equals.event_data.DestAddress : '10.4.3.255'
- equals.event_data.DestAddress : '10.12.47.255'
- equals.event_data.DestAddress : '10.12.51.255'
- equals.event_data.DestAddress : '10.12.55.255'
- equals.event_data.DestAddress : '169.254.255.255'
- equals.event_data.DestAddress : '172.30.3.255'
- regexp.event_data.DestAddress : '^192\.168\.[0-2]\.255$'
- equals.event_data.SourcePort : '5355'
- equals.user_data.FileHash : '6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B'
- equals.user_data.FileHash : 'E8A9F9C558304D66782332598C350EE351A9F8E7601576D5841B7DBF3A08EC30'
- regexp.user_data.FilePath : '^%OSDRIVE%\\USERS\\[a-zA-Z0-9]*(\.| )[a-zA-Z0-9]*(\.[a-zA-Z0-9]*)?\\APPDATA\\LOCAL\\TEMP\\{[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}}\.BAT$'
- regexp.user_data.FilePath : '^%OSDRIVE%\\USERS\\[a-zA-Z0-9-'']*(\.| )?[a-zA-Z0-9-'']*(\.[a-zA-Z0-9-'']*)?(.[0-9]{3})?\\APPDATA\\LOCAL\\TEMP\\__PSSCRIPTPOLICYTEST_[a-zA-Z0-9]*\.[a-zA-Z0-9]*\.PS(M)?1$'
- regexp.user_data.FilePath : '^%OSDRIVE%\\INTEL\\GFXCPLBATCHFILES\\{[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}}\.BAT$'
- and:
- regexp.event_data.Application : 'windows\\system32\\svchost\.exe$'
- or:
- equals.event_data.SourcePort : '53'
- equals.event_data.DestPort : '53'
# drop when ((event_id = '4688' AND !(CommandLine Powershell -encodedCommand )))
- and:
- equals.event_id: '4688'
- not.regexp.event_data.CommandLine : '.*\\powershell\.exe.*\-[Ee^]{1,2}[NnCcOoDdEeMmAa^]*\s*[A-Za-z0-9+\/=]{5,}'
Here's a link to the regex I'm trying to pattern match. https://regex101.com/r/O5MHur/1
I'm only interested in forwarding events that match and drop the rest. Which is why I want to NOT regex match.
Thank you