Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Winlogbeat] Add Powershell logging module #16262

Closed
1 of 6 tasks
andrewkroh opened this issue Feb 11, 2020 · 6 comments · Fixed by #18526
Closed
1 of 6 tasks

[Winlogbeat] Add Powershell logging module #16262

andrewkroh opened this issue Feb 11, 2020 · 6 comments · Fixed by #18526
Assignees
@marc-gr
Labels
enhancement Winlogbeat

Comments

@andrewkroh
Copy link
Member

andrewkroh commented Feb 11, 2020
edited
Loading

Add a new Winlogbeat module to collect logs from PowerShell. This will collect information about the scripts and modules that are being executed.

# The module will process events based on this config.
winlogbeat.event_logs:
- name: Microsoft-Windows-PowerShell/Operational
  event_ids: 4103, 4104

- name: Windows PowerShell
  event_id: 400, 800
  • 4103 - module logging
  • 4104 - script block logging (first time it runs)
  • 4105 - Command started (maybe handle this event?) (not on by default in windows)
  • 4106 - Command completed (maybe handle this event?) (not on by default in windows)

References:

Module Checklist

  • Supported versions are documented
  • Supported operating systems are documented (if applicable)
  • Automated checks that all fields are documented
  • Documentation
  • Fields follow ECS and naming conventions
  • Dashboards to show the data
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@gwsales
Copy link

gwsales commented Feb 20, 2020

PowerShell module logging has been working well for me, and for parsing on 4103 and 800 you can pull apart the param fields, I'm currently doing this with a dissect parser.

example:

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103
    processors:
      - dissect:
          when:
            has_fields: ['winlog.event_data.ContextInfo']
          tokenizer: "        Severity = %{Severity}\n        Host Name = %{HostName}\n        Host Version = %{HostVersion}\n        Host ID = %{HostID}\n        Host Application = %{HostApplication}\n        Engine Version = %{EngineVersion}\n        Runspace ID = %{RunspaceID}\n        Pipeline ID = %{PipelineID}\n        Command Name = %{CommandName}\n        Command Type = %{CommandType}\n        Script Name = %{ScriptName}\n        Command Path = %{CommandPath}\n        Sequence Number = %{SequenceNumber}\n        User = %{User}\n        Connected User = %{ConnectedUser}\n        Shell ID = %{ShellID}"
          field: "winlog.event_data.ContextInfo"
          target_prefix: "winlog.event_data.powershell"

If you added an enhancement here, I'd recommend doing the key-value extraction more efficiently (if possible) and adding in an option to tail powershell transcript directories as a separate module.

Also please don't forget about "Windows PowerShell" event code 400 and 800, they are absolute gold.

  - name: Windows PowerShell
    event_id: 400, 800
    processors:
      - dissect:
          when:
            equals.winlog.event_id: 400
          tokenizer: "\tNewEngineState=%{NewEngineState}\n\tPreviousEngineState=%{PreviousEngineState}\n\n\tSequenceNumber=%{SequenceNumber}\n\n\tHostName=%{HostName}\n\tHostVersion=%{HostVersion}\n\tHostId=%{HostId}\n\tHostApplication=%{HostApplication}\n\tEngineVersion=%{EngineVersion}\n\tRunspaceId=%{RunspaceId}\n\tPipelineId=%{PipelineId}\n\tCommandName=%{CommandName}\n\tCommandType=%{CommandType}\n\tScriptName=%{ScriptName}\n\tCommandPath=%{CommandPath}\n\tCommandLine=%{CommandLine}"
          field: "winlog.event_data.param3"
          target_prefix: "winlog.event_data.powershell"
      - dissect:
          when:
            equals.winlog.event_id: 800
          tokenizer: "\tDetailSequence=%{DetailSequence}\n\tDetailTotal=%{DetailTotal}\n\n\tSequenceNumber=%{SequenceNumber}\n\n\tUserId=%{UserId}\n\tHostName=%{HostName}\n\tHostVersion=%{HostVersion}\n\tHostId=%{HostId}\n\tHostApplication=%{HostApplication}\n\tEngineVersion=%{EngineVersion}\n\tRunspaceId=%{RunspaceId}\n\tPipelineId=%{PipelineId}\n\tScriptName=%{ScriptName}\n\tCommandLine=%{CommandLine}"
          field: "winlog.event_data.param2"
          target_prefix: "winlog.event_data.powershell"

@andrewkroh
Copy link
Member Author

Also please don't forget about "Windows PowerShell" event code 400 and 800, they are absolute gold.

Thanks for the reminder. I had those two IDs in my notes about creating this issue but forgot to add them. We'll make sure to take a look at that log as well. The same dissect approach for those is probably what I'd use.

adding in an option to tail powershell transcript directories as a separate module

These are text files, right? That would take some effort to do in Winlogbeat. We'd need a mashup of Filebeat + Winlogbeat.

@gwsales
Copy link

gwsales commented Feb 21, 2020

Yes these are text files that are dropped in directories based on date. Really a filebeat agent is better for this so I'd exclude it for winlogbeat, I just wanted to mention it since it is in the link you had above and frequently talked about.

@marc-gr marc-gr mentioned this issue May 14, 2020
Merged
20 tasks
marc-gr added a commit to marc-gr/beats that referenced this issue May 27, 2020
@marc-gr
Add winlogbeat powershell module
873dbd0 
Initial support for event ids: 400, 403, 600, 800, 4103, 4014, 4105, 4106
Add fields documentation
Add powershell module dashboard

Closes elastic#16262
marc-gr added a commit that referenced this issue May 28, 2020
@marc-gr
Add winlogbeat powershell module (#18526)
f4019d5 
Initial support for event ids: 400, 403, 600, 800, 4103, 4014, 4105, 4106
Add fields documentation
Add powershell module dashboard

Closes #16262
marc-gr added a commit to marc-gr/beats that referenced this issue May 28, 2020
@marc-gr
Add winlogbeat powershell module (elastic#18526)
7cae739 
Initial support for event ids: 400, 403, 600, 800, 4103, 4014, 4105, 4106
Add fields documentation
Add powershell module dashboard

Closes elastic#16262

(cherry picked from commit f4019d5)
@marc-gr marc-gr mentioned this issue May 28, 2020
Merged
20 tasks
marc-gr added a commit that referenced this issue May 28, 2020
@marc-gr
Add winlogbeat powershell module (#18526) (#18819)
f4e97c5 
Initial support for event ids: 400, 403, 600, 800, 4103, 4014, 4105, 4106
Add fields documentation
Add powershell module dashboard

Closes #16262

(cherry picked from commit f4019d5)
@SwiftOnSecurity
Copy link

SwiftOnSecurity commented Dec 15, 2020
edited
Loading

Thanks for your work. For clarification for others - do the event ID's have to be hardcoded in the winlogbeat.yml for this to be picked up, or will simply ingesting the PowerShell log perform this work?

Also, what if the events are forwarded to a non-standard log like "Forwarded Events."

Basically my question is, how does it know to perform these actions? What's the criteria?

@andrewkroh
Copy link
Member Author

Also, what if the events are forwarded to a non-standard log like "Forwarded Events."

In that case you can apply the script processor to the ForwardedEvents log.

  • Docs - Winlogbeat - Modules - Usage with Forwarded Events
  • Example:

    beats/x-pack/winlogbeat/winlogbeat.yml

    Lines 57 to 79 in ff9e3e7

    - name: ForwardedEvents
    tags: [forwarded]
    processors:
    - script:
    when.equals.winlog.channel: Security
    lang: javascript
    id: security
    file: ${path.home}/module/security/config/winlogbeat-security.js
    - script:
    when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
    lang: javascript
    id: sysmon
    file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
    - script:
    when.equals.winlog.channel: Windows PowerShell
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
    - script:
    when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

do the event ID's have to be hardcoded in the winlogbeat.yml for this to be picked up, or will simply ingesting the PowerShell log perform this work?

The event_ids filter is optional. The documentation lists what event IDs are processed by the module and the filters in the config examples reflect those same. IDs. If you omit the filter then any event IDs that are not handled by the module will simply pass through (source code) without any additional processing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@marc-gr marc-gr

Labels
enhancement Winlogbeat
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Winlogbeat] Add Powershell logging module marc-gr/beats
5 participants
@andrewkroh @marc-gr @elasticmachine @SwiftOnSecurity @gwsales