[Winlogbeat] Add Powershell logging module

[andrewkroh]

Add a new Winlogbeat module to collect logs from PowerShell. This will collect information about the scripts and modules that are being executed.

# The module will process events based on this config.
winlogbeat.event_logs:
- name: Microsoft-Windows-PowerShell/Operational
  event_ids: 4103, 4104

- name: Windows PowerShell
  event_id: 400, 800

• 4103 - module logging
• 4104 - script block logging (first time it runs)
• 4105 - Command started (maybe handle this event?) (not on by default in windows)
• 4106 - Command completed (maybe handle this event?) (not on by default in windows)

References:

• https://devblogs.microsoft.com/powershell/powershell-the-blue-team/

Module Checklist

• Supported versions are documented
• Supported operating systems are documented (if applicable)
• Automated checks that all fields are documented
• Documentation
• Fields follow ECS and naming conventions
• Dashboards to show the data

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[gwsales]

PowerShell module logging has been working well for me, and for parsing on 4103 and 800 you can pull apart the param fields, I'm currently doing this with a dissect parser.

example:

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103
    processors:
      - dissect:
          when:
            has_fields: ['winlog.event_data.ContextInfo']
          tokenizer: "        Severity = %{Severity}\n        Host Name = %{HostName}\n        Host Version = %{HostVersion}\n        Host ID = %{HostID}\n        Host Application = %{HostApplication}\n        Engine Version = %{EngineVersion}\n        Runspace ID = %{RunspaceID}\n        Pipeline ID = %{PipelineID}\n        Command Name = %{CommandName}\n        Command Type = %{CommandType}\n        Script Name = %{ScriptName}\n        Command Path = %{CommandPath}\n        Sequence Number = %{SequenceNumber}\n        User = %{User}\n        Connected User = %{ConnectedUser}\n        Shell ID = %{ShellID}"
          field: "winlog.event_data.ContextInfo"
          target_prefix: "winlog.event_data.powershell"

If you added an enhancement here, I'd recommend doing the key-value extraction more efficiently (if possible) and adding in an option to tail powershell transcript directories as a separate module.

Also please don't forget about "Windows PowerShell" event code 400 and 800, they are absolute gold.

  - name: Windows PowerShell
    event_id: 400, 800
    processors:
      - dissect:
          when:
            equals.winlog.event_id: 400
          tokenizer: "\tNewEngineState=%{NewEngineState}\n\tPreviousEngineState=%{PreviousEngineState}\n\n\tSequenceNumber=%{SequenceNumber}\n\n\tHostName=%{HostName}\n\tHostVersion=%{HostVersion}\n\tHostId=%{HostId}\n\tHostApplication=%{HostApplication}\n\tEngineVersion=%{EngineVersion}\n\tRunspaceId=%{RunspaceId}\n\tPipelineId=%{PipelineId}\n\tCommandName=%{CommandName}\n\tCommandType=%{CommandType}\n\tScriptName=%{ScriptName}\n\tCommandPath=%{CommandPath}\n\tCommandLine=%{CommandLine}"
          field: "winlog.event_data.param3"
          target_prefix: "winlog.event_data.powershell"
      - dissect:
          when:
            equals.winlog.event_id: 800
          tokenizer: "\tDetailSequence=%{DetailSequence}\n\tDetailTotal=%{DetailTotal}\n\n\tSequenceNumber=%{SequenceNumber}\n\n\tUserId=%{UserId}\n\tHostName=%{HostName}\n\tHostVersion=%{HostVersion}\n\tHostId=%{HostId}\n\tHostApplication=%{HostApplication}\n\tEngineVersion=%{EngineVersion}\n\tRunspaceId=%{RunspaceId}\n\tPipelineId=%{PipelineId}\n\tScriptName=%{ScriptName}\n\tCommandLine=%{CommandLine}"
          field: "winlog.event_data.param2"
          target_prefix: "winlog.event_data.powershell"

[andrewkroh]

Also please don't forget about "Windows PowerShell" event code 400 and 800, they are absolute gold.

Thanks for the reminder. I had those two IDs in my notes about creating this issue but forgot to add them. We'll make sure to take a look at that log as well. The same dissect approach for those is probably what I'd use.

adding in an option to tail powershell transcript directories as a separate module

These are text files, right? That would take some effort to do in Winlogbeat. We'd need a mashup of Filebeat + Winlogbeat.

[gwsales]

Yes these are text files that are dropped in directories based on date. Really a filebeat agent is better for this so I'd exclude it for winlogbeat, I just wanted to mention it since it is in the link you had above and frequently talked about.

[SwiftOnSecurity]

Thanks for your work. For clarification for others - do the event ID's have to be hardcoded in the winlogbeat.yml for this to be picked up, or will simply ingesting the PowerShell log perform this work?

Also, what if the events are forwarded to a non-standard log like "Forwarded Events."

Basically my question is, how does it know to perform these actions? What's the criteria?

[andrewkroh]

Also, what if the events are forwarded to a non-standard log like "Forwarded Events."

In that case you can apply the script processor to the ForwardedEvents log.

• Docs - Winlogbeat - Modules - Usage with Forwarded Events
• Example:

  beats/x-pack/winlogbeat/winlogbeat.yml

  Lines 57 to 79 in ff9e3e7

  	- name: ForwardedEvents
  	tags: [forwarded]
  	processors:
  	- script:
  	when.equals.winlog.channel: Security
  	lang: javascript
  	id: security
  	file: ${path.home}/module/security/config/winlogbeat-security.js
  	- script:
  	when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
  	lang: javascript
  	id: sysmon
  	file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
  	- script:
  	when.equals.winlog.channel: Windows PowerShell
  	lang: javascript
  	id: powershell
  	file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
  	- script:
  	when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
  	lang: javascript
  	id: powershell
  	file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

do the event ID's have to be hardcoded in the winlogbeat.yml for this to be picked up, or will simply ingesting the PowerShell log perform this work?

The event_ids filter is optional. The documentation lists what event IDs are processed by the module and the filters in the config examples reflect those same. IDs. If you omit the filter then any event IDs that are not handled by the module will simply pass through (source code) without any additional processing.