diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 7d155d3ca72..5a32a6dc00e 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -71,6 +71,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Improve ECS field mappings in Sysmon module. `file.name`, `file.directory`, and `file.extension` are now populated. {issue}18364[18364] - Improve ECS field mappings in Sysmon module. `rule.name` is populated for all events when present. {issue}18364[18364] - Add Powershell module. Support for event ID's: `400`, `403`, `600`, `800`, `4103`, `4014`, `4105`, `4106`. {issue}16262[16262] {pull}18526[18526] +- Fix Powershell processing of downgraded engine events. {pull}18966[18966] *Functionbeat* diff --git a/winlogbeat/docs/images/kibana-powershell.jpg b/winlogbeat/docs/images/kibana-powershell.jpg index 29c13553eb4..3b0f2e4d9e6 100644 Binary files a/winlogbeat/docs/images/kibana-powershell.jpg and b/winlogbeat/docs/images/kibana-powershell.jpg differ diff --git a/x-pack/winlogbeat/module/powershell/_meta/images/kibana-powershell.jpg b/x-pack/winlogbeat/module/powershell/_meta/images/kibana-powershell.jpg index 29c13553eb4..3b0f2e4d9e6 100644 Binary files a/x-pack/winlogbeat/module/powershell/_meta/images/kibana-powershell.jpg and b/x-pack/winlogbeat/module/powershell/_meta/images/kibana-powershell.jpg differ diff --git a/x-pack/winlogbeat/module/powershell/_meta/kibana/7/dashboard/Powershell-Overview-Dashboard.json b/x-pack/winlogbeat/module/powershell/_meta/kibana/7/dashboard/Powershell-Overview-Dashboard.json index 29dcda9a181..7c784c58966 100644 --- a/x-pack/winlogbeat/module/powershell/_meta/kibana/7/dashboard/Powershell-Overview-Dashboard.json +++ b/x-pack/winlogbeat/module/powershell/_meta/kibana/7/dashboard/Powershell-Overview-Dashboard.json @@ -2317,11 +2317,13 @@ }, { "attributes": { - "columns": [ + "columns": [ + "event.code", + "powershell.engine.version", "powershell.runspace_id", - "powershell.pipeline_id", "process.args", - "powershell.command.invocation_details" + "powershell.command.invocation_details", + "powershell.file.script_block_text" ], "description": "", "hits": 0, @@ -2332,7 +2334,7 @@ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", "query": { "language": "kuery", - "query": "(winlog.provider_name : \"PowerShell\" or winlog.provider_name : \"Microsoft-Windows-PowerShell\" ) and (process.args : * or powershell.command.invocation_details.related_command: * )" + "query": "(winlog.provider_name : \"PowerShell\" or winlog.provider_name : \"Microsoft-Windows-PowerShell\" )" }, "version": true } diff --git a/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js b/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js index 7bf8c6afd35..71ce567ccc7 100644 --- a/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js +++ b/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js @@ -84,8 +84,21 @@ var powershell = (function () { }); }; + // countChunksDelimitedBy will return the number of chunks contained in a field + // that are delimited by the given delimiter. + var countChunksDelimitedBy = function(evt, fromField, delimiter) { + var str = evt.Get(fromField); + if (!str) { + return 0; + } + return str.split(delimiter).length-1; + }; + var dissect4xxAnd600 = function (evt) { - dissectField("winlog.event_data.param3", "winlog.event_data", 15, "\t", "=").Run(evt); + var delimiter = "\t"; + var chunks = countChunksDelimitedBy(evt, "winlog.event_data.param3", delimiter); + + dissectField("winlog.event_data.param3", "winlog.event_data", chunks, delimiter, "=").Run(evt); // these fields contain redundant information. evt.Delete("winlog.event_data.param1"); @@ -94,7 +107,10 @@ var powershell = (function () { }; var dissect800Detail = function (evt) { - dissectField("winlog.event_data.param2", "winlog.event_data", 13, "\t", "=").Run(evt); + var delimiter = "\t"; + var chunks = countChunksDelimitedBy(evt, "winlog.event_data.param2", delimiter); + + dissectField("winlog.event_data.param2", "winlog.event_data", chunks, "\t", "=").Run(evt); // these fields contain redundant information. evt.Delete("winlog.event_data.param1"); @@ -102,7 +118,10 @@ var powershell = (function () { }; var dissect4103 = function (evt) { - dissectField("winlog.event_data.ContextInfo", "winlog.event_data", 16, " ", " = ").Run(evt); + var delimiter = " "; + var chunks = countChunksDelimitedBy(evt, "winlog.event_data.ContextInfo", delimiter); + + dissectField("winlog.event_data.ContextInfo", "winlog.event_data", chunks, delimiter, " = ").Run(evt); // these fields contain redundant information. evt.Delete("winlog.event_data.ContextInfo"); @@ -170,7 +189,7 @@ var powershell = (function () { var addProcessArgs = function (evt) { splitCommandLine(evt, "process.command_line", "process.args"); var args = evt.Get("process.args"); - if (args.length > 0) { + if (args && args.length > 0) { evt.Put("process.args_count", args.length); } }; diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/400.evtx b/x-pack/winlogbeat/module/powershell/test/testdata/400.evtx index 7f3ed398d2d..dc4f66cd4c8 100644 Binary files a/x-pack/winlogbeat/module/powershell/test/testdata/400.evtx and b/x-pack/winlogbeat/module/powershell/test/testdata/400.evtx differ diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/400.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/400.evtx.golden.json index fff87ba0efa..9d75f5aa04f 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/400.evtx.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/400.evtx.golden.json @@ -171,5 +171,56 @@ "record_id": 1579, "task": "Engine Lifecycle" } + }, + { + "@timestamp": "2020-06-04T07:20:27.7472275Z", + "event": { + "action": "Engine Lifecycle", + "category": [ + "process" + ], + "code": 400, + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 9, + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "engine": { + "new_state": "Available", + "previous_state": "None", + "version": "2.0" + }, + "process": { + "executable_version": "2.0" + }, + "runspace_id": "6ebeca05-d618-4c66-a0d8-4269d800d099" + }, + "process": { + "entity_id": "7018c049-c75b-4e02-9c0f-6761b97e1657", + "title": "ConsoleHost" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": 400, + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 18591, + "task": "Engine Lifecycle" + } } ] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/403.evtx b/x-pack/winlogbeat/module/powershell/test/testdata/403.evtx index 4129d245b10..42757c86658 100644 Binary files a/x-pack/winlogbeat/module/powershell/test/testdata/403.evtx and b/x-pack/winlogbeat/module/powershell/test/testdata/403.evtx differ diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/403.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/403.evtx.golden.json index 12d2723b596..0d1795bda3f 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/403.evtx.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/403.evtx.golden.json @@ -175,5 +175,56 @@ "record_id": 1766, "task": "Engine Lifecycle" } + }, + { + "@timestamp": "2020-06-04T07:20:28.6861939Z", + "event": { + "action": "Engine Lifecycle", + "category": [ + "process" + ], + "code": 403, + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 10, + "type": [ + "end" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "engine": { + "new_state": "Stopped", + "previous_state": "Available", + "version": "2.0" + }, + "process": { + "executable_version": "2.0" + }, + "runspace_id": "6ebeca05-d618-4c66-a0d8-4269d800d099" + }, + "process": { + "entity_id": "7018c049-c75b-4e02-9c0f-6761b97e1657", + "title": "ConsoleHost" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": 403, + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 18592, + "task": "Engine Lifecycle" + } } ] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/600.evtx b/x-pack/winlogbeat/module/powershell/test/testdata/600.evtx index d45dd627aea..c204d708e10 100644 Binary files a/x-pack/winlogbeat/module/powershell/test/testdata/600.evtx and b/x-pack/winlogbeat/module/powershell/test/testdata/600.evtx differ diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/600.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/600.evtx.golden.json index 10682faa9c2..9a008ac3b2d 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/600.evtx.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/600.evtx.golden.json @@ -115,5 +115,54 @@ "record_id": 1266, "task": "Provider Lifecycle" } + }, + { + "@timestamp": "2020-06-04T07:25:04.8574302Z", + "event": { + "action": "Provider Lifecycle", + "category": [ + "process" + ], + "code": 600, + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 8, + "type": [ + "info" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "process": { + "executable_version": "2.0" + }, + "provider": { + "name": "Certificate", + "new_state": "Started" + } + }, + "process": { + "entity_id": "99a16837-7392-463d-afe5-5f3ed24bd358", + "title": "ConsoleHost" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": 600, + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 18640, + "task": "Provider Lifecycle" + } } ] \ No newline at end of file