CrowdStrike / psfalcon

PowerShell for CrowdStrike's OAuth2 APIs
The Unlicense

[ BUG ] `ConvertTo-FalconIoaExclusion` throws an error stating behaviors property is missing when it isn't. #260

Closed datorr2 closed 1 year ago

datorr2 commented 1 year ago

Describe the bug ConvertTo-FalconIoaExclusion throws an error stating behaviors property is missing when it isn't.

To Reproduce

> $Detects = Get-FalconDetection -All -Detailed -Filter "behaviors.filename:'benignfile'"
> $Detects[0] # Shows output

cid                      : deadbeef0000000000000000deadbeef
created_timestamp        : 2022-12-07T15:15:41.365029358Z
detection_id             : ldt:deadbeef0000000000000000deadbeef:4303243094
device                   : @{device_id=deadbeef0000000000000000deadbeef; cid=deadbeef0000000000000000deadbeef; agent_load_flags=0; agent_local_time=2022-12-07 09:43:24; agent_version=6.46.14306.0;
                           bios_manufacturer=CrowdStrike; bios_version=6.46.14306.0; config_id_base=65994761; config_id_build=14306; config_id_platform=8; external_ip=127.0.0.1; hostname=psfalcon;
                           first_seen=2022-12-07 14:41:12; last_seen=2022-12-07 15:13:25; local_ip=127.0.0.1; mac_address=0a-1b-2c-3d-4e-5f; major_version=6; minor_version=46; os_version=6.46;
                           platform_id=3; platform_name=Linux; product_type_desc=Server; status=normal; system_manufacturer=CrowdStrike; system_product_name=PSFalcon; groups=System.Object[];
                           modified_timestamp=2022-12-07 15:13:29}
behaviors                : {@{device_id=deadbeef0000000000000000deadbeef; timestamp=2022-12-07 15:15:37; template_instance_id=6466; behavior_id=30127; filename=benignfile; filepath=/usr/bin/benignfile;
                           alleged_filetype=; cmdline=benignfile innocuous-command-line; scenario=attacker_methodology; objective=Follow Through; tactic=Impact;
                           tactic_id=TA0040; technique=Data Encrypted for Impact; technique_id=T1486; display_name=LinProcRansomware; description=A process associated with ransomware was detected on your
                           host. Adversaries may deploy malware designed to encrypt files or render the system unusable until payment is made or other conditions are met. Please review the process tree.;
                           severity=70; confidence=80; ioc_type=; ioc_value=; ioc_source=; ioc_description=; user_name=; user_id=0; control_graph_id=ctg:deadbeef0000000000000000deadbeef:4303243094;
                           triggering_process_graph_id=pid:deadbeef0000000000000000deadbeef:12542622082; sha256=deadbeef0000000000000000deadbeefdeadbeef0000000000000000deadbeef;
                           md5=deadbeef0000000000000000deadbeef; parent_details=; pattern_disposition=272; pattern_disposition_details=}}
email_sent               : True
first_behavior           : 2022-12-07 15:15:37
last_behavior            : 2022-12-07 15:15:37
max_confidence           : 80
max_severity             : 70
max_severity_displayname : High
show_in_ui               : True
status                   : new
hostinfo                 : @{domain=}
seconds_to_triaged       : 0
seconds_to_resolved      : 0
behaviors_processed      : {pid:deadbeef0000000000000000deadbeef:12542622082:30127}
date_updated             : 2022-12-07 15:23:55

> ConvertTo-FalconIoaExclusion -Detection $Detects[0]
Exception: C:\Program Files\WindowsPowerShell\Modules\PSFalcon\2.2.3\Public\policy-ioa-exclusions.ps1:47
Line |
  47 |  …             throw "[ConvertTo-FalconMlExclusion] Missing required '$P …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | [ConvertTo-FalconMlExclusion] Missing required 'behaviors' property.

Expected behavior Whatever ConvertTo-FalconIoaExclusion is intended to do :P (first time I've tried to use it).


Transcript content

**********************
PowerShell transcript start
Start time: 20221207125106
Username: GITHUB\datorr2
RunAs User: GITHUB\datorr2
Configuration Name: 
Machine: DATORR2 (Microsoft Windows NT 10.0.19044.0)
Host Application: C:\Program Files\PowerShell\7\pwsh.dll
Process ID: 27168
PSVersion: 7.2.7
PSEdition: Core
GitCommitId: 7.2.7
OS: Microsoft Windows 10.0.19044
Platform: Win32NT
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.10032.0, 6.0.0, 6.1.0, 6.2.0, 7.0.0, 7.1.0, 7.2.7
PSRemotingProtocolVersion: 2.3
SerializationVersion: 127.0.0.1
WSManStackVersion: 3.0
**********************
Transcript started, output file is C:\Users\datorr2\Documents\PowerShell_transcript.DATORR2.DKt_sOpw.20221207125106.txt
┌─(Core@7.2.7)─[~] 
└─$
PS>$Detects = Get-FalconDetection -All -Detailed -Filter "behaviors.filename:'benignfile'"
VERBOSE: [ApiClient.Invoke] GET https://api.laggar.gcw.crowdstrike.com/detects/queries/detects/v1?filter=behaviors.filename:'benignfile'&limit=5000
VERBOSE: [ApiClient.Invoke] Accept=application/json, ContentType=application/json
VERBOSE: [ApiClient.Invoke] 200: OK
VERBOSE: [ApiClient.Invoke] Server=nginx, Date=Wed, 07 Dec 2022 17:51:22 GMT, Connection=keep-alive, Strict-Transport-Security=max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-gov-1, X-Cs-Traceid=78aece72-6574-4b7c-933d-68895f709cde, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5999
VERBOSE: [Write-Result] meta.trace_id=78aece72-6574-4b7c-933d-68895f709cde, meta.query_time=0.0068382, meta.powered_by=legacy-detects, meta.pagination.limit=5000, meta.pagination.total=4, meta.pagination.offset=0
VERBOSE: [ApiClient.Invoke] POST https://api.laggar.gcw.crowdstrike.com/detects/entities/summaries/GET/v1
VERBOSE: [ApiClient.Invoke] Accept=application/json, ContentType=application/json
VERBOSE: [ApiClient.Invoke] {"ids":["ldt:deadbeef0000000000000000deadbeef:4299046152","ldt:deadbeef0000000000000000deadbeef:4301160490","ldt:deadbeef0000000000000000deadbeef:4303243094","ldt:deadbeef0000000000000000deadbeef:4298134678"]}
VERBOSE: [ApiClient.Invoke] 200: OK
VERBOSE: [ApiClient.Invoke] Server=nginx, Date=Wed, 07 Dec 2022 17:51:22 GMT, Transfer-Encoding=chunked, Connection=keep-alive, Strict-Transport-Security=max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-gov-1, X-Cs-Traceid=99efb8d5-b4cd-48c6-88e3-806b1cd4267a, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5998
VERBOSE: [Write-Result] meta.query_time=0.008642656, meta.powered_by=legacy-detects, meta.trace_id=99efb8d5-b4cd-48c6-88e3-806b1cd4267a
┌─(Core@7.2.7)─[~] 
└─$
PS>$Detects[0]

cid                      : deadbeef0000000000000000deadbeef
created_timestamp        : 2022-12-07T15:15:41.365029358Z
detection_id             : ldt:deadbeef0000000000000000deadbeef:4303243094
device                   : @{device_id=deadbeef0000000000000000deadbeef; cid=deadbeef0000000000000000deadbeef; agent_load_flags=0; agent_local_time=2022-12-07 09:43:24; agent_version=6.46.14306.0;
                           bios_manufacturer=CrowdStrike; bios_version=6.46.14306.0; config_id_base=65994761; config_id_build=14306; config_id_platform=8; external_ip=127.0.0.1; hostname=psfalcon;
                           first_seen=2022-12-07 14:41:12; last_seen=2022-12-07 15:13:25; local_ip=127.0.0.1; mac_address=0a-1b-2c-3d-4e-5f; major_version=6; minor_version=46; os_version=6.46;
                           platform_id=3; platform_name=Linux; product_type_desc=Server; status=normal; system_manufacturer=CrowdStrike; system_product_name=PSFalcon; groups=System.Object[];
                           modified_timestamp=2022-12-07 15:13:29}
behaviors                : {@{device_id=deadbeef0000000000000000deadbeef; timestamp=2022-12-07 15:15:37; template_instance_id=6466; behavior_id=30127; filename=benignfile; filepath=/usr/bin/benignfile;
                           alleged_filetype=; cmdline=benignfile innocuous-command-line; scenario=attacker_methodology; objective=Follow Through; tactic=Impact;
                           tactic_id=TA0040; technique=Data Encrypted for Impact; technique_id=T1486; display_name=LinProcRansomware; description=A process associated with ransomware was detected on your
                           host. Adversaries may deploy malware designed to encrypt files or render the system unusable until payment is made or other conditions are met. Please review the process tree.;
                           severity=70; confidence=80; ioc_type=; ioc_value=; ioc_source=; ioc_description=; user_name=; user_id=0; control_graph_id=ctg:deadbeef0000000000000000deadbeef:4303243094;
                           triggering_process_graph_id=pid:deadbeef0000000000000000deadbeef:12542622082; sha256=deadbeef0000000000000000deadbeefdeadbeef0000000000000000deadbeef;
                           md5=deadbeef0000000000000000deadbeef; parent_details=; pattern_disposition=272; pattern_disposition_details=}}
email_sent               : True
first_behavior           : 2022-12-07 15:15:37
last_behavior            : 2022-12-07 15:15:37
max_confidence           : 80
max_severity             : 70
max_severity_displayname : High
show_in_ui               : True
status                   : new
hostinfo                 : @{domain=}
seconds_to_triaged       : 0
seconds_to_resolved      : 0
behaviors_processed      : {pid:deadbeef0000000000000000deadbeef:12542622082:30127}
date_updated             : 2022-12-07 15:23:55

┌─(Core@7.2.7)─[~] 
└─$
PS>ConvertTo-FalconIoaExclusion -Detection $Detects[0]
>> TerminatingError(): "[ConvertTo-FalconMlExclusion] Missing required 'behaviors' property."
>> TerminatingError(): "[ConvertTo-FalconMlExclusion] Missing required 'behaviors' property."
[ConvertTo-FalconMlExclusion] Missing required 'behaviors' property.

Exception: C:\Program Files\WindowsPowerShell\Modules\PSFalcon\2.2.3\Public\policy-ioa-exclusions.ps1:47
Line |
  47 |  …             throw "[ConvertTo-FalconMlExclusion] Missing required '$P …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | [ConvertTo-FalconMlExclusion] Missing required 'behaviors' property.

┌─(Core@7.2.7)─[~] 
└─$
PS>Stop-Transcript
**********************
PowerShell transcript end
End time: 20221207125150
**********************
bk-cs commented 1 year ago

I couldn't reproduce this in any of these scenarios:

Here's a transcript from PowerShell 7.3.0 and v2.2.4:

**********************
PowerShell transcript start
Start time: 20221207153545
Username: DESKTOP-Q0FG0JT\brend
RunAs User: DESKTOP-Q0FG0JT\brend
Configuration Name: 
Machine: DESKTOP-Q0FG0JT (Microsoft Windows NT 10.0.22621.0)
Host Application: C:\Program Files\WindowsApps\Microsoft.PowerShell_7.3.0.0_x64__8wekyb3d8bbwe\pwsh.dll
Process ID: 6376
PSVersion: 7.3.0
PSEdition: Core
GitCommitId: 7.3.0
OS: Microsoft Windows 10.0.22621
Platform: Win32NT
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.10032.0, 6.0.0, 6.1.0, 6.2.0, 7.0.0, 7.1.0, 7.2.0, 7.3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
WSManStackVersion: 3.0
**********************
Transcript started, output file is C:\Users\brend\Documents\PowerShell_transcript.DESKTOP-Q0FG0JT.OIzBgdyh.20221207153545.txt
PS C:\Users\brend> $det = Get-FalconDetection -Limit 5 -Detailed
PS C:\Users\brend> $det[0] | ConvertTo-FalconIoaExclusion

pattern_id   : 10159
pattern_name : PShellBase64
cl_regex     : "C:\\Windows\\System32\\WindowsPowerShell\\v1\.0\\powershell\.exe"\s+-enc\s+UwB0AGEAcgB0AC0AUwBsAGUAZQBw
               ACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
ifn_regex    : .*\\Windows\\SysWOW64\\WindowsPowerShell\\v1\.0\\powershell\.exe
groups       : {redacted, redacted, redacted, redacted…}
comment      : Created from ldt:redacted:12889016920 by crowdstrike-psfalcon/2.2.4.

pattern_id   : 10320
pattern_name : PowershellExecution
cl_regex     : "C:\\Windows\\System32\\WindowsPowerShell\\v1\.0\\powershell\.exe"\s+-enc\s+UwB0AGEAcgB0AC0AUwBsAGUAZQBw
               ACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
ifn_regex    : .*\\Windows\\SysWOW64\\WindowsPowerShell\\v1\.0\\powershell\.exe
groups       : {redacted, redacted, redacted, redacted…}
comment      : Created from ldt:redacted:12889016920 by crowdstrike-psfalcon/2.2.4.

PS C:\Users\brend> $det[-1] | ConvertTo-FalconIoaExclusion

pattern_id   : 41011
pattern_name : CustomIOALinHigh
cl_regex     : curl\s+-v\s+--cookie\s+PHPSESSID=mn4rijv18jhh4dmetljjbcs5r5;\s+security=low\s+http://127\.0\.0\.1/hackab
               le/uploads/webshell\.php\?cmd=curl%20http://169\.254\.169\.254/latest/meta-data/iam/security-credentials
               /role-name
ifn_regex    : /usr/bin/curl
groups       : {redacted, redacted, redacted}
comment      : Created from ldt:redacted:30130264427 by crowdstrike-psfalcon/2.2.4.

**********************
PowerShell transcript end
End time: 20221207153609
**********************

Could you try fully restarting PowerShell and re-importing PSFalcon and let me know if it still happens?

datorr2 commented 1 year ago

> Could you try fully restarting PowerShell and re-importing PSFalcon and let me know if it still happens?

I went and did an `Uninstall-Module PSFalcon -AllVersions`, restarted all PowerShell sessions and reinstalled from PSGallery using `Install-Module PSFalcon -Scope AllUsers`.

The issue still persists.

Right before I was about to post this reply, I re-read your transcript and see you're passing via pipeline. I was not.

My syntax:

ConvertTo-FalconIoaExclusion -Detection $Detects[0]

Your syntax:

$det[0] | ConvertTo-FalconIoaExclusion

Running Get-Help ConvertTo-FalconIoaExclusion:

NAME
    ConvertTo-FalconIoaExclusion

SYNOPSIS
    Output required fields to create an Indicator of Attack exclusion from a Falcon detection

SYNTAX
    ConvertTo-FalconIoaExclusion [-Detection] <Object> [<CommonParameters>]

DESCRIPTION
    Uses the 'behaviors' and 'device' properties of a detection to generate the necessary fields to create a new
    Indicator of Attack exclusion. Specifically, it maps the following properties to these fields:

    behaviors.behavior_id  > pattern_id
    behaviors.display_name > pattern_name
    behaviors.cmdline      > cl_regex
    behaviors.filepath     > ifn_regex
    device.groups          > groups

    The 'cl_regex' and 'ifn_regex' fields are escaped using the [regex]::Escape() PowerShell accelerator. The
    'ifn_regex' output also replaces the NT device path ('Device/HarddiskVolume') with a wildcard.

    If the detection involves a device that is not in any groups, it uses 'all' to target all host groups.

    The resulting output can be passed to 'New-FalconIoaExclusion' to create an exclusion.

PARAMETERS
    -Detection <Object>
        Falcon detection content, including 'behaviors' and 'device'

        Required?                    true
        Position?                    2
        Default value
        Accept pipeline input?       true (ByValue)
        Accept wildcard characters?  false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer, PipelineVariable, and OutVariable. For more information, see
        about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS

OUTPUTS

RELATED LINKS
    https://github.com/crowdstrike/psfalcon/wiki/ConvertTo-FalconIoaExclusion
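
The help text above spells out the whole transformation: five detection properties mapped to five exclusion fields, regex-escaping of the command line and file path, a wildcard in place of the NT device path, and 'all' when the host has no groups. The following is an added example that is not PSFalcon's own code; it reimplements that documented mapping so it can be run offline against a constructed detection, and it exercises both call styles compared above (positional `-Detection` and pipeline). The function name `ConvertTo-IoaExclusionFields`, the sample detection objects, the `\s+` substitution for escaped spaces (chosen to match the 2.2.4 output shown earlier in this thread) and the comment format are my own assumptions, not the module's.

```powershell
# Added example, not PSFalcon's own code: reimplements the field mapping that the
# ConvertTo-FalconIoaExclusion help text documents. Function name, sample objects,
# the '\s+' substitution and the comment format are assumptions of this example.
function ConvertTo-IoaExclusionFields {
    [CmdletBinding()]
    param(
        # ValueFromPipeline plus Position 0 lets callers use either
        # '$det | ConvertTo-IoaExclusionFields' or '-Detection $det'
        [Parameter(Mandatory, Position = 0, ValueFromPipeline)]
        [object]$Detection
    )
    process {
        # Validate inside 'process' so the check sees the actual object in both call styles
        foreach ($Name in 'behaviors', 'device') {
            if (-not $Detection.PSObject.Properties[$Name]) {
                throw "[ConvertTo-IoaExclusionFields] Missing required '$Name' property."
            }
        }
        # device.groups -> groups; 'all' when the host is not a member of any group
        $Groups = if ($Detection.device.groups -and @($Detection.device.groups).Count -gt 0) {
            @($Detection.device.groups)
        } else {
            @('all')
        }
        foreach ($Behavior in @($Detection.behaviors)) {
            # behaviors.cmdline -> cl_regex: escape regex metacharacters, then loosen the
            # escaped spaces to '\s+' so runs of whitespace in the command line still match
            $ClRegex = [regex]::Escape($Behavior.cmdline) -replace '\\ ', '\s+'
            # behaviors.filepath -> ifn_regex: escape, then replace the NT device path prefix
            # (\Device\HarddiskVolumeN) with a wildcard because the volume number varies per host
            $IfnRegex = [regex]::Escape($Behavior.filepath) -replace '^\\\\Device\\\\HarddiskVolume\d+', '.*'
            [PSCustomObject]@{
                pattern_id   = $Behavior.behavior_id     # behaviors.behavior_id
                pattern_name = $Behavior.display_name    # behaviors.display_name
                cl_regex     = $ClRegex
                ifn_regex    = $IfnRegex
                groups       = $Groups
                comment      = "Created from $($Detection.detection_id) (added example)."
            }
        }
    }
}

# Constructed Linux detection shaped like the one in this issue (placeholder values)
$LinuxDetection = [PSCustomObject]@{
    detection_id = 'ldt:deadbeef0000000000000000deadbeef:4303243094'
    device       = [PSCustomObject]@{ device_id = 'deadbeef0000000000000000deadbeef'; groups = @() }
    behaviors    = @(
        [PSCustomObject]@{
            behavior_id  = 30127
            display_name = 'LinProcRansomware'
            cmdline      = 'benignfile innocuous-command-line'
            filepath     = '/usr/bin/benignfile'
        }
    )
}

# Constructed Windows detection to exercise the NT device path wildcard (hypothetical values)
$WindowsDetection = [PSCustomObject]@{
    detection_id = 'ldt:deadbeef0000000000000000deadbeef:1'
    device       = [PSCustomObject]@{ device_id = 'deadbeef0000000000000000deadbeef'; groups = @('group-a', 'group-b') }
    behaviors    = @(
        [PSCustomObject]@{
            behavior_id  = 10159
            display_name = 'PShellBase64'
            cmdline      = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc AAAA'
            filepath     = '\Device\HarddiskVolume3\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
        }
    )
}

# Both call styles must yield identical fields; compare them rather than eyeballing the output
$ByParam = ConvertTo-IoaExclusionFields -Detection $LinuxDetection
$ByPipe  = $LinuxDetection | ConvertTo-IoaExclusionFields
if ($ByParam.cl_regex -ne $ByPipe.cl_regex -or (($ByParam.groups -join ',') -ne 'all')) {
    throw 'Parameter and pipeline invocations disagree'
}
$ByParam
$WindowsDetection | ConvertTo-IoaExclusionFields
```

Two things worth checking before handing the result to `New-FalconIoaExclusion`: that `cl_regex` has not been widened beyond the one command line you intend to exclude (an escaped literal is deliberately narrow; loosening it is a conscious decision), and that `groups` really is scoped to the affected hosts rather than falling back to 'all' because the device object arrived without its `groups` property.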
datorr2 commented 1 year ago

I was able to figure out the problem. I can initiate a pull request.

bk-cs commented 1 year ago

This issue has been fixed in the v2.2.4 release. To fix it in your local module, download the following files and replace your local copies of Public\policy-ioa-exclusions.ps1 and Public\policy-ml-exclusions.ps1.

https://raw.githubusercontent.com/CrowdStrike/psfalcon/2.2.4/Public/policy-ioa-exclusions.ps1
https://raw.githubusercontent.com/CrowdStrike/psfalcon/2.2.4/Public/policy-ml-exclusions.ps1
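
The manual hotfix above amounts to locating the installed 2.2.3 module folder and overwriting two files with the copies tagged 2.2.4. As an added example (not from the issue or the project), the following script does that from PowerShell, keeps a backup of each original, records the hash of what was written, and re-imports the module so the running session picks up the replacement. It assumes network access to raw.githubusercontent.com and write access to the module folder (an AllUsers install under Program Files needs an elevated session); the variable names are my own.

```powershell
# Added example, not PSFalcon's own code: applies the file-replacement hotfix described
# in the thread. Assumes PSFalcon 2.2.3 is installed and the session can write to its folder.
$Tag   = '2.2.4'
$Files = 'Public/policy-ioa-exclusions.ps1', 'Public/policy-ml-exclusions.ps1'

# Locate the installed 2.2.3 module rather than hard-coding a path that differs per scope
$Module = Get-Module -Name PSFalcon -ListAvailable | Where-Object Version -eq '2.2.3'
if (-not $Module) { throw 'PSFalcon 2.2.3 is not installed in this session''s module path.' }

foreach ($Relative in $Files) {
    $Uri  = "https://raw.githubusercontent.com/CrowdStrike/psfalcon/$Tag/$Relative"
    $Dest = Join-Path -Path $Module.ModuleBase -ChildPath $Relative
    # Keep the original so the change can be reverted if the pinned file misbehaves
    Copy-Item -Path $Dest -Destination "$Dest.bak" -Force
    Invoke-WebRequest -Uri $Uri -OutFile $Dest
    # Record what was actually written; compare against the release if you want to verify it
    Write-Host ("Replaced {0}`n  SHA256 {1}" -f $Dest, (Get-FileHash -Path $Dest -Algorithm SHA256).Hash)
}

# A module already loaded in this session keeps the old function definitions until re-imported
Remove-Module -Name PSFalcon -ErrorAction SilentlyContinue
Import-Module -Name PSFalcon -RequiredVersion 2.2.3 -Force
```

Pinning the download to the `2.2.4` tag rather than a branch name keeps the patch reproducible: the same URL returns the same bytes later, and the printed hash gives you something to compare when a colleague applies the same fix.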

bk-cs commented 1 year ago

Solved in v2.2.4 release.