Closed datorr2 closed 1 year ago
I couldn't reproduce this in any of these scenarios:
Here's a transcript from PowerShell 7.3.0 and v2.2.4:
**********************
PowerShell transcript start
Start time: 20221207153545
Username: DESKTOP-Q0FG0JT\brend
RunAs User: DESKTOP-Q0FG0JT\brend
Configuration Name:
Machine: DESKTOP-Q0FG0JT (Microsoft Windows NT 10.0.22621.0)
Host Application: C:\Program Files\WindowsApps\Microsoft.PowerShell_7.3.0.0_x64__8wekyb3d8bbwe\pwsh.dll
Process ID: 6376
PSVersion: 7.3.0
PSEdition: Core
GitCommitId: 7.3.0
OS: Microsoft Windows 10.0.22621
Platform: Win32NT
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.10032.0, 6.0.0, 6.1.0, 6.2.0, 7.0.0, 7.1.0, 7.2.0, 7.3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
WSManStackVersion: 3.0
**********************
Transcript started, output file is C:\Users\brend\Documents\PowerShell_transcript.DESKTOP-Q0FG0JT.OIzBgdyh.20221207153545.txt
PS C:\Users\brend> $det = Get-FalconDetection -Limit 5 -Detailed
PS C:\Users\brend> $det[0] | ConvertTo-FalconIoaExclusion
pattern_id : 10159
pattern_name : PShellBase64
cl_regex : "C:\\Windows\\System32\\WindowsPowerShell\\v1\.0\\powershell\.exe"\s+-enc\s+UwB0AGEAcgB0AC0AUwBsAGUAZQBw
ACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
ifn_regex : .*\\Windows\\SysWOW64\\WindowsPowerShell\\v1\.0\\powershell\.exe
groups : {redacted, redacted, redacted, redacted…}
comment : Created from ldt:redacted:12889016920 by crowdstrike-psfalcon/2.2.4.
pattern_id : 10320
pattern_name : PowershellExecution
cl_regex : "C:\\Windows\\System32\\WindowsPowerShell\\v1\.0\\powershell\.exe"\s+-enc\s+UwB0AGEAcgB0AC0AUwBsAGUAZQBw
ACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
ifn_regex : .*\\Windows\\SysWOW64\\WindowsPowerShell\\v1\.0\\powershell\.exe
groups : {redacted, redacted, redacted, redacted…}
comment : Created from ldt:redacted:12889016920 by crowdstrike-psfalcon/2.2.4.
PS C:\Users\brend> $det[-1] | ConvertTo-FalconIoaExclusion
pattern_id : 41011
pattern_name : CustomIOALinHigh
cl_regex : curl\s+-v\s+--cookie\s+PHPSESSID=mn4rijv18jhh4dmetljjbcs5r5;\s+security=low\s+http://127\.0\.0\.1/hackab
le/uploads/webshell\.php\?cmd=curl%20http://169\.254\.169\.254/latest/meta-data/iam/security-credentials
/role-name
ifn_regex : /usr/bin/curl
groups : {redacted, redacted, redacted}
comment : Created from ldt:redacted:30130264427 by crowdstrike-psfalcon/2.2.4.
**********************
PowerShell transcript end
End time: 20221207153609
**********************
Could you try fully restarting PowerShell and re-importing PSFalcon and let me know if it still happens?
I went and did an Uninstall-Module PSFalcon -AllVersions and restarted all PowerShell sessions and reinstalled from PSGallery using Install-Module PSFalcon -Scope AllUsers.
The issue still persists.
Right before I was about to post this reply, I re-read your transcript and see you're passing via pipeline. I was not.
My syntax:
ConvertTo-FalconIoaExclusion -Detection $Detects[0]
Your syntax:
$det[0] | ConvertTo-FalconIoaExclusion
Running Get-Help ConvertTo-FalconIoaExclusion:
NAME
ConvertTo-FalconIoaExclusion
SYNOPSIS
Output required fields to create an Indicator of Attack exclusion from a Falcon detection
SYNTAX
ConvertTo-FalconIoaExclusion [-Detection] <Object> [<CommonParameters>]
DESCRIPTION
Uses the 'behaviors' and 'device' properties of a detection to generate the necessary fields to create a new
Indicator of Attack exclusion. Specfically, it maps the following properties these fields:
behaviors.behavior_id > pattern_id
behaviors.display_name > pattern_name
behaviors.cmdline > cl_regex
behaviors.filepath > ifn_regex
device.groups > groups
The 'cl_regex' and 'ifn_regex' fields are escaped using the [regex]::Escape() PowerShell accelerator. The
'ifn_regex' output also replaces the NT device path ('Device/HarddiskVolume') with a wildcard.
If the detection involves a device that is not in any groups, it uses 'all' to target all host groups.
The resulting output can be passed to 'New-FalconIoaExclusion' to create an exclusion.
PARAMETERS
-Detection <Object>
Falcon detection content, including 'behaviors' and 'device'
Required? true
Position? 2
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
RELATED LINKS
https://github.com/crowdstrike/psfalcon/wiki/ConvertTo-FalconIoaExclusion
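As an added illustration (not PSFalcon's own code), here is the field mapping the help text describes, written as a stand-alone function that accepts the detection both from the pipeline and via -Detection, the two call styles compared above. The function name, the property check and the sample detection are constructed for this example.

```powershell
# Added example, not PSFalcon's code: follows the mapping documented in the cmdlet help.
function ConvertTo-IoaExclusionFields {
    [CmdletBinding()]
    param(
        # ValueFromPipeline lets both "$det | ..." and "-Detection $det" reach the same body.
        [Parameter(Mandatory, Position = 0, ValueFromPipeline)]
        [object]$Detection
    )
    process {
        # Fail early with a clear message when either required property is absent.
        foreach ($name in 'behaviors', 'device') {
            if (-not ($Detection.PSObject.Properties.Name -contains $name)) {
                throw "Detection is missing the required '$name' property."
            }
        }
        # A detection may carry several behaviors; emit one exclusion object per behavior.
        foreach ($b in @($Detection.behaviors)) {
            # Escape the literal command line and file path so they match themselves only.
            $cl  = [regex]::Escape($b.cmdline)
            $ifn = [regex]::Escape($b.filepath)
            # Replace the (escaped) NT device path prefix with a wildcard, as the help describes.
            $ifn = $ifn -replace '^\\\\Device\\\\HarddiskVolume\d+', '.*'
            # A device in no host groups targets all groups.
            $groups = if ($Detection.device.groups) { @($Detection.device.groups) } else { @('all') }
            [PSCustomObject]@{
                pattern_id   = $b.behavior_id
                pattern_name = $b.display_name
                cl_regex     = $cl
                ifn_regex    = $ifn
                groups       = $groups
                comment      = "Constructed example for detection $($Detection.detection_id)"
            }
        }
    }
}
# Constructed sample detection (not real tenant data); property names follow the help text.
$sample = [PSCustomObject]@{
    detection_id = 'ldt:example:1'
    behaviors = @([PSCustomObject]@{
        behavior_id  = 10320
        display_name = 'PowershellExecution'
        cmdline      = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc AAAA'
        filepath     = '\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    })
    device = [PSCustomObject]@{ groups = @() }
}
# Both call styles should yield identical fields.
$viaPipe  = $sample | ConvertTo-IoaExclusionFields
$viaParam = ConvertTo-IoaExclusionFields -Detection $sample
```

Comparing $viaPipe and $viaParam property by property confirms that pipeline and parameter input produce the same exclusion fields, which is the behaviour the reporter expected from the real cmdlet.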
I was able to figure out the problem. I can initiate a pull request.
This issue has been fixed in the v2.2.4 release. To fix it in your local module, download the following files and replace your local copies of Public\policy-ioa-exclusions.ps1 and Public\policy-ml-exclusions.ps1.
https://raw.githubusercontent.com/CrowdStrike/psfalcon/2.2.4/Public/policy-ioa-exclusions.ps1
https://raw.githubusercontent.com/CrowdStrike/psfalcon/2.2.4/Public/policy-ml-exclusions.ps1
Solved in v2.2.4 release.
Describe the bug
ConvertTo-FalconIoaExclusion throws an error stating the behaviors property is missing when it isn't.
To Reproduce
Expected behavior
Whatever ConvertTo-FalconIoaExclusion is intended to do :P (first time I've tried to use it).
Environment (please complete the following information):
Transcript content