neu5ron
commented
3 years ago are you certain events should be occuring? like replying logs with malicious data or things you know should be alerting?
Open PaulTheHelk opened 3 years ago
neu5ron
commented
3 years ago are you certain events should be occuring? like replying logs with malicious data or things you know should be alerting?
PaulTheHelk
commented
3 years ago yes it should allert for mimikatz usage. i used mimikatz on a test-client, i can see all the events about thatin discovery-mode, but no alerts coming up.
priamai
commented
3 years ago Yes this should work, I will try to replicate your setup since I have just started testing HELK. Now off the bat if you look at the elastalert rules: https://github.com/Cyb3rWard0g/HELK/tree/master/docker/helk-elastalert/rules I don't see one that specifically target Powershell Mimikaz detection. But there is here a script that pulls sigma rules to be converted: https://github.com/Cyb3rWard0g/HELK/blob/master/docker/helk-elastalert/scripts/pull-sigma.sh First check will be to inspect the docker container and check the converted rules to see if they contain the mimikatz detection. I will do that today as an exercise. BTW this is why I was suggesting to integrate Praeco so that we have visibility into what rules are enabled. Cheers!
neu5ron
commented
3 years ago @priamai I am open to praeco at this point, but I see this in the docs: https://github.com/johnsusek/praeco#can-i-import-my-current-elastalert-rules-into-praeco have you used it before with sigma converted elastalert rules?
Either way, the elastalert/sigma management is definitely on the table for a rewrite/re-engineering. So I am open for ideas that work or people have used.
priamai
commented
3 years ago @neu5ron I am going to use your converter script into their docker setup and see what happens. I will let you know here.
priamai
commented
3 years ago @PaulTheHelk looking at the Sigma rules there are two possible candidate matching your execution. Your index is: logs-endpoint-winevent-sysmon-
The first one based on logs-endpoint-winevent-sysmon-* should trigger:
alert:
- debug
buffer_time:
minutes: 5
description: Detects multiple suspicious process in a limited timeframe
doc_type: doc
filter:
- query:
query_string:
query: (event_id:"1" AND process_command_line:("arp.exe" OR "at.exe" OR "attrib.exe" OR "cscript.exe" OR "dsquery.exe" OR "hostname.exe" OR "ipconfig.exe" OR "mimikatz.exe" OR "nbtstat.exe" OR "net.exe" OR "netsh.exe" OR "nslookup.exe" OR "ping.exe" OR "quser.exe" OR "qwinsta.exe" OR "reg.exe" OR "runas.exe" OR "sc.exe" OR "schtasks.exe" OR "ssh.exe" OR "systeminfo.exe" OR "taskkill.exe" OR "telnet.exe" OR "tracert.exe" OR "wscript.exe" OR "xcopy.exe" OR "pscp.exe" OR "copy.exe" OR "robocopy.exe" OR "certutil.exe" OR "vssadmin.exe" OR "powershell.exe" OR "wevtutil.exe" OR "psexec.exe" OR "bcedit.exe" OR "wbadmin.exe" OR "icacls.exe" OR "diskpart.exe"))
index: logs-endpoint-winevent-sysmon-*
max_threshold: 5
metric_agg_key: _id
metric_agg_type: cardinality
name: Sysmon_61ab5496-748e-4818-a92f-de78e20fe7f1_0 Quick Execution of a Series of Suspicious Commands
priority: 4
query_key: host_name.keyword
realert:
minutes: 0
timestamp_field: etl_processed_time
type: metric_aggregationAnd the second one based on winevt logs-endpoint-winevent-* (should not trigger):
alert:
- debug
buffer_time:
minutes: 5
description: Detects multiple suspicious process in a limited timeframe
doc_type: doc
filter:
- query:
query_string:
query: (event_id:"4688" AND process_command_line:("arp.exe" OR "at.exe" OR "attrib.exe" OR "cscript.exe" OR "dsquery.exe" OR "hostname.exe" OR "ipconfig.exe" OR "mimikatz.exe" OR "nbtstat.exe" OR "net.exe" OR "netsh.exe" OR "nslookup.exe" OR "ping.exe" OR "quser.exe" OR "qwinsta.exe" OR "reg.exe" OR "runas.exe" OR "sc.exe" OR "schtasks.exe" OR "ssh.exe" OR "systeminfo.exe" OR "taskkill.exe" OR "telnet.exe" OR "tracert.exe" OR "wscript.exe" OR "xcopy.exe" OR "pscp.exe" OR "copy.exe" OR "robocopy.exe" OR "certutil.exe" OR "vssadmin.exe" OR "powershell.exe" OR "wevtutil.exe" OR "psexec.exe" OR "bcedit.exe" OR "wbadmin.exe" OR "icacls.exe" OR "diskpart.exe"))
index: logs-endpoint-winevent-*
max_threshold: 5
metric_agg_key: _id
metric_agg_type: cardinality
name: 61ab5496-748e-4818-a92f-de78e20fe7f1_0 Quick Execution of a Series of Suspicious Commands
priority: 4
query_key: host_name.keyword
realert:
minutes: 0
timestamp_field: etl_processed_time
type: metric_aggregationNow correct if I am wrong but I do not see in your event the process_command_line field indicating that in your windows setup you did enable the command line logging (needs to be done explicitly).
My suggestion is to create another simple rule to at least catch the binary name or file hash which is frankly quite embarrassing to miss....
priamai
commented
3 years ago So just as an example a new rule should be added into the docker config such as this:
alert:
- debug
buffer_time:
minutes: 5
description: Detects multiple suspicious process in a limited timeframe
doc_type: doc
filter:
- query:
query_string:
query: (event_id:"10" AND process_name:("arp.exe" OR "at.exe" OR "attrib.exe" OR "cscript.exe" OR "dsquery.exe" OR "hostname.exe" OR "ipconfig.exe" OR "mimikatz.exe" OR "nbtstat.exe" OR "net.exe" OR "netsh.exe" OR "nslookup.exe" OR "ping.exe" OR "quser.exe" OR "qwinsta.exe" OR "reg.exe" OR "runas.exe" OR "sc.exe" OR "schtasks.exe" OR "ssh.exe" OR "systeminfo.exe" OR "taskkill.exe" OR "telnet.exe" OR "tracert.exe" OR "wscript.exe" OR "xcopy.exe" OR "pscp.exe" OR "copy.exe" OR "robocopy.exe" OR "certutil.exe" OR "vssadmin.exe" OR "powershell.exe" OR "wevtutil.exe" OR "psexec.exe" OR "bcedit.exe" OR "wbadmin.exe" OR "icacls.exe" OR "diskpart.exe"))
index: logs-endpoint-winevent-sysmon-*
max_threshold: 5
metric_agg_key: _id
metric_agg_type: cardinality
name: Sysmon_61ab5496-748e-4818-a92f-de78e20fe7f1_0 Quick Execution of a Series of Suspicious Commands
priority: 4
query_key: host_name.keyword
realert:
minutes: 0
timestamp_field: etl_processed_time
type: metric_aggregationPlease notice also that event_id should be set to 10 which refers to process access.
Describe the problem
I've installed the HELK with the provided Documentation from here: https://thehelk.com/installation.html using option 2 in the install dialog with no know or seen error during that. I've created a test-machine (Windows box) with sysmon and winlogbeat 7.8.1 which seems to work fine and delivers some data. BUT, there are no elastevents here. Even when i set the filter to elastalert_status.
Provide the output of the following commands
Get output of the HELK docker containers:
Provide the HELK installation logs located at /var/log/helk-install.log if you are having install errors
What version of HELK are you using
run the command from within the HELK root directory
cat .git/refs/heads/masterand include what date you cloned the HELK repoWhat version of Winlogbeat are you using if you are using Windows/WEF logs
What steps did you take trying to fix the issue
How could we replicate the issue
Simply create some events with mimikatz
Any additionally code or log context you would like to provide
Any additional context or input you have
All other fields are filled. i can see the mimikatz-events in discovery-window: