elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

MetricBeat is Triggering Avoidable Credential Dumping False Positives #41407

Open gabriellandau opened 3 days ago

gabriellandau commented 3 days ago

MetricBeat uses gosigar for ProcMem and ProcArgs. Both of these calls request PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ which can trigger credential dumping false positives in third-party security software. We can avoid this problem with two simple changes, reducing SDH, customer headache, and vulnerabilities/blindspots created through customer exceptions in their security software. As a benefit, we'll be able to collect some data that we couldn't collect previously.

ProcMem::Get()

ProcMem::Get() requests PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ here. The handle is for GetProcessMemoryInfo. The docs for GetProcessMemoryInfo state that PROCESS_VM_READ is only needed for XP and Server 2003. Agent no longer supports either of those platforms, so let's stop requesting/requiring PROCESS_VM_READ.

Another important point is that we will never successfully acquire a PROCESS_VM_READ handle on any Protected Process or PPL, meaning this function will always fail on those processes. Since it's unnecessary for GetProcessMemoryInfo, this function is failing needlessly on such processes. As a simple test for this, check whether you are getting memory information for services.exe, which always runs as PPL.

ProcArgs::Get()

ProcArgs::Get() requests PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ here. lsass.exe never has a meaningful command line (screenshot below), so can we skip calling ProcArgs::Get() on lsass.exe?

Its PID can be found in the registry. We can query that value once and cache the value because it will never change until reboot. This LSA exclusion logic may be better put outside of gosigar itself.

C:\>reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LsaPid

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LsaPid    REG_DWORD    0x5ac

[Screenshot: lsass.exe shown with an empty command line]

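An added check for the two claims in the post above, written for this page and not taken from Beats, gosigar or the issue itself: it opens services.exe (a PPL) once with PROCESS_QUERY_LIMITED_INFORMATION alone and once with the mask gosigar currently requests, calls GetProcessMemoryInfo through each handle, and then compares the registry LsaPid value with the live lsass.exe PID. The function names Test-ProcessMemoryQuery and Get-LsaPid are chosen here; the access-right constants are the winnt.h values and the struct layout follows psapi.h. It assumes an elevated PowerShell prompt, which is the context the Metricbeat service runs in.

```powershell
# Added example (not Beats/gosigar code): compare the two access masks on a PPL and
# check the cached-LsaPid idea from the issue. Run from an elevated prompt.

if (-not ('ProcProbe' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class ProcProbe
{
    // PROCESS_MEMORY_COUNTERS from psapi.h; SIZE_T fields map to UIntPtr
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_MEMORY_COUNTERS
    {
        public uint cb;
        public uint PageFaultCount;
        public UIntPtr PeakWorkingSetSize;
        public UIntPtr WorkingSetSize;
        public UIntPtr QuotaPeakPagedPoolUsage;
        public UIntPtr QuotaPagedPoolUsage;
        public UIntPtr QuotaPeakNonPagedPoolUsage;
        public UIntPtr QuotaNonPagedPoolUsage;
        public UIntPtr PagefileUsage;
        public UIntPtr PeakPagefileUsage;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);

    [DllImport("psapi.dll", SetLastError = true)]
    public static extern bool GetProcessMemoryInfo(IntPtr hProcess, out PROCESS_MEMORY_COUNTERS counters, uint cb);
}
'@
}

# Access rights from winnt.h
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$PROCESS_VM_READ                   = 0x0010

function Test-ProcessMemoryQuery {
    param(
        [Parameter(Mandatory)][uint32]$ProcessId,
        [Parameter(Mandatory)][uint32]$Access,
        [string]$Label = ''
    )
    $result = [ordered]@{
        Label = $Label; ProcessId = $ProcessId; Access = ('0x{0:X4}' -f $Access)
        OpenProcess = 'ok'; GetProcessMemoryInfo = $null; Win32Error = 0; WorkingSetKB = $null
    }
    $h = [ProcProbe]::OpenProcess($Access, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        # On a PPL this is where the PROCESS_VM_READ request is rejected (ERROR_ACCESS_DENIED)
        $result.OpenProcess = 'failed'
        $result.Win32Error  = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        return [pscustomobject]$result
    }
    try {
        $pmc  = New-Object -TypeName 'ProcProbe+PROCESS_MEMORY_COUNTERS'
        $size = [uint32][Runtime.InteropServices.Marshal]::SizeOf([type][ProcProbe+PROCESS_MEMORY_COUNTERS])
        if ([ProcProbe]::GetProcessMemoryInfo($h, [ref]$pmc, $size)) {
            $result.GetProcessMemoryInfo = 'ok'
            $result.WorkingSetKB = $pmc.WorkingSetSize.ToUInt64() / 1KB
        } else {
            $result.GetProcessMemoryInfo = 'failed'
            $result.Win32Error = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        }
    } finally {
        [void][ProcProbe]::CloseHandle($h)
    }
    [pscustomobject]$result
}

function Get-LsaPid {
    # Query the registry once and cache it: LsaPid does not change until reboot
    if (-not $script:LsaPidCache) {
        $script:LsaPidCache = [uint32](Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaPid).LsaPid
    }
    $script:LsaPidCache
}

# services.exe always runs as PPL, so it is the test case the issue suggests
$services = (Get-Process -Name services).Id
@(
    Test-ProcessMemoryQuery -ProcessId $services -Access $PROCESS_QUERY_LIMITED_INFORMATION -Label 'QUERY_LIMITED only (proposed)'
    Test-ProcessMemoryQuery -ProcessId $services -Access ($PROCESS_QUERY_LIMITED_INFORMATION -bor $PROCESS_VM_READ) -Label 'QUERY_LIMITED | VM_READ (current)'
) | Format-Table -AutoSize

# The PID a ProcArgs::Get() caller could skip, compared with what the process list reports
$lsass = (Get-Process -Name lsass).Id
[pscustomobject]@{ LsaPidFromRegistry = Get-LsaPid; LsassExePid = $lsass; Match = ((Get-LsaPid) -eq $lsass) }
```

If the post's reasoning holds, the first row reports a working set through the QUERY_LIMITED-only handle while the second row fails at OpenProcess with Win32 error 5, and the LsaPid row shows Match = True. Because the second call requests the same mask gosigar uses today, running it may itself register in security tooling that watches for PROCESS_VM_READ handles; the first call is the one a fixed ProcMem::Get() would make.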

elasticmachine commented 3 days ago

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

gabriellandau commented 3 days ago

@andrewkroh said that go-sysinfo has similar code which can likely be improved: https://github.com/elastic/go-sysinfo/blob/323c852f7ef4e11d668f3eb99ecaf9c6baa967c9/providers/windows/process_windows.go#L266-L285

cmacknz commented 3 days ago

FYI @VihasMakwana since you have been addressing some of the other unnecessary sources of errors in the system module.