elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution] Empty Timeline result for **process.args** field with value `C:\WINDOWS\system32\notepad.exe` #102320

Open ghost opened 3 years ago

ghost commented 3 years ago

Describe the bug: Empty Timeline result for process.args field with value C:\WINDOWS\system32\notepad.exe

Build Details:

Version: 7.14.0-SNAPSHOT
commit: 9838db392e7fcfc12f004b68fb1b09739f131148
Build Hash: 41559
Artifact: https://artifacts-api.elastic.co/v1/search/7.14.0-SNAPSHOT

Browser Details: N/A

Browser Details: All

Preconditions

  1. Kibana user should be logged in.
  2. Notepad process should be running on the machine.

Steps to Reproduce

  1. Go to Case Tab.
  2. Create Timeline.
  3. Enter process.name : "notepad.exe" in the timeline search bar.
  4. Results will be returned for the above query.
  5. Drag the process.args field and drop it into the timeline search bar.
  6. Observed that zero timeline results are returned even though data is present for the filter.

Note: This issue is occurring only with notepad application.

Actual Result: Empty Timeline result for the specific field value C:\WINDOWS\system32\notepad.exe as process.args

Expected Result: Correct Timeline results should be returned for the process.args field with value C:\WINDOWS\system32\notepad.exe

What's Working

(two screenshots attached)

What's Not Working

Screen-Shot

https://user-images.githubusercontent.com/59917825/122206026-8bd48180-cebe-11eb-95c2-2ecc9fe59fb5.mp4

https://user-images.githubusercontent.com/59917825/122206042-8f680880-cebe-11eb-94e3-c9daa130e78e.mp4

Logs: Exported Timeline: timelines_export.zip

elasticmachine commented 3 years ago

Pinging @elastic/security-solution (Team: SecuritySolution)

manishgupta-qasource commented 3 years ago

Reviewed & Assigned to @MadameSheema

elasticmachine commented 3 years ago

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

MadameSheema commented 3 years ago

@karanbirsingh-qasource can you please try to reproduce this on 7.13.2? Could you share the instance details in private so I can connect to it?

ghost commented 3 years ago

Hi @MadameSheema

We have validated this issue on 7.13.2 with the same field and value, that is process.args: C:\Windows\system32\notepad.exe, and found that the issue is occurring there too.

Moreover, as stated earlier, the issue is occurring only for this specific value and is not occurring for other processes (mimikatz, PowerShell).

Build Details:

Version: 7.13.2 BC1
Commit: 288dada92621719c3e812310124f12e7824ee571
Build: 288dada92621719c3e812310124f12e7824ee571

Screen-Cast: https://user-images.githubusercontent.com/59917825/122343377-41f1a700-cf63-11eb-86a6-de3f6133990a.mp4

(screenshot attached)

Logs:

Exported Timeline : timelines_export.zip

Additionally, we have shared the instance details with you over mail.

Thanks

ghost commented 3 years ago

Hi @MadameSheema

We have validated this issue on 7.15.0-SNAPSHOT and found it is still occurring. Zero timeline results are returned on adding process.args in the timeline drop bar.

Note: This issue is only for the process.name: "notepad.exe" in timeline search bar.

Build Details:

Version: 7.15.0-SNAPSHOT
Commit: 00fcc2cd00d309f4c17db4ec7d552bc54fbd1b81
Build: 43271

Snapshots: (two screenshots attached)

cybersecdiva commented 10 months ago

Tested in 8.11.0 BC9

Build Details:
VERSION: 8.11.0 BC9
BUILD: 68160
COMMIT: f2ea0c43ec0d854259d63d926b97e5c556b5f6b2

Preconditions:

Describe the bug: Empty Timeline result for process.args field with value C:\WINDOWS\system32\notepad.exe

Steps to reproduce:

  1. Navigate to Security -> Timelines -> Create New Timeline
  2. In the Timeline Filter KQL search box enter `process.name: "Notepad.exe"` to filter Notepad events
  3. In my example I entered process.name.caseless:notepad.exe
  4. Drag and drop an event with process.args: C:\WINDOWS\system32\notepad.exe into the Timeline Query
  5. Observe that the Timeline field is empty and does not populate
  6. As a secondary test, remove process.args: C:\WINDOWS\system32\notepad.exe from the Timeline Query and drag and drop a different process.args field value containing Notepad.exe. In my case, I selected the process.args field value process.args: "C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2309.28.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe"
  7. Click on the filtered-out name kibana.alert.rule.name: Malware Detection Alert under the Search bar at the top
  8. Select Edit filter from the pop-under menu list selection
  9. Observe that the Data View and Select a field options show
  10. Observe that the filtered field value does not show in the Additional filter in `Edit filter`

Current behavior: process.args field with value C:\WINDOWS\system32\notepad.exe shows an empty timeline result

Expected behavior:

process.args field with value C:\WINDOWS\system32\notepad.exe should show timeline result

Observations:

Screenshots of behavior:

Screenshot showing behavior of process.args field value C:\WINDOWS\system32\notepad.exe with an empty timeline:

Screenshot 2023-11-21 at 5 37 00 PM

Screenshot showing filtering of process.name.caseless: notepad.exe to filter events containing notepad.exe regardless of string case. It also shows the process.args: C:\WINDOWS\system32\notepad.exe value that was displayed from the filtered results:

Screenshot 2023-11-21 at 5 36 22 PM

Screenshot showing behavior of a process.args containing Notepad.exe running with a different field value, process.args: "C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2309.28.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe", with timeline population:

Screenshot 2023-11-21 at 5 10 38 PM

Screen share recording:

https://github.com/elastic/kibana/assets/35679937/fdfa03ec-8e64-4fde-84ac-39380127ef1e

Conclusion:

Behavior is still occurring in the 8.11.0 BC9 latest release for the System32 Notepad.exe application value: C:\WINDOWS\system32\notepad.exe. The behavior is associated only with this process.args value and does not display an empty timeline for any other process.args values that are not opened from System32.

@MadameSheema and @XavierM FYI Updated Observations
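As an added check, not part of this issue thread or of Kibana's own code, the block below models a hypothesis the thread leaves open: in a KQL quoted string a backslash followed by `n` is an escaped newline, so the value `C:\WINDOWS\system32\notepad.exe` interpolated into a query without escaping would be read as `C:\WINDOWS\system32` + newline + `otepad.exe` and match nothing, while `\Notepad\Notepad.exe` (capital N), `\mimikatz.exe` and `\powershell.exe` contain no recognised escape sequence and would survive intact, which is consistent with every observation reported above. The escape table (`\\`, `\"`, `\t`, `\r`, `\n`), the helper names and the PowerShell path are assumptions; the other sample paths are constructed from the values quoted in the thread.

```python
# Added example (not Kibana's code). The thread does not state why the
# System32 notepad path alone returns nothing, so this block models one
# hypothesis as an assumption: a quoted KQL value treats "\n" as an escaped
# newline, so "\notepad.exe" is read as newline + "otepad.exe". The escape
# table below is that assumption, simplified; verify it against the real
# KQL grammar before relying on it.
from typing import Dict, Tuple

# Escape sequences assumed to be recognised inside a quoted KQL value.
KQL_ESCAPES: Dict[str, str] = {
    "\\": "\\",  # \\ -> literal backslash
    '"': '"',    # \" -> literal double quote
    "t": "\t",   # \t -> tab
    "r": "\r",   # \r -> carriage return
    "n": "\n",   # \n -> newline
}


def kql_unescape_quoted(raw: str) -> str:
    """Interpret a quoted KQL value (modelled, assumed behaviour).

    A backslash followed by a character in KQL_ESCAPES is an escape
    sequence; any other backslash is kept as a literal character.
    """
    out = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw) and raw[i + 1] in KQL_ESCAPES:
            out.append(KQL_ESCAPES[raw[i + 1]])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def kql_escape_quoted(value: str) -> str:
    """Escape a literal value so it survives kql_unescape_quoted unchanged."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_query(field: str, value: str) -> str:
    """Build a field: "value" clause with the value properly escaped."""
    return f'{field}: "{kql_escape_quoted(value)}"'


def survives_unescaped(value: str) -> bool:
    """True if using the value in a quoted clause without escaping keeps it intact."""
    return kql_unescape_quoted(value) == value


def check_paths(paths: Tuple[str, ...]) -> Dict[str, bool]:
    """Map each path to whether it survives being used unescaped."""
    return {p: survives_unescaped(p) for p in paths}


# Constructed sample values: the path from the issue, the WindowsApps path
# the last comment reports as working, and a PowerShell path for contrast.
SAMPLE_PATHS: Tuple[str, ...] = (
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2309.28.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
)

if __name__ == "__main__":
    for path, ok in check_paths(SAMPLE_PATHS).items():
        print(f"{'ok     ' if ok else 'MANGLED'} {path!r}")
        if not ok:
            print("   unescaped reads as:", repr(kql_unescape_quoted(path)))
            print("   escaped clause:    ", build_query("process.args", path))
```

If the hypothesis holds, the fix on the query-building side is to escape backslashes (and quotes) before interpolating a dragged value, as `build_query` does; the quick check on a live stack is to run the unescaped and the escaped clause side by side against the same index and compare hit counts.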