elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution] No details and process.executable information is displaying for mimikatz.exe prevention alert #87456

Open ghost opened 3 years ago

ghost commented 3 years ago

Description: No details and process.executable information are displayed for mimikatz.exe when events are 0.

Build Details:

Platform: Staging
Version: 7.11.0
Commit: f3abc08ac648f8b302733c5c22a39048314a027c
Build number: 37399
Artifact: https://staging.elastic.co/7.11.0-710164a0/summary-7.11.0.html

Browser Details: All

Preconditions:

  1. The Elastic Stack should be up and running.
  2. Auditbeat should be installed and running.
  3. A mimikatz alert should be generated.

Steps to Reproduce:

  1. Navigate to the Detection tab of Security.
  2. Scroll down to the Alert table.
  3. Click on the analyzer for the mimikatz alert that is triggered with 0 events.
  4. Observe that no details and process.executable information are displayed for mimikatz.exe when events are 0.

Impacted Test case: N/A

Actual Result: No details and process.executable information are displayed for mimikatz.exe when events are 0.

Expected Result: Details and process.executable information should be displayed for mimikatz.exe when events are 0.

What's working: This is not occurring for cmd.exe when events are 0.

What's not working: N/A

Screenshots: mimikatz.exe (mimikatz_details_process), cmd.exe (cmd_0_events)

ghost commented 3 years ago

@manishgupta-qasource Please review

manishgupta-qasource commented 3 years ago

Reviewed & assigned to @MadameSheema

MadameSheema commented 3 years ago

@XavierM can you please help to prioritise this? thanks

kqualters-elastic commented 3 years ago

@deepikakeshav-qasource @manishgupta-qasource the event in the screenshot on the left has a different timestamp than the event on the right, I think that executable information may just not be present in the event on the left for any variety of reasons. Do you have a link to an environment you are seeing this on to verify if that is the case by chance?

ghost commented 3 years ago

Hi @kqualters-elastic

We have shared the environment credentials through email. Subject: [Environments Details for: #87456]

Please let us know if anything else is required from our end.

Thanks!!

ghost commented 3 years ago

Hi @MadameSheema,

We have validated this ticket on the 7.13.0 BC4 build and observed that the issue is fixed. Details and process.executable information are displayed for mimikatz.exe when events are 0.

Build Details:

Version: 7.13.0 BC4
Commit: 5a6bad454ffe263aafed54cbd3f764253694bf37
Build: 40749

Screenshot: mimikatz_events

Hence, we are closing this ticket and adding the label "QA Validated".

Thanks!!

muskangulati-qasource commented 2 years ago

Hi @MadameSheema,

We have observed that this issue is occurring on the 7.17.0 BC1 build as well as on the latest snapshot builds for both 8.0.0 & 8.1.0. The details and process.executable are not being displayed for the mimikatz node for a prevention alert.

Please find below the testing details:

Build details 7.17.0
Build: 46386
Commit: c9b31753ccda9d79ad1f6f7b106674a7ba430000
Artifacts link: https://staging.elastic.co/7.17.0-2a228a35/summary-7.17.0.html

Build details 8.0.0
Build: 48894
Commit: 9087e164c6890aa9b3a4ae61746753fabdfb27d2
Artifact page: https://artifacts-api.elastic.co/v1/search/8.0.0-SNAPSHOT

Build details 8.1.0
Build: 49385
Commit: 348bfb8b33f418d504489cd4a212539d7e04f256
Artifact page: https://artifacts-api.elastic.co/v1/search/8.1.0-SNAPSHOT

Screenshots: Mimikatz (m1)

Hence, we are reopening this issue.

Thanks!!

ghost commented 2 years ago

Hi @MadameSheema,

We have validated this issue on 7.17.0 BC2 on-prem and observed that the issue is still occurring.

Please find the below details:

Build Details:

Version: 7.17.0 BC2 on-prem
Build: 46488
Commit: a6fd029464413f6979099d7a3d4232c5194a269d

Screenshot: image

Thanks!!

MadameSheema commented 2 years ago

@michaelolo24 can you please help to prioritize this issue? Thanks :)

janmonschke commented 1 year ago

@kqualters-elastic Were you ever able to reproduce the issue?