Issues with detection rules

[antonino-tocco]

Hi, I have tried to install elk with a fleet server and the prebuilt rules integration.
I simulate the mimikatz misc::memssp on a host and generate the mimilsa.log file, but no alerts was triggerer.
I also receive warning with all the endgame rules.

Can you help me?

[Mikaayenson]

Hi @antonino-tocco, can you share some details / screenshots about your setup?

For starters:

• What version are you running?
• Can you provide screenshots of your endpoints https://<stack-url>/app/security/administration/endpoints
• Can you provide screenshots of your policy https://<stack-url>/app/security/administration/policy/<policy id>/settings
• Can you provide screenshots of your rules enabled https://<stack-url>/app/security/rules

[antonino-tocco]

Hi, I run version 8.4.0 of the ELK stack. When I go to https:///app/security/administration/endpoints it seems that no agents are enrolled and it give me the list of policy for enrollment.

I have setup multiple policies for different type of agents as windows agents. I have enabled multiple integrations such as "Endpoint security" and "Prebuilt rules". Also you find attached Mimikatz rules enabled screenshots.

.

[Mikaayenson]

You need to enroll an endpoint system. Try installing the agent on the system where you're running mimikatz.

[antonino-tocco]

I have already do it but nothing changed. No notification. The agent was successfull installed.

[Mikaayenson]

Looking at all the screenshots you've provided, it appears that the reason you're not receiving alerts is because your windows endpoints are having issue. For the unhealthy endpoint, can you share a policy status screenshot on from https:///app/security/administration/endpoints ?

It should look something like this:

If its not success, there should be errors within the policy indicating the actual issue.

[antonino-tocco]

Hi, when I go to https:///app/security/administration/endpoints no endpoints showed but only a sreen for add agent. Il giorno gio 22 set 2022 alle ore 01:34 Mika Ayenson < ***@***.***> ha scritto:

…

Looking at all the screenshots you've provided, it appears that the reason you're not receiving alerts is because your windows endpoints are having issue. For the unhealthy endpoint, can you share a policy status screenshot on from https:///app/security/administration/endpoints ? It should look something like this: [image: Screen Shot 2022-09-21 at 7 33 26 PM] <https://user-images.githubusercontent.com/1636709/191627869-4f1170ff-6bbe-414a-a0fa-ecbe1bed832f.png> If its not success, there should be errors within the policy indicating the actual issue. — Reply to this email directly, view it on GitHub <#2316 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AC3VTNQGLNATDQRKRABJ7YLV7OLQVANCNFSM6AAAAAAQSAHVGY> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[antonino-tocco]

Hi, my agents is healthy at this moment but this screen always show no endpoints.I start receive alerts from other host for other rules but not for mimikatz on this host. I can’t test mimikatz on the other hosts 

[Mikaayenson]

Can you describe what happens when you try running the mimikatz test on one of the healthy windows endpoints?

Also did you run the command together mimikatz misc::memssp or did you spawn mimikatz and then run misc::memssp. The former should work on an 8.4.0 stack based on our internal testing. We receive an alert based on the rule Potential Credential Access via Mimikatz as a Malicious Behavior Detection Alert

[terrancedejesus]

Hello @antonino-tocco!

We took some time to setup a lab environment with the requirements to run mimikatz misc::memssp and trigger an Elastic security rule alert. I'll try my best to explain how we did so.

Setup

For the setup, I used a Windows Server 2019 image and deployed a cloud-based stack with version 8.4.1. Using Fleet, I created an agent policy called endpoint.

I then added the "Endpoint and Cloud Security" integration to this policy. This integration allows us to use detection rules from the Protections Artifacts repository where we have a rule that should detect mimikatz misc:memssp when executed. @Mikaayenson pointed out this rule in the previous comment. I also loaded all pre-built detection rules during this setup and enabled them all, but you should only need to enable the ones your trying to trigger.

As you did, I then deployed an Elastic agent to my Windows Server 2019 host with my endpoint policy that uses the "Endpoint and Cloud Security" integration.

I also made sure I updated the endpoint security policy settings by visiting Security > Manage > Policies > endpoint. In here, I made sure every protection level was set to "Detect" and not "Prevent", especially "Malicious behavior".

By the end of this, I made sure the agent on my Windows Server 2019 host was in a "Healthy" status to ensure logs were being ingested properly. Sometimes unhealthy agents need updates, re-installed or security settings on the host itself need to be reviewed.

Also, when setting up my Windows Server 2019 host, I made sure to disable any security protections it had such as Windows Defender, Virus Protection, etc. as these often block certain actions necessary to trigger these alerts.

Rule Managing

For rules, you will notice if you search for "mimikatz" in Security > Manage > Rules, a detection rule does exist, called "Mimikatz Memssp Log File Detected", so I made sure it was enabled. If you select the rule you want to trigger, you will notice data sourced to trigger this rule comes from the Endpoint and Cloud Security integration based on the index pattern it checks for documents in.

Triggering Mimikatz Rule

I downloaded Mimikatz from the Github repository onto my Windows Server 2019 host, unzipped the files and then ran the following from a PowerShell console with administrative privileges.

.\mimikatz.exe misc::memssp
cmd.exe -c mimikatz.exe misc::memssp

The time it takes for the alert to trigger is based on how often the rule is run which can be determined by reviewing the rule itself so we knew it would be about ~5 minutes before an alert was triggered.

When checking Security > Alerts I used a KQL filter for any Mimikatz rule names that may have triggered and saw that we have a few alerts.

If these alerts do not trigger you can also search Discover to check for the documents by visiting Analytics > Discover and searching for *mimikatz* to find any documents with mimikatz references, mainly the process.name itself. You can also search for file.name: mimilsa.log as well just make sure your data-view selected is logs-*.

I do hope this helps but please continue to let us know if you have questions and we will continue to attempt in helping!

[antonino-tocco]

Hi, I want to try to use the protection-artifacts rules but when I try to upload or export the rules with the detection_rules package, I receive this error: marshmallow.exceptions.ValidationError: {'rule': [ValidationError({'type': ['Missing data for required field.'], 'author': ['Missing data for required field.']. Can you help me?

[Mikaayenson]

@antonino-tocco Those rules are for the endpoint-sensor (and not the SIEM), so they are already in use within the agent that you installed on your VMs. You can always create a custom rule in the SIEM for testing purposes with similar logic, but again the protections-artifacts are already enabled and running.

Feel free to reopen this issue if you have any other issues with your setup!