From 4a83b6f65ba2fabed29f5033488a1dc8ced5250b Mon Sep 17 00:00:00 2001
From: Marc Guasch
Date: Fri, 31 May 2024 18:13:49 +0200
Subject: [PATCH] Add script block hash and signature to powershell pipelines
---
 packages/windows/changelog.yml | 5 ++++
 .../test-powershell-events.json-expected.json | 1 +
 .../test-powershell-operational-events.json | 2 +-
 ...hell-operational-events.json-expected.json | 4 +++-
 .../powershell_operational.yml | 24 +++++++++++++++++++
 .../data_stream/forwarded/fields/fields.yml | 10 ++++++++
 .../_dev/test/pipeline/test-events.json | 2 +-
 .../pipeline/test-events.json-expected.json | 4 +++-
 .../elasticsearch/ingest_pipeline/default.yml | 24 +++++++++++++++++++
 .../powershell_operational/fields/fields.yml | 10 ++++++++
 packages/windows/docs/README.md | 2 ++
 packages/windows/manifest.yml | 2 +-
 12 files changed, 85 insertions(+), 5 deletions(-)
diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml
index 64e900ef49d..15f92db0e99 100644
--- a/packages/windows/changelog.yml
+++ b/packages/windows/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.45.0"
+ changes:
+ - description: Add powershell.file.script_block_hash and powershell.file.script_block_signature fields.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10044
 - version: "1.44.5"
 changes:
 - description: Fix splitting of parameters for event 600 where it can hold multiline values in parameters.
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json
index 152e310e03e..f1bcf811461 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json
@@ -248,6 +248,7 @@
 },
 "powershell": {
 "file": {
+ "script_block_hash": "64TcviMSSJ/OdhiN8lVcBQeKWDU=",
 "script_block_id": "50d2dbda-7361-4926-a94d-d9eadfdb43fa",
 "script_block_text": ".\\patata.ps1"
 },
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json
index e0d4ad99ac5..a50121575ba 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json
@@ -148,7 +148,7 @@
 "event_data": {
 "MessageNumber": "1",
 "MessageTotal": "1",
- "ScriptBlockText": ".\\patata.ps1",
+ "ScriptBlockText": "# SIG # Begin signature block\n# MIIbDQYJKoZIhvcNAQcCoIIa/jCCGvoCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB\n# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR\n# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUxKaXN7doWq+mq18IrzABoXMr\n# 4l6gghXyMIIEoDCCA4igAwIBAgIKYRr16gAAAAAAajANBgkqhkiG9w0BAQUFADB5\n# MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVk\n# bW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSMwIQYDVQQDExpN\n# aWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQTAeFw0xMTExMDEyMjM5MTdaFw0xMzAy\n# MDEyMjQ5MTdaMIGDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQ\n# MA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u\n# SIG # End signature block\n\n.\\patata.ps1",
 "ScriptBlockId": "50d2dbda-7361-4926-a94d-d9eadfdb43fa"
 },
 "provider_name": "Microsoft-Windows-PowerShell",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-expected.json
index 152e310e03e..d835f3837d8 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-expected.json
@@ -248,8 +248,10 @@
 },
 "powershell": {
 "file": {
+ "script_block_hash": "GDs0QECaJqoAYuKAnsifUYS309U=",
 "script_block_id": "50d2dbda-7361-4926-a94d-d9eadfdb43fa",
- "script_block_text": ".\\patata.ps1"
+ "script_block_signature": "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\n",
+ "script_block_text": "# SIG # Begin signature block\n# MIIbDQYJKoZIhvcNAQcCoIIa/jCCGvoCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB\n# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR\n# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUxKaXN7doWq+mq18IrzABoXMr\n# 4l6gghXyMIIEoDCCA4igAwIBAgIKYRr16gAAAAAAajANBgkqhkiG9w0BAQUFADB5\n# MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVk\n# bW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSMwIQYDVQQDExpN\n# aWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQTAeFw0xMTExMDEyMjM5MTdaFw0xMzAy\n# MDEyMjQ5MTdaMIGDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQ\n# MA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u\n# SIG # End signature block\n\n.\\patata.ps1"
 },
 "sequence": 1,
 "total": 1
diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml
index c2d3784f20a..3e248ce3518 100644
--- a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml
+++ b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml
@@ -290,6 +290,30 @@ processors:
 ignore_failure: true
 ignore_missing: true
 if: ctx?.winlog?.event_data?.ScriptBlockText != ""
+ - trim:
+ field: powershell.file.script_block_text
+ ignore_missing: true
+ - dissect:
+ field: powershell.file.script_block_text
+ pattern: "# SIG # Begin signature block%{powershell.file.script_block_signature}# SIG # End signature block"
+ ignore_missing: true
+ ignore_failure: true
+ - gsub:
+ field: powershell.file.script_block_signature
+ pattern: "\\n# "
+ replacement: ""
+ ignore_missing: true
+ - gsub:
+ field: powershell.file.script_block_text
+ target_field: _temp.script_block_no_space
+ pattern: "\\s"
+ replacement: ""
+ ignore_missing: true
+ - fingerprint:
+ fields:
+ - _temp.script_block_no_space
+ target_field: powershell.file.script_block_hash
+ ignore_missing: true
 - split:
 description: Split Event 4103 command invocation details.
diff --git a/packages/windows/data_stream/forwarded/fields/fields.yml b/packages/windows/data_stream/forwarded/fields/fields.yml
index bcc69c61490..bd0273868d0 100644
--- a/packages/windows/data_stream/forwarded/fields/fields.yml
+++ b/packages/windows/data_stream/forwarded/fields/fields.yml
@@ -145,6 +145,16 @@
 Text of the executed script block.
 example: ".\\a_script.ps1"
+ - name: script_block_signature
+ type: keyword
+ description: >
+ If present in the script, the script signature.
+
+ - name: script_block_hash
+ type: keyword
+ description: >
+ A hash of the script to be used in rules.
+
 - name: powershell.process.executable_version
 type: keyword
 description: Version of the engine hosting process executable.
diff --git a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json b/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json
index e0d4ad99ac5..a50121575ba 100644
--- a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json
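Review bot: The `gsub` on `powershell.file.script_block_signature` strips every `\n# ` inside the dissected span but not the final `\n` that precedes `# SIG # End signature block`, so the signature value always ends in a newline — the expected fixture in this commit shows exactly that (`"...|>\n"`), and a rule doing an exact match against a signature taken from a file will miss. A `trim` on that field after the gsub fixes it; while there, `pattern: "\\r?\\n# "` would also cover script text that arrives with CRLF line endings, which the LF-only fixtures do not exercise (I have not confirmed what line endings the 4104 events carry in practice). The `fingerprint` processor sets no `method`, so it falls back to the processor default SHA-1 (the 28-character base64 value in the fixture is a 20-byte digest); since this hash is intended for matching in rules, pin the method explicitly now — `SHA-256` if the fixtures can be regenerated, otherwise `SHA-1` to make the current behaviour visible. `_temp.script_block_no_space` is left in the document by this hunk; presumably the pipeline already removes `_temp` further down, outside the hunk — worth confirming. The same processors are added verbatim in the `default.yml` hunk below; the same changes apply there.
```yaml
  - gsub:
      field: powershell.file.script_block_signature
      pattern: "\\r?\\n# "
      replacement: ""
      ignore_missing: true
  - trim:
      field: powershell.file.script_block_signature
      ignore_missing: true
  # … unchanged: gsub of script_block_text into _temp.script_block_no_space …
  - fingerprint:
      fields:
        - _temp.script_block_no_space
      target_field: powershell.file.script_block_hash
      method: SHA-256
      ignore_missing: true
```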
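Review bot: The two new field descriptions in `fields.yml` do not say what the values are, and a rule author needs that to use them: `script_block_hash` is the fingerprint processor's digest (SHA-1 by default, base64-encoded, given no `method` is set in the pipeline hunk) over `script_block_text` with all whitespace removed and any signature block left in, so it is not comparable to a file hash and the same code signed and unsigned hashes differently. Suggested text for the hash: `Base64-encoded SHA-1 fingerprint of script_block_text with all whitespace removed; the signature block, if any, is included. Intended for grouping and allow/deny matching in rules, not comparable to a file hash.` For the signature: `Base64 Authenticode signature extracted from the "# SIG #" comment block of the script, with the "# " line prefixes removed. Absent when the script block is not signed.` The identical descriptions also appear in the `powershell_operational/fields/fields.yml` hunk and the two generated README table rows, which should be regenerated after the change.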
+++ b/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json
@@ -148,7 +148,7 @@
 "event_data": {
 "MessageNumber": "1",
 "MessageTotal": "1",
- "ScriptBlockText": ".\\patata.ps1",
+ "ScriptBlockText": "# SIG # Begin signature block\n# MIIbDQYJKoZIhvcNAQcCoIIa/jCCGvoCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB\n# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR\n# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUxKaXN7doWq+mq18IrzABoXMr\n# 4l6gghXyMIIEoDCCA4igAwIBAgIKYRr16gAAAAAAajANBgkqhkiG9w0BAQUFADB5\n# MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVk\n# bW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSMwIQYDVQQDExpN\n# aWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQTAeFw0xMTExMDEyMjM5MTdaFw0xMzAy\n# MDEyMjQ5MTdaMIGDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQ\n# MA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u\n# SIG # End signature block\n\n.\\patata.ps1",
 "ScriptBlockId": "50d2dbda-7361-4926-a94d-d9eadfdb43fa"
 },
 "provider_name": "Microsoft-Windows-PowerShell",
diff --git a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json
index eb795f24c9c..e30c8da8015 100644
--- a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json
+++ b/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json
@@ -232,8 +232,10 @@
 },
 "powershell": {
 "file": {
+ "script_block_hash": "GDs0QECaJqoAYuKAnsifUYS309U=",
 "script_block_id": "50d2dbda-7361-4926-a94d-d9eadfdb43fa",
- "script_block_text": ".\\patata.ps1"
+ "script_block_signature": "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\n",
+ "script_block_text": "# SIG # Begin signature block\n# MIIbDQYJKoZIhvcNAQcCoIIa/jCCGvoCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB\n# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR\n# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUxKaXN7doWq+mq18IrzABoXMr\n# 4l6gghXyMIIEoDCCA4igAwIBAgIKYRr16gAAAAAAajANBgkqhkiG9w0BAQUFADB5\n# MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVk\n# bW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSMwIQYDVQQDExpN\n# aWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQTAeFw0xMTExMDEyMjM5MTdaFw0xMzAy\n# MDEyMjQ5MTdaMIGDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQ\n# MA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u\n# SIG # End signature block\n\n.\\patata.ps1"
 },
 "sequence": 1,
 "total": 1
diff --git a/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml
index c2d3784f20a..3e248ce3518 100644
--- a/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml
@@ -290,6 +290,30 @@ processors:
 ignore_failure: true
 ignore_missing: true
 if: ctx?.winlog?.event_data?.ScriptBlockText != ""
+ - trim:
+ field: powershell.file.script_block_text
+ ignore_missing: true
+ - dissect:
+ field: powershell.file.script_block_text
+ pattern: "# SIG # Begin signature block%{powershell.file.script_block_signature}# SIG # End signature block"
+ ignore_missing: true
+ ignore_failure: true
+ - gsub:
+ field: powershell.file.script_block_signature
+ pattern: "\\n# "
+ replacement: ""
+ ignore_missing: true
+ - gsub:
+ field: powershell.file.script_block_text
+ target_field: _temp.script_block_no_space
+ pattern: "\\s"
+ replacement: ""
+ ignore_missing: true
+ - fingerprint:
+ fields:
+ - _temp.script_block_no_space
+ target_field: powershell.file.script_block_hash
+ ignore_missing: true
 - split:
 description: Split Event 4103 command invocation details.
diff --git a/packages/windows/data_stream/powershell_operational/fields/fields.yml b/packages/windows/data_stream/powershell_operational/fields/fields.yml
index 508fa4d2b8e..622bf3033b0 100644
--- a/packages/windows/data_stream/powershell_operational/fields/fields.yml
+++ b/packages/windows/data_stream/powershell_operational/fields/fields.yml
@@ -106,6 +106,16 @@
 Text of the executed script block.
 example: ".\\a_script.ps1"
+ - name: script_block_signature
+ type: keyword
+ description: >
+ If present in the script, the script signature.
+
+ - name: script_block_hash
+ type: keyword
+ description: >
+ A hash of the script to be used in rules.
+
 - name: powershell.process.executable_version
 type: keyword
 description: Version of the engine hosting process executable.
diff --git a/packages/windows/docs/README.md b/packages/windows/docs/README.md
index 426ea19070d..c94f838c86a 100644
--- a/packages/windows/docs/README.md
+++ b/packages/windows/docs/README.md
@@ -2107,7 +2107,9 @@ An example event for `powershell_operational` looks as following:
 | powershell.engine.new_state | New state of the PowerShell engine. | keyword |
 | powershell.engine.previous_state | Previous state of the PowerShell engine. | keyword |
 | powershell.engine.version | Version of the PowerShell engine version used to execute the command. | keyword |
+| powershell.file.script_block_hash | A hash of the script to be used in rules. | keyword |
 | powershell.file.script_block_id | Id of the executed script block. | keyword |
+| powershell.file.script_block_signature | If present in the script, the script signature. | keyword |
 | powershell.file.script_block_text | Text of the executed script block. | text |
 | powershell.id | Shell Id. | keyword |
 | powershell.pipeline_id | Pipeline id. | keyword |
diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml
index 3c7ca7072f3..a902c901b9d 100644
--- a/packages/windows/manifest.yml
+++ b/packages/windows/manifest.yml
@@ -1,6 +1,6 @@
 name: windows
 title: Windows
-version: 1.44.5
+version: 1.45.0
 description: Collect logs and metrics from Windows OS and services with Elastic Agent.
 type: integration
 categories: