Hi,
I'm trying to make a whitelist for encoded commands which IT Support use and I'm having a problem getting an inputlookup to match against a particular entry in the csv.
The query which I'm using is
(index=wineventlog sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR tag=process) process=*powershell* (CommandLine="*-EncodedCommand*" OR CommandLine="*-enc*")
| search NOT
[| inputlookup CommandLine_whitelist.csv ]
| stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process, CommandLine
And I'm trying to exclude this CommandLine (this is exactly how it appears in the logs):
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noninteractive -noprofile -encodedCommand RwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFUAbgBpAG4AcwB0AGEAbABsAFwAKgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4ARABpAHMAcABsAGEAeQBOAGEAbQBlAC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAIAAtAGEAbgBkACAAJABfAC4AUABTAEMAaABpAGwAZABOAGEAbQBlAC4AbABlAG4AZwB0AGgAIAAtAGwAdAAgADMAOQAgAC0AYQBuAGQAIAAkAF8ALgBVAG4AaQBuAHMAdABhAGwAbABTAHQAcgBpAG4AZwAgAC0AbABpAGsAZQAgACIAKgBtAHMAaQBlAHgAZQBjACoAIgB9ACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIABEAGkAcwBwAGwAYQB5AE4AYQBtAGUALAAgAFAAUwBDAGgAaQBsAGQATgBhAG0AZQAsACAARABpAHMAcABsAGEAeQBWAGUAcgBzAGkAbwBuACwAIABJAG4AcwB0AGEAbABsAEQAYQB0AGUAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAEAAewBOAGEAbQBlAD0AJwBBAHAAcAAgAE4AYQBtAGUAJwA7AEUAeAA9AHsAJABfAC4ARABpAHMAcABsAGEAeQBOAGEAbQBlAH0AfQAsAGAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQAB7AE4AYQBtAGUAPQAYIFAAcgBvAGQAdQBjAHQAIABDAG8AZABlABggOwBFAHgAcAByAGUAcwBzAGkAbwBuAD0AewAkAF8ALgBQAFMAQwBoAGkAbABkAE4AYQBtAGUAfQB9ACwAYAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABAAHsATgBhAG0AZQA9ABggVgBlAHIAcwBpAG8AbgAZIDsARQB4AHAAcgBlAHMAcwBpAG8AbgA9AHsAJABfAC4ARABpAHMAcABsAGEAeQBWAGUAcgBzAGkAbwBuAH0AfQAsAGAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQAB7AE4AYQBtAGUAPQAYIEkAbgBzAHQAYQBsAGwAZQBkACAATwBuABkgOwBFAHgAcAByAGUAcwBzAGkAbwBuAD0AewAkAF8ALgBJAG4AcwB0AGEAbABsAEQAYQB0AGUAfQB9ACAAfAAgAFMAbwByAHQAIAAnAEEAcABwACAATgBhAG0AZQAnAA== -inputFormat xml -outputFormat xml
We have other / longer commands which work without a problem, but for the life of me, I cannot get this to work. I'm guessing it has something to do with something in the encoded string which is breaking matching on it, but I don't know what it is, or how to fix it.
Any help would be greatly appreciated.
Thanks,
Steve
Doing windows logs with lots of escaping is a pain. consider doing an md5 hash of the. command string and don't inputlookup. Use a lookup as a lookup. Just make sure you lookup is of the hash values.
(index=wineventlog sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR tag=process) process=*powershell* (CommandLine="*-EncodedCommand*" OR CommandLine="*-enc*")
| eval command_hash=md5(CommandLine)
| lookup CommandLine_whitelist command_hash OUTPUTNEW command_hash AS isFound
| where isnull(command_hash)
Doing windows logs with lots of escaping is a pain. consider doing an md5 hash of the. command string and don't inputlookup. Use a lookup as a lookup. Just make sure you lookup is of the hash values.
(index=wineventlog sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR tag=process) process=*powershell* (CommandLine="*-EncodedCommand*" OR CommandLine="*-enc*")
| eval command_hash=md5(CommandLine)
| lookup CommandLine_whitelist command_hash OUTPUTNEW command_hash AS isFound
| where isnull(command_hash)
This works great thanks.