-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MetricBeat is Triggering Avoidable Credential Dumping False Positives #41407
Comments
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane) |
@andrewkroh said that go-sysinfo has similar code which can likely be improved: https://github.com/elastic/go-sysinfo/blob/323c852f7ef4e11d668f3eb99ecaf9c6baa967c9/providers/windows/process_windows.go#L266-L285 |
FYI @VihasMakwana since you have been addressing some of the other unnecessary sources of errors in the system module. |
@gabriellandau For process args: |
We should probably update gosigar for handling the process memory without But as far as metricbeat is concerned, I don't think we need to make any additional changes. cc: @cmacknz |
Makes sense to me. We still depend on gosigar so fixing it there will potentially save us from accidentally regressing on this somewhere else in the future. |
Thanks for clarifying. So the original question remains:
|
As per https://learn.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-getprocessmemoryinfo, GetProcessMemoryInfo doesn't need PROCESS_VM_READ. Hence, remove it and only use PROCESS_QUERY_LIMITED_INFORMATION. Relates: elastic/beats#41407
elastic/elastic-agent-system-metrics#198 up for review. |
…ted processes (currently, lsass.exe) (#198) See elastic/beats#41407 for more details. TL;DR; Processes such as `lsass.exe` has no meaningful cmd line and and can trigger false positives with Windows ASR rules. We can find pid for that using `SYSTEM\\CurrentControlSet\\Control\\Lsa` path Relates elastic/beats#41407 --------- Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com>
MetricBeat uses gosigar for ProcMem and ProcArgs. Both of these calls request
PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ
which can trigger credential dumping false positives in third-party security software. We can avoid this problem with two simple changes, reducing SDH, customer headache, and vulnerabilities/blindspots created through customer exceptions in their security software. As a benefit, we'll be able to collect some data that we couldn't collect previously.ProcMem::Get()
ProcMem::Get()
requestsPROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ
here. The handle is forGetProcessMemoryInfo
. The docs forGetProcessMemoryInfo
state thatPROCESS_VM_READ
is only needed for XP and Server 2003. Agent no longer supports either of those platforms, so let's stop requesting/requiringPROCESS_VM_READ
.Another important point is that we will never successfully acquire a
PROCESS_VM_READ
handle on any Protected Process or PPL, meaning this function will always fail on those processes. Since it's unnecessary forGetProcessMemoryInfo
, then this function is failing needlessly on such processes. As a simple test for this, check whether you are getting memory information forservices.exe
which always runs as PPL.ProcArgs::Get()
ProcArgs::Get()
requestsPROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ
here.lsass.exe
never has a meaningful command line (screenshot below), so can we skip callingProcArgs::Get()
onlsass.exe
?Its PID can be found in the registry. We can query that value once and cache the value because it will never change until reboot. This LSA exclusion logic may be better put outside of gosigar itself.
For confirmed bugs, please report:
The text was updated successfully, but these errors were encountered: