MetricBeat is Triggering Avoidable Credential Dumping False Positives #41407
Assignees
Labels
Comments
botelastic
bot
added
the
needs_team
gabriellandau
changed the title
leehinman
added
the
Team:Elastic-Agent-Data-Plane
|
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane) |
botelastic
bot
removed
the
needs_team
|
@andrewkroh said that go-sysinfo has similar code which can likely be improved: https://github.com/elastic/go-sysinfo/blob/323c852f7ef4e11d668f3eb99ecaf9c6baa967c9/providers/windows/process_windows.go#L266-L285 |
|
FYI @VihasMakwana since you have been addressing some of the other unnecessary sources of errors in the system module. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
MetricBeat uses gosigar for ProcMem and ProcArgs. Both of these calls request
PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READwhich can trigger credential dumping false positives in third-party security software. We can avoid this problem with two simple changes, reducing SDH, customer headache, and vulnerabilities/blindspots created through customer exceptions in their security software. As a benefit, we'll be able to collect some data that we couldn't collect previously.ProcMem::Get()ProcMem::Get()requestsPROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READhere. The handle is forGetProcessMemoryInfo. The docs forGetProcessMemoryInfostate thatPROCESS_VM_READis only needed for XP and Server 2003. Agent no longer supports either of those platforms, so let's stop requesting/requiringPROCESS_VM_READ.Another important point is that we will never successfully acquire a
PROCESS_VM_READhandle on any Protected Process or PPL, meaning this function will always fail on those processes. Since it's unnecessary forGetProcessMemoryInfo, then this function is failing needlessly on such processes. As a simple test for this, check whether you are getting memory information forservices.exewhich always runs as PPL.ProcArgs::Get()ProcArgs::Get()requestsPROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READhere.lsass.exenever has a meaningful command line (screenshot below), so can we skip callingProcArgs::Get()onlsass.exe?Its PID can be found in the registry. We can query that value once and cache the value because it will never change until reboot. This LSA exclusion logic may be better put outside of gosigar itself.
For confirmed bugs, please report:
The text was updated successfully, but these errors were encountered: