Skip to content

Commit

Permalink
[8.15] [Security Solution] [Attack discovery] Fixes a display issue w…
Browse files Browse the repository at this point in the history
…hen an entity is repeated (#193428) (#193497)

# Backport

This will backport the following commits from `main` to `8.15`:
- [[Security Solution] [Attack discovery] Fixes a display issue when an
entity is repeated
(#193428)](#193428)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Andrew
Macri","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-09-19T22:37:50Z","message":"[Security
Solution] [Attack discovery] Fixes a display issue when an entity is
repeated (#193428)\n\n## [Security Solution] [Attack discovery] Fixes a
display issue when an entity is repeated\r\n\r\n### Summary\r\n\r\nThis
PR fixes a display issue in Attack discovery where entities repeated in
a description were displayed with a UUID instead of the value, as
illustrated by the _Before_ and _After_ screenshots
below:\r\n\r\n**Before**\r\n\r\n![before](https://github.com/user-attachments/assets/9197c9b0-27d2-4f46-a967-35bb8ca254d0)\r\n\r\n**After**\r\n\r\n![after](https://github.com/user-attachments/assets/2d7c16bd-972c-45cc-a22f-abe7c8c6c019)","sha":"a84a045e353c8bb2b3780065adbccc2b66b15d46","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","v9.0.0","Team:
SecuritySolution","backport:prev-minor","Team:Security Generative
AI","v8.16.0","v8.15.2"],"title":"[Security Solution] [Attack discovery]
Fixes a display issue when an entity is
repeated","number":193428,"url":"https://github.com/elastic/kibana/pull/193428","mergeCommit":{"message":"[Security
Solution] [Attack discovery] Fixes a display issue when an entity is
repeated (#193428)\n\n## [Security Solution] [Attack discovery] Fixes a
display issue when an entity is repeated\r\n\r\n### Summary\r\n\r\nThis
PR fixes a display issue in Attack discovery where entities repeated in
a description were displayed with a UUID instead of the value, as
illustrated by the _Before_ and _After_ screenshots
below:\r\n\r\n**Before**\r\n\r\n![before](https://github.com/user-attachments/assets/9197c9b0-27d2-4f46-a967-35bb8ca254d0)\r\n\r\n**After**\r\n\r\n![after](https://github.com/user-attachments/assets/2d7c16bd-972c-45cc-a22f-abe7c8c6c019)","sha":"a84a045e353c8bb2b3780065adbccc2b66b15d46"}},"sourceBranch":"main","suggestedTargetBranches":["8.x","8.15"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/193428","number":193428,"mergeCommit":{"message":"[Security
Solution] [Attack discovery] Fixes a display issue when an entity is
repeated (#193428)\n\n## [Security Solution] [Attack discovery] Fixes a
display issue when an entity is repeated\r\n\r\n### Summary\r\n\r\nThis
PR fixes a display issue in Attack discovery where entities repeated in
a description were displayed with a UUID instead of the value, as
illustrated by the _Before_ and _After_ screenshots
below:\r\n\r\n**Before**\r\n\r\n![before](https://github.com/user-attachments/assets/9197c9b0-27d2-4f46-a967-35bb8ca254d0)\r\n\r\n**After**\r\n\r\n![after](https://github.com/user-attachments/assets/2d7c16bd-972c-45cc-a22f-abe7c8c6c019)","sha":"a84a045e353c8bb2b3780065adbccc2b66b15d46"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.15","label":"v8.15.2","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Andrew Macri <[email protected]>
  • Loading branch information
kibanamachine and andrew-goldstein authored Sep 20, 2024
1 parent b8653b2 commit 2f4316a
Show file tree
Hide file tree
Showing 2 changed files with 47 additions and 8 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ describe('AttackDiscoveryTab', () => {
const mockReplacements: Replacements = {
'5e454c38-439c-4096-8478-0a55511c76e3': 'foo.hostname',
'3bdc7952-a334-4d95-8092-cd176546e18a': 'bar.username',
'c5ba13c4-2391-4045-962e-ec965fc1eb06': 'SRVWIN07',
'2da30969-4127-4ddb-ba0c-2d8ac44d15d7': 'Administrator',
};

describe('when showAnonymized is false', () => {
Expand Down Expand Up @@ -136,4 +138,39 @@ describe('AttackDiscoveryTab', () => {
expect(investigateInTimelineButton).toBeInTheDocument();
});
});

describe('when multiple substitutions for the same replacement are required', () => {
it('replaces all occurrences', () => {
const detailsMarkdownRequiresMultipleSubstitutions =
'## Microsoft Office spawned PowerShell obfuscation on host {{ host.name c5ba13c4-2391-4045-962e-ec965fc1eb06 }} by user {{ user.name 2da30969-4127-4ddb-ba0c-2d8ac44d15d7 }}\n* **Tactic:** Initial Access, Execution\n* **Technique:** Phishing, Command and Scripting Interpreter\n* **Subtechnique:** Spearphishing Attachment, PowerShell\n\nThe user {{ user.name 2da30969-4127-4ddb-ba0c-2d8ac44d15d7 }} opened a malicious Microsoft Word document ({{ process.parent.executable C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE }}) that dropped and executed a VBScript file ({{ process.parent.args wscript C:\\ProgramData\\WindowsAppPool\\AppPool.vbs }}). This VBScript file then created a scheduled task ({{ process.command_line \\"C:\\Windows\\System32\\cmd.exe\\" /C schtasks /create /F /sc minute /mo 1 /tn \\"\\WindowsAppPool\\AppPool\\" /tr \\"wscript /b \\"C:\\ProgramData\\WindowsAppPool\\AppPool.vbs\\"\\" }}) to execute the VBScript every minute. The VBScript then spawned an obfuscated PowerShell process ({{ process.command_line \\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\\" -exec bypass -file C:\\ProgramData\\WindowsAppPool\\AppPool.ps1 }}). This sequence of events suggests an attempt to gain initial access to the host and establish persistence through scheduled tasks and obfuscated PowerShell scripts.';

const expected = `Microsoft Office spawned PowerShell obfuscation on host SRVWIN07 by user Administrator
Tactic: Initial Access, Execution
Technique: Phishing, Command and Scripting Interpreter
Subtechnique: Spearphishing Attachment, PowerShell
The user Administrator opened a malicious Microsoft Word document (C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE) that dropped and executed a VBScript file (wscript C:\\ProgramData\\WindowsAppPool\\AppPool.vbs). This VBScript file then created a scheduled task (\\"C:\\Windows\\System32\\cmd.exe\\" /C schtasks /create /F /sc minute /mo 1 /tn \\"\\WindowsAppPool\\AppPool\\" /tr \\"wscript /b \\"C:\\ProgramData\\WindowsAppPool\\AppPool.vbs\\"\\") to execute the VBScript every minute. The VBScript then spawned an obfuscated PowerShell process (\\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\\" -exec bypass -file C:\\ProgramData\\WindowsAppPool\\AppPool.ps1 ). This sequence of events suggests an attempt to gain initial access to the host and establish persistence through scheduled tasks and obfuscated PowerShell scripts.`;

const mockAttackDiscoveryWithMultipleSubstitutions = {
...mockAttackDiscovery,
detailsMarkdown: detailsMarkdownRequiresMultipleSubstitutions,
};

render(
<TestProviders>
<AttackDiscoveryTab
attackDiscovery={mockAttackDiscoveryWithMultipleSubstitutions}
replacements={mockReplacements}
showAnonymized={false}
/>
</TestProviders>
);

const markdownFormatters = screen.getAllByTestId('attackDiscoveryMarkdownFormatter');
const detailsMarkdown = markdownFormatters[1];

expect(detailsMarkdown.textContent).toEqual(expected);
});
});
});
Original file line number Diff line number Diff line change
Expand Up @@ -34,19 +34,21 @@ const AttackDiscoveryTabComponent: React.FC<Props> = ({

const summaryMarkdownWithReplacements = useMemo(
() =>
Object.entries<string>(replacements ?? {}).reduce(
(acc, [key, value]) => acc.replace(key, value),
summaryMarkdown
),
Object.entries<string>(replacements ?? {}).reduce((acc, [key, value]) => {
const regex = new RegExp(key, 'g');

return acc.replace(regex, value);
}, summaryMarkdown),
[replacements, summaryMarkdown]
);

const detailsMarkdownWithReplacements = useMemo(
() =>
Object.entries<string>(replacements ?? {}).reduce(
(acc, [key, value]) => acc.replace(key, value),
detailsMarkdown
),
Object.entries<string>(replacements ?? {}).reduce((acc, [key, value]) => {
const regex = new RegExp(key, 'g');

return acc.replace(regex, value);
}, detailsMarkdown),
[detailsMarkdown, replacements]
);

Expand Down

0 comments on commit 2f4316a

Please sign in to comment.