IBM QRadar

Hello,

We're observing a logs coming from a windows machine for powersehel command execution, but the command is not logged in Qradar.

Any hint on this one?

<13>Jun 01 13:28:49 <removed> AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-PowerShell/Operational PluginVersion=7.3.0.41 Source=Microsoft-Windows-PowerShell Computer=<removed> OriginatingComputer=<removed>

User=SYSTEM Domain=NT AUTHORITY

EventID=4103

EventIDCode=4103

EventType=4

EventCategory=106

RecordNumber=165509

TimeGenerated=1622550252

TimeWritten=1622550252

Level=Informational Keywords=0

Task=ExecutePipeline

Opcode=20

Message=CommandInvocation(Add-Type): "Add-Type" ParameterBinding(Add-Type): name="TypeDefinition"; value="

namespace AuditEventPolicy

{

using System;

using System.Runtime.InteropServices;

public static class AuditEventPolicy

{

[StructLayout(LayoutKind.Sequential)]

internal struct LSA_UNICODE_STRING

{

public UInt16 Length;

public UInt16 MaximumLength;

public IntPtr Buffer;

public void SetTo(string str)

{

Buffer = Marshal.StringToHGlobalUni(str);

Length = (UInt16)(str.Length * System.Text.UnicodeEncoding.CharSize);

MaximumLength = (UInt16)(Length + System.Text.UnicodeEncoding.CharSize);

//Console.WriteLine("SetTo: {2} ({3}) Length: {0} Max: {1}", Length, MaximumLength, str, str.Length);

}

public override string ToString()

{

string str = Marshal.PtrToStringUni(Buffer, Length/System.Text.UnicodeEncoding.CharSize);

//Console.WriteLine("ToString: {2} ({3}) Length: {0} Max: {1}", Length, MaximumLength, str, str.Length);

return str;

}

public void Clean()

{

//Console.WriteLine("Clean Length: {0} Max: {1}", Length, MaximumLength);

if (Buffer != IntPtr.Zero)

Marshal.FreeHGlobal(Buffer);

Buffer = IntPtr.Zero;

Length = 0;

MaximumLength = 0;

}

};

[StructLayout(LayoutKind.Sequential)]

internal struct LSA_OBJECT_ATTRIBUTES

{

public int Length;

public IntPtr RootDirectory;

public LSA_UNICODE_STRING ObjectName;

public UInt32 Attributes;

public IntPtr SecurityDescriptor;

public IntPtr SecurityQualityOfService;

};

internal enum LSA_AccessPolicy : long

{

POLICY_VIEW_LOCAL_INFORMATION = 0x00000001L,

POLICY_VIEW_AUDIT_INFORMATION = 0x00000002L,

POLICY_GET_PRIVATE_INFORMATION = 0x00000004L,

POLICY_TRUST_ADMIN = 0x00000008L,

POLICY_CREATE_ACCOUNT = 0x00000010L,

POLICY_CREATE_SECRET = 0x00000020L,

POLICY_CREATE_PRIVILEGE = 0x00000040L,

POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080L,

POLICY_SET_AUDIT_REQUIREMENTS = 0x00000100L,

POLICY_AUDIT_LOG_ADMIN = 0x00000200L,

POLICY_SERVER_ADMIN = 0x00000400L,

POLICY_LOOKUP_NAMES = 0x00000800L,

POLICY_NOTIFICATION = 0x00001000L

};

internal enum POLICY_INFORMATION_CLASS

{

PolicyAuditLogInformation = 1,

PolicyAuditEventsInformation,

PolicyPrimaryDomainInformation,

PolicyPdAccountInformation,

PolicyAccountDomainInformation,

PolicyLsaServerRoleInformation,

PolicyReplicaSourceInformation,

PolicyDefaultQuo

Have you tried to use the event view to try to configure an XPath query to send powershell logs to QRadar. It might be something is not configured correctly on the Windows host

https://www.ibm.com/support/pages/qradar-wincollect-how-use-microsoft-event-viewer-create-xpath-query

I believe that this was fixed in a 2021 auto update and you can run an auto update to confirm if the parsing issue is resolved. If this issue still exists, you should update this post or open a support case for us to investigate further.

This also seems to be a discussion about the same event ID 4103 here: https://www.ibm.com/mysupport/s/question/0D50z00006PEJkXCAX/wincollect-forwarded-events

If the events for ID 4103 are not parsing correctly, you might need to open a support case if this issue still exists. I would add a filter on Log Activity for "Event is Unparsed" = True and see if there are pieces of this event being truncated or just going to Stored as there are special characters in the payload for the command that is breaking parsing patterns for the Microsoft Windows Security Event Log DSM.