{
"agent": {
"name": "EC2AMAZ-O8G96EI",
"id": "36149601-f28f-469f-90ac-228e41049d51",
"ephemeral_id": "cf7adf4d-ba58-4ba2-acab-df6930d4f5e1",
"type": "filebeat",
"version": "8.13.0"
},
"winlog": {
"computer_name": "EC2AMAZ-O8G96EI",
"record_id": 67086,
"event_id": "600",
"task": "Provider Lifecycle",
"keywords": [
"Classic"
],
"channel": "Windows PowerShell",
"event_data": {
"HostApplication": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe function Convert-GuidToCompressedGuid {",
"ProviderName": "Function",
"SequenceNumber": "9",
"NewProviderState": "Started",
"param3": "\tProviderName=Function\n\tNewProviderState=Started\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.20348.2227\n\tHostId=00654153-46ad-42bf-ad06-3bfce5c65b55\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe function Convert-GuidToCompressedGuid {\n\t\t\t\t\t\t[CmdletBinding()]\n\t\t\t\t\t\t[OutputType('System.String')]\n\t\t\t\t\t\tparam (\n\t\t\t\t\t\t\t[Parameter(ValueFromPipeline=\"\", ValueFromPipelineByPropertyName=\"\", Mandatory=$true)]\n\t\t\t\t\t\t\t[string]$Guid\n\t\t\t\t\t\t)\n\t\t\t\t\t\tbegin {\n\t\t\t\t\t\t\t$Guid = $Guid.Replace('-', '').Replace('{', '').Replace('}', '')\n\t\t\t\t\t\t}\n\t\t\t\t\t\tprocess {\n\t\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\t\t$Groups = @(\n\t\t\t\t\t\t\t\t\t$Guid.Substring(0, 8).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(8, 4).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(12, 4).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(16, 16).ToCharArray()\n\t\t\t\t\t\t\t\t)\n\t\t\t\t\t\t\t\t$Groups[0..2] | foreach {\n\t\t\t\t\t\t\t\t\t[array]::Reverse($_)\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t$CompressedGuid = ($Groups[0..2] | foreach { $_ -join '' }) -join ''\n\n\t\t\t\t\t\t\t\t$chararr = $Groups[3]\n\t\t\t\t\t\t\t\tfor ($i = 0; $i -lt $chararr.count; $i++) {\n\t\t\t\t\t\t\t\t\tif (($i % 2) -eq 0) {\n\t\t\t\t\t\t\t\t\t\t$CompressedGuid += ($chararr[$i+1] + $chararr[$i]) -join ''\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t$CompressedGuid\n\t\t\t\t\t\t\t} catch {\n\t\t\t\t\t\t\t\tWrite-Error $_.Exception.Message\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n function Clean-Quotes-Backslash {\n param ([string]$str)\n if($str.length -ge 2 -and $str.Substring(0,1) -eq '\"' -and $str.Substring($str.length - 1) -eq '\"'){\n $str = $str.Substring(1, $str.length - 2)\n }\n $str = $str.Replace('\\', '\\\\')\n $str = $str.Replace('\"', '\\\"')\n return $str\n }\n\t\t\t\t $products = Get-ItemProperty HKLM:\\Software\\Classes\\Installer\\Products\\* | 
Select-Object @{n=\"PSChildName\";e={$_.\"PSChildName\"}} |\n\t\t\t\t Select -expand PSChildName\n\n\t\t\t\t \n[Console]::OutputEncoding = [System.Text.Encoding]::UTF8\nGet-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* |\nWhere-Object {($_.DisplayName -ne $null -and $_DisplayName -ne '' -and $_.DisplayName -notmatch '^KB[000000-999999]') -and\n\t($_.SystemComponent -eq $null -or ($_.SystemComponent -ne $null -and $_.SystemComponent -eq '0')) -and\n\t($_.ParentKeyName -eq $null) -and\n\t($_.WindowsInstaller -eq $null -or ($_.WindowsInstaller -eq '0') -or ($_.WindowsInstaller -eq 1 -and $products -contains (Convert-GuidToCompressedGuid $_.PSChildName))) -and\n\t($_.ReleaseType -eq $null -or ($_.ReleaseType -ne $null -and\n\t\t$_.ReleaseType -ne 'Security Update' -and\n\t\t$_.ReleaseType -ne 'Update Rollup' -and\n\t\t$_.ReleaseType -ne 'Hotfix'))\n} |\nSelect-Object @{n=\"Name\";e={$_.\"DisplayName\"}},\n\t@{n=\"PackageId\";e={$_.\"PSChildName\"}}, @{n=\"Version\";e={$_.\"DisplayVersion\"}}, Publisher,\n\t@{n=\"InstalledTime\";e={[datetime]::ParseExact($_.\"InstallDate\",\"yyyyMMdd\",$null).ToUniversalTime().ToString(\"yyyy-MM-ddTHH:mm:ssZ\")}} | % { [Console]::WriteLine(@\"\n{\"Name\":\"$(Clean-Quotes-Backslash $_.Name)\",\"PackageId\":\"$($_.PackageId)\",\"Version\":\"$(Clean-Quotes-Backslash $_.Version)\",\"Publisher\":\"$(Clean-Quotes-Backslash $_.Publisher)\",\"InstalledTime\":\"$($_.InstalledTime)\"},\n\"@)} \n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
"HostId": "00654153-46ad-42bf-ad06-3bfce5c65b55",
"param1": "Function",
"HostName": "ConsoleHost",
"HostVersion": "5.1.20348.2227",
"param2": "Started"
},
"api": "wineventlog",
"provider_name": "PowerShell",
"opcode": "Info"
},
"log": {
"level": "information"
},
"elastic_agent": {
"id": "36149601-f28f-469f-90ac-228e41049d51",
"version": "8.13.0",
"snapshot": false
},
"message": "Provider \"Function\" is Started. \n\nDetails: \n\tProviderName=Function\n\tNewProviderState=Started\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.20348.2227\n\tHostId=00654153-46ad-42bf-ad06-3bfce5c65b55\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe function Convert-GuidToCompressedGuid {\n\t\t\t\t\t\t[CmdletBinding()]\n\t\t\t\t\t\t[OutputType('System.String')]\n\t\t\t\t\t\tparam (\n\t\t\t\t\t\t\t[Parameter(ValueFromPipeline=\"\", ValueFromPipelineByPropertyName=\"\", Mandatory=$true)]\n\t\t\t\t\t\t\t[string]$Guid\n\t\t\t\t\t\t)\n\t\t\t\t\t\tbegin {\n\t\t\t\t\t\t\t$Guid = $Guid.Replace('-', '').Replace('{', '').Replace('}', '')\n\t\t\t\t\t\t}\n\t\t\t\t\t\tprocess {\n\t\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\t\t$Groups = @(\n\t\t\t\t\t\t\t\t\t$Guid.Substring(0, 8).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(8, 4).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(12, 4).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(16, 16).ToCharArray()\n\t\t\t\t\t\t\t\t)\n\t\t\t\t\t\t\t\t$Groups[0..2] | foreach {\n\t\t\t\t\t\t\t\t\t[array]::Reverse($_)\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t$CompressedGuid = ($Groups[0..2] | foreach { $_ -join '' }) -join ''\n\n\t\t\t\t\t\t\t\t$chararr = $Groups[3]\n\t\t\t\t\t\t\t\tfor ($i = 0; $i -lt $chararr.count; $i++) {\n\t\t\t\t\t\t\t\t\tif (($i % 2) -eq 0) {\n\t\t\t\t\t\t\t\t\t\t$CompressedGuid += ($chararr[$i+1] + $chararr[$i]) -join ''\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t$CompressedGuid\n\t\t\t\t\t\t\t} catch {\n\t\t\t\t\t\t\t\tWrite-Error $_.Exception.Message\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n function Clean-Quotes-Backslash {\n param ([string]$str)\n if($str.length -ge 2 -and $str.Substring(0,1) -eq '\"' -and $str.Substring($str.length - 1) -eq '\"'){\n $str = $str.Substring(1, $str.length - 2)\n }\n $str = $str.Replace('\\', '\\\\')\n $str = $str.Replace('\"', '\\\"')\n return $str\n }\n\t\t\t\t $products = Get-ItemProperty 
HKLM:\\Software\\Classes\\Installer\\Products\\* | Select-Object @{n=\"PSChildName\";e={$_.\"PSChildName\"}} |\n\t\t\t\t Select -expand PSChildName\n\n\t\t\t\t \n[Console]::OutputEncoding = [System.Text.Encoding]::UTF8\nGet-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* |\nWhere-Object {($_.DisplayName -ne $null -and $_DisplayName -ne '' -and $_.DisplayName -notmatch '^KB[000000-999999]') -and\n\t($_.SystemComponent -eq $null -or ($_.SystemComponent -ne $null -and $_.SystemComponent -eq '0')) -and\n\t($_.ParentKeyName -eq $null) -and\n\t($_.WindowsInstaller -eq $null -or ($_.WindowsInstaller -eq '0') -or ($_.WindowsInstaller -eq 1 -and $products -contains (Convert-GuidToCompressedGuid $_.PSChildName))) -and\n\t($_.ReleaseType -eq $null -or ($_.ReleaseType -ne $null -and\n\t\t$_.ReleaseType -ne 'Security Update' -and\n\t\t$_.ReleaseType -ne 'Update Rollup' -and\n\t\t$_.ReleaseType -ne 'Hotfix'))\n} |\nSelect-Object @{n=\"Name\";e={$_.\"DisplayName\"}},\n\t@{n=\"PackageId\";e={$_.\"PSChildName\"}}, @{n=\"Version\";e={$_.\"DisplayVersion\"}}, Publisher,\n\t@{n=\"InstalledTime\";e={[datetime]::ParseExact($_.\"InstallDate\",\"yyyyMMdd\",$null).ToUniversalTime().ToString(\"yyyy-MM-ddTHH:mm:ssZ\")}} | % { [Console]::WriteLine(@\"\n{\"Name\":\"$(Clean-Quotes-Backslash $_.Name)\",\"PackageId\":\"$($_.PackageId)\",\"Version\":\"$(Clean-Quotes-Backslash $_.Version)\",\"Publisher\":\"$(Clean-Quotes-Backslash $_.Publisher)\",\"InstalledTime\":\"$($_.InstalledTime)\"},\n\"@)} \n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
"error": {
"message": [
"field [winlog.event_data.param3] does not contain value_split [=]"
]
},
"input": {
"type": "winlog"
},
"@timestamp": "2024-03-28T19:01:28.331Z",
"ecs": {
"version": "8.0.0"
},
"data_stream": {
"namespace": "42a2",
"type": "logs",
"dataset": "windows.powershell"
},
"host": {
"hostname": "ec2amaz-o8g96ei",
"os": {
"build": "20348.2340",
"kernel": "10.0.20348.2340 (WinBuild.160101.0800)",
"name": "Windows Server 2022 Datacenter",
"type": "windows",
"family": "windows",
"version": "10.0",
"platform": "windows"
},
"ip": [
"fe80::8b95:9e26:1cd1:b211",
"172.31.11.126"
],
"name": "ec2amaz-o8g96ei",
"id": "94ad70f4-2445-4e21-b989-0d07e78ff143",
"mac": [
"02-86-DF-E2-E5-A3"
],
"architecture": "x86_64"
},
"event": {
"agent_id_status": "verified",
"ingested": "2024-03-28T19:01:35Z",
"code": "600",
"provider": "PowerShell",
"created": "2024-03-28T19:01:29.046Z",
"kind": "pipeline_error",
"action": "Provider Lifecycle",
"dataset": "windows.powershell"
}
}
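The error is:
field [winlog.event_data.param3] does not contain value_split [=]

The key/value split of `winlog.event_data.param3` appears to fail because the `HostApplication` value is a multi-line inline script, so most of its lines contain no `=`. The event is then indexed with `event.kind: pipeline_error`, and `winlog.event_data.HostApplication` keeps only the first line of the command, so the script body is available only in `message` and `param3`.

Here is an example event: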
Details
Event:
{ "agent": { "name": "EC2AMAZ-O8G96EI", "id": "36149601-f28f-469f-90ac-228e41049d51", "ephemeral_id": "cf7adf4d-ba58-4ba2-acab-df6930d4f5e1", "type": "filebeat", "version": "8.13.0" }, "winlog": { "computer_name": "EC2AMAZ-O8G96EI", "record_id": 67086, "event_id": "600", "task": "Provider Lifecycle", "keywords": [ "Classic" ], "channel": "Windows PowerShell", "event_data": { "HostApplication": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe function Convert-GuidToCompressedGuid {", "ProviderName": "Function", "SequenceNumber": "9", "NewProviderState": "Started", "param3": "\tProviderName=Function\n\tNewProviderState=Started\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.20348.2227\n\tHostId=00654153-46ad-42bf-ad06-3bfce5c65b55\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe function Convert-GuidToCompressedGuid {\n\t\t\t\t\t\t[CmdletBinding()]\n\t\t\t\t\t\t[OutputType('System.String')]\n\t\t\t\t\t\tparam (\n\t\t\t\t\t\t\t[Parameter(ValueFromPipeline=\"\", ValueFromPipelineByPropertyName=\"\", Mandatory=$true)]\n\t\t\t\t\t\t\t[string]$Guid\n\t\t\t\t\t\t)\n\t\t\t\t\t\tbegin {\n\t\t\t\t\t\t\t$Guid = $Guid.Replace('-', '').Replace('{', '').Replace('}', '')\n\t\t\t\t\t\t}\n\t\t\t\t\t\tprocess {\n\t\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\t\t$Groups = @(\n\t\t\t\t\t\t\t\t\t$Guid.Substring(0, 8).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(8, 4).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(12, 4).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(16, 16).ToCharArray()\n\t\t\t\t\t\t\t\t)\n\t\t\t\t\t\t\t\t$Groups[0..2] | foreach {\n\t\t\t\t\t\t\t\t\t[array]::Reverse($_)\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t$CompressedGuid = ($Groups[0..2] | foreach { $_ -join '' }) -join ''\n\n\t\t\t\t\t\t\t\t$chararr = $Groups[3]\n\t\t\t\t\t\t\t\tfor ($i = 0; $i -lt $chararr.count; $i++) {\n\t\t\t\t\t\t\t\t\tif (($i % 2) -eq 0) {\n\t\t\t\t\t\t\t\t\t\t$CompressedGuid += ($chararr[$i+1] + $chararr[$i]) -join 
''\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t$CompressedGuid\n\t\t\t\t\t\t\t} catch {\n\t\t\t\t\t\t\t\tWrite-Error $_.Exception.Message\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n function Clean-Quotes-Backslash {\n param ([string]$str)\n if($str.length -ge 2 -and $str.Substring(0,1) -eq '\"' -and $str.Substring($str.length - 1) -eq '\"'){\n $str = $str.Substring(1, $str.length - 2)\n }\n $str = $str.Replace('\\', '\\\\')\n $str = $str.Replace('\"', '\\\"')\n return $str\n }\n\t\t\t\t $products = Get-ItemProperty HKLM:\\Software\\Classes\\Installer\\Products\\* | Select-Object @{n=\"PSChildName\";e={$_.\"PSChildName\"}} |\n\t\t\t\t Select -expand PSChildName\n\n\t\t\t\t \n[Console]::OutputEncoding = [System.Text.Encoding]::UTF8\nGet-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* |\nWhere-Object {($_.DisplayName -ne $null -and $_DisplayName -ne '' -and $_.DisplayName -notmatch '^KB[000000-999999]') -and\n\t($_.SystemComponent -eq $null -or ($_.SystemComponent -ne $null -and $_.SystemComponent -eq '0')) -and\n\t($_.ParentKeyName -eq $null) -and\n\t($_.WindowsInstaller -eq $null -or ($_.WindowsInstaller -eq '0') -or ($_.WindowsInstaller -eq 1 -and $products -contains (Convert-GuidToCompressedGuid $_.PSChildName))) -and\n\t($_.ReleaseType -eq $null -or ($_.ReleaseType -ne $null -and\n\t\t$_.ReleaseType -ne 'Security Update' -and\n\t\t$_.ReleaseType -ne 'Update Rollup' -and\n\t\t$_.ReleaseType -ne 'Hotfix'))\n} |\nSelect-Object @{n=\"Name\";e={$_.\"DisplayName\"}},\n\t@{n=\"PackageId\";e={$_.\"PSChildName\"}}, @{n=\"Version\";e={$_.\"DisplayVersion\"}}, Publisher,\n\t@{n=\"InstalledTime\";e={[datetime]::ParseExact($_.\"InstallDate\",\"yyyyMMdd\",$null).ToUniversalTime().ToString(\"yyyy-MM-ddTHH:mm:ssZ\")}} | % { [Console]::WriteLine(@\"\n{\"Name\":\"$(Clean-Quotes-Backslash $_.Name)\",\"PackageId\":\"$($_.PackageId)\",\"Version\":\"$(Clean-Quotes-Backslash $_.Version)\",\"Publisher\":\"$(Clean-Quotes-Backslash 
$_.Publisher)\",\"InstalledTime\":\"$($_.InstalledTime)\"},\n\"@)} \n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", "HostId": "00654153-46ad-42bf-ad06-3bfce5c65b55", "param1": "Function", "HostName": "ConsoleHost", "HostVersion": "5.1.20348.2227", "param2": "Started" }, "api": "wineventlog", "provider_name": "PowerShell", "opcode": "Info" }, "log": { "level": "information" }, "elastic_agent": { "id": "36149601-f28f-469f-90ac-228e41049d51", "version": "8.13.0", "snapshot": false }, "message": "Provider \"Function\" is Started. \n\nDetails: \n\tProviderName=Function\n\tNewProviderState=Started\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.20348.2227\n\tHostId=00654153-46ad-42bf-ad06-3bfce5c65b55\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe function Convert-GuidToCompressedGuid {\n\t\t\t\t\t\t[CmdletBinding()]\n\t\t\t\t\t\t[OutputType('System.String')]\n\t\t\t\t\t\tparam (\n\t\t\t\t\t\t\t[Parameter(ValueFromPipeline=\"\", ValueFromPipelineByPropertyName=\"\", Mandatory=$true)]\n\t\t\t\t\t\t\t[string]$Guid\n\t\t\t\t\t\t)\n\t\t\t\t\t\tbegin {\n\t\t\t\t\t\t\t$Guid = $Guid.Replace('-', '').Replace('{', '').Replace('}', '')\n\t\t\t\t\t\t}\n\t\t\t\t\t\tprocess {\n\t\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\t\t$Groups = @(\n\t\t\t\t\t\t\t\t\t$Guid.Substring(0, 8).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(8, 4).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(12, 4).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(16, 16).ToCharArray()\n\t\t\t\t\t\t\t\t)\n\t\t\t\t\t\t\t\t$Groups[0..2] | foreach {\n\t\t\t\t\t\t\t\t\t[array]::Reverse($_)\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t$CompressedGuid = ($Groups[0..2] | foreach { $_ -join '' }) -join ''\n\n\t\t\t\t\t\t\t\t$chararr = $Groups[3]\n\t\t\t\t\t\t\t\tfor ($i = 0; $i -lt $chararr.count; $i++) {\n\t\t\t\t\t\t\t\t\tif (($i % 2) -eq 0) {\n\t\t\t\t\t\t\t\t\t\t$CompressedGuid += ($chararr[$i+1] + 
$chararr[$i]) -join ''\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t$CompressedGuid\n\t\t\t\t\t\t\t} catch {\n\t\t\t\t\t\t\t\tWrite-Error $_.Exception.Message\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n function Clean-Quotes-Backslash {\n param ([string]$str)\n if($str.length -ge 2 -and $str.Substring(0,1) -eq '\"' -and $str.Substring($str.length - 1) -eq '\"'){\n $str = $str.Substring(1, $str.length - 2)\n }\n $str = $str.Replace('\\', '\\\\')\n $str = $str.Replace('\"', '\\\"')\n return $str\n }\n\t\t\t\t $products = Get-ItemProperty HKLM:\\Software\\Classes\\Installer\\Products\\* | Select-Object @{n=\"PSChildName\";e={$_.\"PSChildName\"}} |\n\t\t\t\t Select -expand PSChildName\n\n\t\t\t\t \n[Console]::OutputEncoding = [System.Text.Encoding]::UTF8\nGet-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* |\nWhere-Object {($_.DisplayName -ne $null -and $_DisplayName -ne '' -and $_.DisplayName -notmatch '^KB[000000-999999]') -and\n\t($_.SystemComponent -eq $null -or ($_.SystemComponent -ne $null -and $_.SystemComponent -eq '0')) -and\n\t($_.ParentKeyName -eq $null) -and\n\t($_.WindowsInstaller -eq $null -or ($_.WindowsInstaller -eq '0') -or ($_.WindowsInstaller -eq 1 -and $products -contains (Convert-GuidToCompressedGuid $_.PSChildName))) -and\n\t($_.ReleaseType -eq $null -or ($_.ReleaseType -ne $null -and\n\t\t$_.ReleaseType -ne 'Security Update' -and\n\t\t$_.ReleaseType -ne 'Update Rollup' -and\n\t\t$_.ReleaseType -ne 'Hotfix'))\n} |\nSelect-Object @{n=\"Name\";e={$_.\"DisplayName\"}},\n\t@{n=\"PackageId\";e={$_.\"PSChildName\"}}, @{n=\"Version\";e={$_.\"DisplayVersion\"}}, Publisher,\n\t@{n=\"InstalledTime\";e={[datetime]::ParseExact($_.\"InstallDate\",\"yyyyMMdd\",$null).ToUniversalTime().ToString(\"yyyy-MM-ddTHH:mm:ssZ\")}} | % { [Console]::WriteLine(@\"\n{\"Name\":\"$(Clean-Quotes-Backslash $_.Name)\",\"PackageId\":\"$($_.PackageId)\",\"Version\":\"$(Clean-Quotes-Backslash 
$_.Version)\",\"Publisher\":\"$(Clean-Quotes-Backslash $_.Publisher)\",\"InstalledTime\":\"$($_.InstalledTime)\"},\n\"@)} \n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", "error": { "message": [ "field [winlog.event_data.param3] does not contain value_split [=]" ] }, "input": { "type": "winlog" }, "@timestamp": "2024-03-28T19:01:28.331Z", "ecs": { "version": "8.0.0" }, "data_stream": { "namespace": "42a2", "type": "logs", "dataset": "windows.powershell" }, "host": { "hostname": "ec2amaz-o8g96ei", "os": { "build": "20348.2340", "kernel": "10.0.20348.2340 (WinBuild.160101.0800)", "name": "Windows Server 2022 Datacenter", "type": "windows", "family": "windows", "version": "10.0", "platform": "windows" }, "ip": [ "fe80::8b95:9e26:1cd1:b211", "172.31.11.126" ], "name": "ec2amaz-o8g96ei", "id": "94ad70f4-2445-4e21-b989-0d07e78ff143", "mac": [ "02-86-DF-E2-E5-A3" ], "architecture": "x86_64" }, "event": { "agent_id_status": "verified", "ingested": "2024-03-28T19:01:35Z", "code": "600", "provider": "PowerShell", "created": "2024-03-28T19:01:29.046Z", "kind": "pipeline_error", "action": "Provider Lifecycle", "dataset": "windows.powershell" } }This happens with some regularity: