Started playing around with your awesome pySigma backend yesterday (since I think it's the only one that supports Microsoft 365 Defender) and I noticed at least one bug when it comes to escaping single and double \. You can look and convert these rules (from the Sigma Core++ ruleset) for reference:
proc_creation_win_schtasks_delete_all.yml ---> Issue escaping the \ in "/tn *"
It results in the following KQL query which throws an error:

```kql
DeviceProcessEvents
| where FolderPath endswith "\\schtasks.exe" and (ProcessCommandLine contains " /delete " and ProcessCommandLine contains "/tn \*" and ProcessCommandLine contains " /f")
```
proc_creation_win_cmd_del_greedy_deletion.yml -> Issue escaping the \ under the selection_extensions
There should be an additional \ to properly escape the character.
It results in the following KQL query which throws multiple errors:

```kql
DeviceProcessEvents
| where (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") and (ProcessCommandLine contains "del " or ProcessCommandLine contains "erase ") and (ProcessCommandLine contains "\\\*.au3" or ProcessCommandLine contains "\\\*.dll" or ProcessCommandLine contains "\\\*.exe" or ProcessCommandLine contains "\\\*.js")
```
Basically, there should be 4 \ for each extension since the rule comes with 2 of them already (so it needs to be escaped twice, e.g. \\*.au3).
For some reason I have a feeling that this issue may stem from the parsing of the CommandLine (or the command lines) field since I think when it comes to fields with filenames/filepaths, there are no issues. Unless the Sigma rules are just all properly written for them, who knows!
Python is really not my strong suit (more of a PowerShell kind of guy) so I took a look at the code but could not find anything. I'll take another look and should I find anything before you identify the bug, I'll let you know!
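As an added illustration (my own example, not the backend's code), here is a minimal Sigma-to-KQL converter showing the escaping a KQL `contains` predicate actually needs for the values in the two queries above: Sigma `\\` is a literal backslash and `\*` a literal asterisk, while a KQL string literal only escapes backslash and the quote character and has no `\*` escape. The field name is the one from the generated queries; the Sigma input values and the regex fallback for interior wildcards are assumptions, not something the rules or the backend are known to use.

```python
import re

WILDCARD = object()  # marker for an unescaped '*' in a Sigma value


def parse_sigma_value(value: str) -> list:
    r"""Split a Sigma string into literal characters and WILDCARD markers.
    Sigma escaping: '\\' is a literal backslash, '\*' a literal asterisk,
    an unescaped '*' is a wildcard ('?' single-char wildcards are ignored here)."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value) and value[i + 1] in "\\*?":
            out.append(value[i + 1])  # escaped character becomes a plain literal
            i += 2
        elif ch == "*":
            out.append(WILDCARD)
            i += 1
        else:
            out.append(ch)
            i += 1
    return out


def kql_quote(text: str) -> str:
    r"""Quote text as a KQL double-quoted string literal. Only backslash and the
    quote character are escaped; KQL has no '\*' escape, and 'contains' treats
    '*' as an ordinary character, so a literal asterisk is emitted bare."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def sigma_contains_to_kql(field: str, value: str) -> str:
    """Render `field|contains: value` as a KQL predicate (assumed mapping:
    edge wildcards are implied by 'contains', interior ones use 'matches regex')."""
    parts = parse_sigma_value(value)
    while parts and parts[0] is WILDCARD:
        parts.pop(0)
    while parts and parts[-1] is WILDCARD:
        parts.pop()
    if not any(p is WILDCARD for p in parts):
        return f'{field} contains {kql_quote("".join(parts))}'
    runs, cur = [], ""
    for p in parts:  # split the literal runs around interior wildcards
        if p is WILDCARD:
            runs.append(cur)
            cur = ""
        else:
            cur += p
    runs.append(cur)
    # regex-escape each run, then escape the whole pattern again as a KQL string
    # literal: this is where a single literal backslash ends up as four
    pattern = ".*".join(re.escape(r) for r in runs)
    return f"{field} matches regex {kql_quote(pattern)}"
```

Constructed inputs: `r"/tn \*"` (literal asterisk) yields `ProcessCommandLine contains "/tn *"`, `r"\\\*.au3"` (literal backslash and asterisk) yields `ProcessCommandLine contains "\\*.au3"`, and `r"\\*.au3"` (literal backslash then a wildcard) falls back to `ProcessCommandLine matches regex "\\\\.*\\.au3"`.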