There appears to be a bug when trying to convert certain rules with multiple numeric values (SigmaNumber objects), as is seen in over two dozen Windows security rules. Example rules from SigmaHQ include:
Here's the traceback from running the CLI converter:
$ sigma convert -t kusto win_security_aadhealth_mon_agent_regkey_access.yml
Parsing Sigma rules [####################################] 100%
Traceback (most recent call last):
  File "/venv/bin/sigma", line 8, in <module>
    sys.exit(main())
  File "/venv/lib/python3.10/site-packages/sigma/cli/main.py", line 81, in main
    cli()
  File "/venv/lib/python3.10/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
  File "/venv/lib/python3.10/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
  File "/venv/lib/python3.10/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/venv/lib/python3.10/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/venv/lib/python3.10/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
  File "/venv/lib/python3.10/site-packages/sigma/cli/convert.py", line 287, in convert
    result = backend.convert(rule_collection, format, correlation_method)
  File "/venv/lib/python3.10/site-packages/sigma/conversion/base.py", line 164, in convert
    queries = [
  File "/venv/lib/python3.10/site-packages/sigma/conversion/base.py", line 168, in <listcomp>
    self.convert_rule(rule, output_format or self.default_format)
  File "/venv/lib/python3.10/site-packages/sigma/conversion/base.py", line 197, in convert_rule
    queries = [
  File "/venv/lib/python3.10/site-packages/sigma/conversion/base.py", line 198, in <listcomp>
    self.convert_condition(cond.parsed, states[index])
  File "/venv/lib/python3.10/site-packages/sigma/conversion/base.py", line 515, in convert_condition
    return self.convert_condition_and(cond, state)
  File "/venv/lib/python3.10/site-packages/sigma/conversion/base.py", line 1146, in convert_condition_and
    return joiner.join(
  File "/venv/lib/python3.10/site-packages/sigma/conversion/base.py", line 1147, in <genexpr>
    (
  File "/venv/lib/python3.10/site-packages/sigma/conversion/base.py", line 1153, in <genexpr>
    else self.convert_condition_group(arg, state)
  File "/venv/lib/python3.10/site-packages/sigma/conversion/base.py", line 1079, in convert_condition_group
    expr = self.convert_condition(cond, state)
  File "/venv/lib/python3.10/site-packages/sigma/conversion/base.py", line 515, in convert_condition
    return self.convert_condition_and(cond, state)
  File "/venv/lib/python3.10/site-packages/sigma/conversion/base.py", line 1146, in convert_condition_and
    return joiner.join(
  File "/venv/lib/python3.10/site-packages/sigma/conversion/base.py", line 1147, in <genexpr>
    (
  File "/venv/lib/python3.10/site-packages/sigma/conversion/base.py", line 1153, in <genexpr>
    else self.convert_condition_group(arg, state)
  File "/venv/lib/python3.10/site-packages/sigma/conversion/base.py", line 1079, in convert_condition_group
    expr = self.convert_condition(cond, state)
  File "/venv/lib/python3.10/site-packages/sigma/conversion/base.py", line 508, in convert_condition
    return self.convert_condition_as_in_expression(cond, state)
  File "/venv/lib/python3.10/site-packages/sigma/backends/kusto/kusto.py", line 179, in convert_condition_as_in_expression
    [
  File "/venv/lib/python3.10/site-packages/sigma/backends/kusto/kusto.py", line 180, in <listcomp>
    self.convert_value_str(arg.value, state)
  File "/venv/lib/python3.10/site-packages/sigma/backends/kusto/kusto.py", line 236, in convert_value_str
    converted = super().convert_value_str(s, state)
  File "/venv/lib/python3.10/site-packages/sigma/conversion/base.py", line 1262, in convert_value_str
    converted = s.convert(
AttributeError: 'SigmaNumber' object has no attribute 'convert' (while converting rule /repos/sigma/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml)
I also noticed the same behavior in ETW Logging Disabled In .NET Processes - Sysmon Registry, which, from what I can tell, would be caused by the Details statement in the detection, due to the mix of numeric and non-numeric values (best guess).
Details:
  - 0 # For REG_SZ type
  - 'DWORD (0x00000000)'
I really appreciate your efforts on this much-needed Sigma backend! If interested, here's the full list of rule IDs from SigmaHQ:
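The failure mode in the traceback, as an added example that is not pySigma's or the Kusto backend's own code: a detection list that mixes a number with a string reaches an "in" expression builder that assumes every value is a string and calls convert() on it. The SigmaString and SigmaNumber classes below are simplified stand-ins I constructed so the script runs without pySigma installed; they model only the distinction the issue turns on (strings have convert(), numbers do not) and are not the real pySigma types. The function names in_expression_buggy, render_value and in_expression_fixed are mine as well.

```python
"""
Added example: reproduce the mixed numeric/string 'in' expression failure
and show a type-dispatching renderer that handles both value kinds.
"""
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class SigmaString:
    """Stand-in for a Sigma string value (constructed for this example)."""
    s: str

    def convert(self) -> str:
        # The real SigmaString.convert() also handles wildcards; here we only
        # escape the two characters KQL needs escaped inside a "..." literal.
        return self.s.replace("\\", "\\\\").replace('"', '\\"')


@dataclass(frozen=True)
class SigmaNumber:
    """Stand-in for a Sigma numeric value; deliberately has no convert()."""
    number: Union[int, float]


SigmaValue = Union[SigmaString, SigmaNumber]


def in_expression_buggy(field: str, values: List[SigmaValue]) -> str:
    """Mirrors the reported behaviour: every list value is treated as a string."""
    rendered = [f'"{v.convert()}"' for v in values]  # AttributeError on SigmaNumber
    return f"{field} in ({', '.join(rendered)})"


def render_value(v: SigmaValue) -> str:
    """Dispatch on the value type instead of assuming a string."""
    if isinstance(v, SigmaNumber):
        return str(v.number)            # numbers are emitted unquoted
    if isinstance(v, SigmaString):
        return f'"{v.convert()}"'       # strings are quoted and escaped
    raise TypeError(f"unsupported Sigma value type: {type(v).__name__}")


def in_expression_fixed(field: str, values: List[SigmaValue]) -> str:
    """
    Build a KQL 'in' list that accepts a mix of numbers and strings.
    The values keep their Sigma type: a numeric value becomes a bare literal,
    so a field stored as a string in the target table will only match the
    quoted entries. Whether to coerce numbers to strings for a given log
    source is a backend policy decision; this helper does not make it.
    """
    return f"{field} in ({', '.join(render_value(v) for v in values)})"


def reproduce() -> bool:
    """Return True if the buggy path raises the error seen in the traceback."""
    # Constructed input modelled on the 'Details' list quoted in the issue.
    details = [SigmaNumber(0), SigmaString("DWORD (0x00000000)")]
    try:
        in_expression_buggy("Details", details)
    except AttributeError as err:
        return "'SigmaNumber' object has no attribute 'convert'" in str(err)
    return False


if __name__ == "__main__":
    sample = [SigmaNumber(0), SigmaString("DWORD (0x00000000)")]
    print("buggy path reproduces the error:", reproduce())
    print(in_expression_fixed("Details", sample))
```

Running the script prints that the buggy path reproduces the AttributeError and then the rendered expression `Details in (0, "DWORD (0x00000000)")`. The point of render_value is that a backend's value conversion must branch on the Sigma value type rather than assuming SigmaString, which is exactly where convert_value_str is being handed a SigmaNumber in the traceback above.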
Thanks for reporting this issue and the detailed list of rules that fail! I've been busy with the other SecOps backend, but I can tackle this issue next week.