NextronSystems / evtx-baseline

A repository hosting example goodware evtx logs containing sample software installation and basic user interaction
Apache License 2.0
68 stars 7 forks

Possible evtx-sigma-checker Issue #6

Closed cipher067 closed 12 months ago

cipher067 commented 1 year ago

Hello,

I've noticed that evtx-sigma-checker is not reading the value of ProcessId and AccessMask as strings, meanwhile Aurora detects the following example rule as string and works perfectly:

Sigma working with Aurora:

EventID: 4663
ObjectType: 'File'
ObjectServer: 'Security'
ProcessId: '0x4'
AccessMask: '0x1'

Sigma working with evtx-sigma-checker:

EventID: 4663
ObjectType: 'File'
ObjectServer: 'Security'
ProcessId: 0x4
AccessMask: 0x1

It could be an issue from my end or from the compiled evtx-sigma-checker

thanks in advance

secDre4mer commented 1 year ago

Hi,

This sounds interesting. Maybe there's a difference in formatting from different sources (ETW versus EVTX files)? Could you send me an EVTX file with the event you described?

cipher067 commented 1 year ago

Access-Password-File-TruePositive.zip

Thanks for your response.

EventID: 4663
ObjectType: 'File'
ObjectServer: 'Security'
ObjectName: 'C:\Windows\SYSVOL\domain\Password\password.txt'
ProcessId: '0x4'
AccessMask: '0x1'

exclude:
SubjectUserName|endswith: '$'
condition:

secDre4mer commented 12 months ago

Thanks for the file! From the EVTX file, I think the "different formatting" hypothesis holds up. The raw event in the evtx-checker looks like:

...
ObjectServer: Security
ObjectType: File
ObjectName: <redacted>
HandleId: 8020
AccessList: %%4416
AccessMask: 1
ProcessId: 4
ProcessName:
ResourceAttributes: S:AI
Provider_Name: Microsoft-Windows-Security-Auditing
...

So access mask and process ID both get formatted as decimal numbers here, not as hex numbers. Probably the formatting information gets lost in the EVTX parser. I'll need to talk to some colleagues about this. This is probably not trivial to fix; but the current evtx-sigma-checker behaviour results in differences between recorded baseline and live behaviour, which is also less than ideal.

secDre4mer commented 12 months ago

Okay, unfortunately, the formatting information isn't available in the EVTX file: it's part of the manifests that describe the events, which are separate and only available on Windows. The evtx-sigma-checker (since it's OS independent) can't use those. I've built a workaround into the checker that essentially "mimics" the formatting for your case that is described by the manifest. However, this is obviously only a solution for this issue, not for this class of issue. If you come across similar issues, please let me know and I'll add more fixes.
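The two comments above describe the root cause (an OS-independent EVTX parser sees `ProcessId: 4`, while the Windows manifest would display `0x4`) and the workaround (mimicking the manifest's formatting for the known fields). The following is an added example, hypothetical code that is not evtx-sigma-checker's own implementation, showing both the manifest-mimicking step and a more general numeric fallback so a rule written either as `'0x4'` or as `4` matches the same event. The set of hex-formatted fields for event 4663, the sample event and the `endswith`-only modifier support are assumptions made for the example; the event is constructed to resemble the raw event quoted in the thread, not the real file.

```python
"""Added example (hypothetical, not evtx-sigma-checker's code): matching a Sigma
selection against an EVTX event whose integer fields lack the hex formatting
that the Windows manifest would apply in Event Viewer."""

# Assumption for this example: the Security manifest renders these event 4663
# fields as 0x-prefixed hex. The manifest itself is not part of the thread.
HEX_FORMATTED_FIELDS = {
    4663: {"AccessMask", "ProcessId", "HandleId"},
}


def render_like_manifest(event_id, field, value):
    """Show an integer the way Event Viewer would, per the (assumed) manifest.

    An OS-independent parser only sees the raw integer (ProcessId: 4); on
    Windows the manifest's formatting turns that into '0x4'.
    """
    if isinstance(value, int) and field in HEX_FORMATTED_FIELDS.get(event_id, ()):
        return f"0x{value:x}"
    return str(value)


def values_equal(rule_value, event_value):
    """Sigma literal vs. event value: case-insensitive string comparison, with
    a numeric fallback so '0x4' and 4 (or '4' and '0x4') still agree."""
    r, e = str(rule_value), str(event_value)
    if r.casefold() == e.casefold():
        return True
    try:
        return int(r, 0) == int(e, 0)   # base 0 accepts both '4' and '0x4'
    except ValueError:                  # non-numeric strings such as '%%4416'
        return False


def field_matches(event, event_id, key, wanted):
    """Evaluate one 'Field' or 'Field|endswith' entry of a selection."""
    name, _, modifier = key.partition("|")
    if name not in event:
        return False
    shown = render_like_manifest(event_id, name, event[name])
    if modifier == "endswith":
        return shown.casefold().endswith(str(wanted).casefold())
    if modifier:
        raise ValueError(f"modifier not handled in this example: {modifier}")
    return values_equal(wanted, shown)


def rule_matches(selection, event, exclude=None):
    """'selection and not exclude', with Sigma's AND-over-fields semantics."""
    event_id = event.get("EventID")
    hit = all(field_matches(event, event_id, k, v) for k, v in selection.items())
    if hit and exclude:
        hit = not all(field_matches(event, event_id, k, v) for k, v in exclude.items())
    return hit


# Constructed sample modelled on the raw event quoted in the thread (not the
# real EVTX file): numeric fields arrive as plain integers from the parser.
SAMPLE_EVENT = {
    "EventID": 4663,
    "ObjectServer": "Security",
    "ObjectType": "File",
    "ObjectName": "C:\\Windows\\SYSVOL\\domain\\Password\\password.txt",
    "HandleId": 8020,
    "AccessList": "%%4416",
    "AccessMask": 1,
    "ProcessId": 4,
    "ProcessName": "",
    "SubjectUserName": "alice",        # constructed; a computer account would end in '$'
}

# The selection from the issue, written in the hex-string style that Aurora accepts.
SAMPLE_SELECTION = {
    "EventID": 4663,
    "ObjectType": "File",
    "ObjectServer": "Security",
    "ProcessId": "0x4",
    "AccessMask": "0x1",
}
SAMPLE_EXCLUDE = {"SubjectUserName|endswith": "$"}

if __name__ == "__main__":
    print(render_like_manifest(4663, "ProcessId", SAMPLE_EVENT["ProcessId"]))
    print(rule_matches(SAMPLE_SELECTION, SAMPLE_EVENT, SAMPLE_EXCLUDE))
```

The manifest-mimicking table is the narrow fix the comment describes and has to be extended field by field; the numeric fallback in `values_equal` covers the whole class of hex-versus-decimal mismatches but would also let `'0x10'` match `16`, which is a looser comparison than Sigma's plain string match, so a checker that adopts it should apply it only to fields known to carry integers.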

cipher067 commented 12 months ago

@secDre4mer Thank you, appreciate your great support!

secDre4mer commented 12 months ago

New release that contains the fix is now available.