SigmaHQ / pySigma-backend-elasticsearch

pySigma Elasticsearch backend
GNU Lesser General Public License v3.0

Single quote escaping problem in query_string #50

Open foxalfabravo opened 6 months ago

foxalfabravo commented 6 months ago

Converted rule not accepted by elastalert

Pipeline configuration: -t lucene -p sysmon -p ecs_windows

For instance: posh_ps_amsi_null_bits_bypass.yml, the result is

filter:
  - query:
      query_string:
        query: 'powershell.file.script_block_text:(*if\(0\)\{\{\{0\}\}\}'\ \-f\ $\(0\ \-as\ \[char\]\)\ \+* OR *#\<NULL\>*)'

The following rules have the problem (r2024-01-29):

posh_pm_susp_invocation_specific.yml
posh_ps_amsi_null_bits_bypass.yml
posh_ps_import_module_susp_dirs.yml
posh_ps_set_acl_susp_location.yml
posh_ps_set_policies_to_unsecure_level.yml
posh_ps_susp_invocation_specific.yml
posh_ps_user_profile_tampering.yml
proc_creation_win_cmd_redirection_susp_folder.yml
proc_creation_win_curl_download_direct_ip_exec.yml
proc_creation_win_curl_download_direct_ip_susp_extensions.yml
proc_creation_win_curl_download_susp_file_sharing_domains.yml
proc_creation_win_findstr_lnk.yml
proc_creation_win_findstr_recon_everyone.yml
proc_creation_win_hktl_crackmapexec_execution.yml
proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml
proc_creation_win_net_default_accounts_manipulation.yml
proc_creation_win_powershell_amsi_null_bits_bypass.yml
proc_creation_win_powershell_import_module_susp_dirs.yml
proc_creation_win_powershell_invocation_specific.yml
proc_creation_win_powershell_set_acl_susp_location.yml
proc_creation_win_powershell_xor_commandline.yml
proc_creation_win_regsvr32_susp_exec_path_2.yml
proc_creation_win_rundll32_uncommon_dll_extension.yml
proc_creation_win_schtasks_guid_task_name.yml
proc_creation_win_susp_office_token_search.yml
proc_creation_win_susp_privilege_escalation_cli_patterns.yml
proc_creation_win_wget_download_direct_ip.yml
proc_creation_win_wget_download_susp_file_sharing_domains.yml

frack113 commented 6 months ago

Hello, as ' doesn't need to be escaped in Lucene, I tried to update my template

      index: {{ index() }}
      filter:
        - query:
            query_string:
              query: {% if "'" in query%}"{{ query }}"{% else %}'{{ query }}'{% endif %}

sigma convert -t lucene -p sysmon -p ecs_windows rules\windows\powershell\powershell_script\posh_ps_amsi_null_bits_bypass.yml -p elastalert_any_v2.yml
Parsing Sigma rules  [####################################]  100%
name: fa2559c8-1197-471d-9cdd-05a0273d4522
description: Potential AMSI Bypass Script Using NULL Bits
owner: Nasreddine Bencherchali (Nextron Systems)

type: any
priority: 2
alert:
  - debug

index: winlogbeat-*
filter:
  - query:
      query_string:
        query: "powershell.file.script_block_text:(*if\(0\)\{\{\{0\}\}\}'\ \-f\ $\(0\ \-as\ \[char\]\)\ \+* OR *#\<NULL\>*)"

Need to test on an elastalert 😔

frack113 commented 5 months ago

Hi @foxalfabravo, with " the rule fails, so I simply tried this

      filter:
        - query:
            query_string:
              query: {{ query }}

It works. I think it is more an elastalert problem than a backend one, as the output Lucene query is valid. In YAML, double quotes are for escape sequences.
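Added example, not code from the pySigma backend, elastalert or any comment above: a stdlib-only model of the two YAML quoting rules that break here (a bare ' ends a single-quoted scalar early; \( is not a legal escape inside a double-quoted one) and of the single-quoted form with doubled '' that round-trips the query, plus a check for when the unquoted template is safe. The decoders cover only the escapes relevant to this query and plain_scalar_is_safe is a simplified rule; both are assumptions, not a full YAML implementation.

```python
# Added example, not code from pySigma-backend-elasticsearch or elastalert:
# a model of the two YAML quoting rules behind this issue (simplified).
import re

# Lucene query of posh_ps_amsi_null_bits_bypass.yml as shown in the report.
QUERY = (r"powershell.file.script_block_text:(*if\(0\)\{\{\{0\}\}\}'\ \-f\ "
         r"$\(0\ \-as\ \[char\]\)\ \+* OR *#\<NULL\>*)")

# Subset of the escapes YAML accepts in double quotes (real parsers also know
# \a \b \e \x.. \u.... etc.); \( \[ \- \{ are not YAML escapes at all.
DQ_ESCAPES = {"\\": "\\", '"': '"', " ": " ", "/": "/", "n": "\n", "t": "\t"}

def single_quoted(scalar: str) -> str:
    """Decode a YAML single-quoted scalar; '' is its only escape."""
    body = scalar[1:-1].replace("''", "\x00")  # stash escaped pairs
    if "'" in body:  # a lone ' closes the scalar early (the first report)
        raise ValueError("unescaped ' terminates the scalar early")
    return body.replace("\x00", "'")

def double_quoted(scalar: str) -> str:
    """Decode a YAML double-quoted scalar; unknown \\x escapes are errors."""
    out, body, i = [], scalar[1:-1], 0
    while i < len(body):
        if body[i] == "\\":  # escape: the next char must be a known one
            i += 1
            if i == len(body) or body[i] not in DQ_ESCAPES:
                raise ValueError(f"unknown escape \\{body[i:i + 1]}")
            out.append(DQ_ESCAPES[body[i]])
        elif body[i] == '"':
            raise ValueError('unescaped " terminates the scalar early')
        else:
            out.append(body[i])
        i += 1
    return "".join(out)

def yaml_scalar(query: str) -> str:
    """Single-quote with every ' doubled: backslashes stay literal."""
    return "'" + query.replace("'", "''") + "'"

def plain_scalar_is_safe(query: str) -> bool:
    """Unquoted works only while no YAML indicator occurs: ': ' or ' #'
    inside, or a leading indicator such as * & ! [ { ' (simplified rule)."""
    return not (re.search(r":\s|\s#", query) or query[:1] in "*&!|>%@`[]{}#'\",")

def decodes_to(decode, scalar: str, expected: str) -> bool:
    """True when `scalar` parses with `decode` to exactly `expected`."""
    try:
        return decode(scalar) == expected
    except ValueError:
        return False
```

Running the three template variants through decodes_to reproduces the thread: the original '{{ query }}' and the "{{ query }}" variant both fail on this query, the doubled-quote form decodes back to it, and plain_scalar_is_safe(QUERY) explains why the unquoted template happens to work for this rule.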