SigmaHQ / pySigma-backend-splunk

pySigma Splunk backend
GNU Lesser General Public License v2.1

escape backslashes #1

Closed M3NIX closed 2 years ago

M3NIX commented 2 years ago

At the moment the backend is not escaping backslashes, e.g.

sigma convert -t splunk ./rules/windows/process_creation/proc_creation_win_office_shell.yml

results in

ParentImage="*\WINWORD.EXE" OR ParentImage="*\EXCEL.EXE" OR ParentImage="*\POWERPNT.exe" OR ParentImage="*\MSPUB.exe" OR ParentImage="*\VISIO.exe" OR ParentImage="*\MSACCESS.EXE" OR ParentImage="*\EQNEDT32.EXE") (Image="*\cmd.exe" OR Image="*\powershell.exe" OR Image="*\wscript.exe" OR Image="*\cscript.exe" OR Image="*\sh.exe" OR Image="*\bash.exe" OR Image="*\scrcons.exe" OR Image="*\schtasks.exe" OR Image="*\regsvr32.exe" OR Image="*\hh.exe" OR Image="*\wmic.exe" OR Image="*\mshta.exe" OR Image="*\rundll32.exe" OR Image="*\msiexec.exe" OR Image="*\forfiles.exe" OR Image="*\scriptrunner.exe" OR Image="*\mftrace.exe" OR Image="*\AppVLP.exe" OR Image="*\svchost.exe" OR Image="*\msbuild.exe")

with the change in this PR the new query is:

(ParentImage="*\\WINWORD.EXE" OR ParentImage="*\\EXCEL.EXE" OR ParentImage="*\\POWERPNT.exe" OR ParentImage="*\\MSPUB.exe" OR ParentImage="*\\VISIO.exe" OR ParentImage="*\\MSACCESS.EXE" OR ParentImage="*\\EQNEDT32.EXE") (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\sh.exe" OR Image="*\\bash.exe" OR Image="*\\scrcons.exe" OR Image="*\\schtasks.exe" OR Image="*\\regsvr32.exe" OR Image="*\\hh.exe" OR Image="*\\wmic.exe" OR Image="*\\mshta.exe" OR Image="*\\rundll32.exe" OR Image="*\\msiexec.exe" OR Image="*\\forfiles.exe" OR Image="*\\scriptrunner.exe" OR Image="*\\mftrace.exe" OR Image="*\\AppVLP.exe" OR Image="*\\svchost.exe" OR Image="*\\msbuild.exe")
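As an added illustration of the point of this PR (example code, not part of pySigma-backend-splunk and not the project's own escaping routine): the helper below renders the same `ParentImage`/`Image` groups either raw, reproducing the pre-PR output, or with backslashes doubled, as in the corrected output above. The escape rules it assumes (`\` becomes `\\`, `"` becomes `\"`), the function names and the small parser used to check that escaped literals round-trip are all assumptions of this example; the sample values are constructed to match the rule referenced in the comment.

```python
"""Added example, not code from pySigma-backend-splunk. Shows the difference
between emitting a Windows path value into a Splunk search string raw and
escaping it first. Escape rules assumed here: '\\' -> '\\\\' and '"' -> '\\"'.
"""

# Constructed sample values in the style of the Sigma rule mentioned in the PR
# (a short subset, enough to show the effect of escaping).
PARENT_IMAGES = ["*\\WINWORD.EXE", "*\\EXCEL.EXE", "*\\POWERPNT.exe"]
CHILD_IMAGES = ["*\\cmd.exe", "*\\powershell.exe", "*\\mshta.exe"]


def escape_splunk_string(value: str) -> str:
    """Escape a value for use inside a double-quoted Splunk search string.

    Backslashes are handled first so that the backslash inserted in front of
    a double quote is not doubled a second time.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"')


def field_in(field: str, values, escape: bool = True) -> str:
    """Render (field="v1" OR field="v2" ...).

    escape=False reproduces the behaviour the PR fixes (raw values),
    escape=True produces the corrected output with escaped backslashes.
    """
    render = escape_splunk_string if escape else (lambda v: v)
    return "(" + " OR ".join(f'{field}="{render(v)}"' for v in values) + ")"


def build_query(parents, children, escape: bool = True) -> str:
    """Two OR-groups joined by an implicit AND, mirroring the PR's output."""
    return (field_in("ParentImage", parents, escape)
            + " " + field_in("Image", children, escape))


def parse_quoted_literal(literal: str) -> str:
    """Read a double-quoted literal back under the assumed escape rules.

    This is the inverse of escape_splunk_string (an assumption of this
    example, not a model of Splunk's own parser); it lets us check that an
    escaped value round-trips to the original string.
    """
    if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
        raise ValueError("expected a double-quoted literal")
    body = literal[1:-1]
    out = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in '\\"':
            out.append(body[i + 1])  # escaped backslash or quote
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


if __name__ == "__main__":
    print("before:", build_query(PARENT_IMAGES, CHILD_IMAGES, escape=False))
    print("after: ", build_query(PARENT_IMAGES, CHILD_IMAGES, escape=True))
```

Running the block prints the raw query (single backslashes, as in the pre-PR output) followed by the escaped one (doubled backslashes). The round-trip helper makes the reason for escaping concrete: only the escaped literal reads back to the original path value; the raw form leaves the reader of the literal to guess what a lone backslash before `W` means.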

thomaspatzke commented 2 years ago

Indeed, totally missed this...thanks!