SigmaHQ / pySigma-backend-splunk

pySigma Splunk backend
GNU Lesser General Public License v2.1

Multiple sub-rules, detecting only one of them. #10

Closed jonathan-s closed 1 year ago

jonathan-s commented 1 year ago

Thank you for your responsiveness in the past.

I've got another sigma rule issue which seems problematic. I would appreciate your help on whether this is a bug in the software or if the rule is not written correctly.

    action: global
    title: MAL_Thanos_Ransomware
    description: Unique vssadmin and taskkill commands run by Thanos
    references:
        - https://www.recordedfuture.com/thanos-ransomware-builder/
        - 3568d4e423ae368b9e7540f70106a69231fa0771fc2693f8aae572d88a7b0577
        - 75eac37f0619ed3f563a4e5abd1ece1acdf161b2931c20398e1a056ec5df4d27
        - 86ed000fa2dd99f2b2341da607c904c0b510f98ead65be12b358e3f73e624cb6
        - 8e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393
        - a8f17141892313d0a0345ea6d44389990e8107417ce1fac811ee9d794c188ca8
        - dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56
    author: CMCLAUGHLIN, Insikt Group, Recorded Future
    date: 2021/02/10
    level: critical
    tags:
        - attack.t1490
        - attack.t1562
        - attack.t1562.001
    logsource:
        category: process_creation
        product: windows
    condition: 1 of them

    ---
    id: 56e5e01a-66e3-4e3c-a80a-403dd7e9fa03
    truepositives:
        - 86ed000fa2dd99f2b2341da607c904c0b510f98ead65be12b358e3f73e624cb6_370110
        - 3568d4e423ae368b9e7540f70106a69231fa0771fc2693f8aae572d88a7b0577_379196
    detection:
        selection_1:
            Image: '*vssadmin.exe*'
        selection_2:
            CommandLine: "*resize*"
        selection_3:
            CommandLine: "*/maxsize=unbounded*"
        selection_4:
            CommandLine:
              - "*/for=f*"
              - "*/for=g*"
              - "*/for=h*"
        condition: selection_1 and selection_2 and selection_3 and selection_4
    falsepositives:
        - Other Ransomware

    ---
    id: f9703e96-e3fe-41a4-b328-a7472a4989ad
    truepositives:
        - 86ed000fa2dd99f2b2341da607c904c0b510f98ead65be12b358e3f73e624cb6_370110
        - 3568d4e423ae368b9e7540f70106a69231fa0771fc2693f8aae572d88a7b0577_379196
    detection:
        selection_1:
            Image: '*vssadmin.exe*'
        selection_2:
            CommandLine: "*Delete Shadows /all /quiet*"
        condition: selection_1 and selection_2
    falsepositives:
        - Other Ransomware

    ---
    id: 98f2e42e-53de-47f1-a6e4-307d81097e42
    truepositives:
        - a8f17141892313d0a0345ea6d44389990e8107417ce1fac811ee9d794c188ca8_379200
        - 3568d4e423ae368b9e7540f70106a69231fa0771fc2693f8aae572d88a7b0577_379196
        - 75eac37f0619ed3f563a4e5abd1ece1acdf161b2931c20398e1a056ec5df4d27_376448
        - 86ed000fa2dd99f2b2341da607c904c0b510f98ead65be12b358e3f73e624cb6_370110
        - 8e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393_370108
        - dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56_370109
    detection:
        selection_1:
            Image: '*taskkill*'
        selection_2:
            CommandLine:
              - "*mspub.exe*"
              - "*CNTAoSMgr.exe*"
              - "*zoolz.exe*"
        condition: selection_1 and selection_2
    falsepositives:
        - Other Ransomware

When parsing this rule in the following way:

    from sigma.collection import SigmaCollection
    from sigma.backends.splunk import SplunkBackend

    # `detection` holds the YAML rule collection above as a string
    rules = SigmaCollection.from_yaml(detection)
    backend = SplunkBackend()
    converted = backend.convert(rules)

The result I get is the following:

    ['Image="*vssadmin.exe*" CommandLine="*resize*" CommandLine="*/maxsize=unbounded*" (CommandLine IN ("*/for=f*", "*/for=g*", "*/for=h*"))', 'Image="*vssadmin.exe*" CommandLine="*Delete Shadows /all /quiet*"', 'Image="*taskkill*" (CommandLine IN ("*mspub.exe*", "*CNTAoSMgr.exe*", "*zoolz.exe*"))']

Since the rule says `1 of them` as a condition, I would have expected that when converting the rule you would have OR delimiters between the different rule sections.
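
An added illustration, not pySigma's own code and not part of the thread: a stdlib-only model of how a Sigma collection with `action: global` expands, built from a trimmed, constructed copy of the rule above (ids and field values come from the posted rule; the merge semantics are an assumption taken from the Sigma specification's description of global documents, not from pySigma's implementation). It yields three independent rules, each keeping its own `detection.condition`, while the global `condition: 1 of them` lands as a top-level key rather than inside `detection`; `or_join` shows how the three backend queries could be combined into a single search if one alert is wanted.

```python
from copy import deepcopy

def deep_merge(base, override):
    """Return base updated by override: nested dicts merge, other values are replaced."""
    merged = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = deepcopy(value)
    return merged

def expand_collection(documents):
    """Model of Sigma `action: global` handling (assumption: spec semantics, not pySigma's code).
    Global documents accumulate into a template merged into every later document;
    every non-global document becomes one independent rule."""
    template, rules = {}, []
    for doc in documents:
        body = {k: v for k, v in doc.items() if k != "action"}
        if doc.get("action") == "global":
            template = deep_merge(template, body)
        else:
            rules.append(deep_merge(template, body))
    return rules

# Constructed documents mirroring the shape of the posted rule (trimmed to what matters).
GLOBAL = {"action": "global", "title": "MAL_Thanos_Ransomware",
          "logsource": {"category": "process_creation", "product": "windows"},
          "condition": "1 of them"}  # note: top level, not inside `detection`
VSS_RESIZE = {"id": "56e5e01a-66e3-4e3c-a80a-403dd7e9fa03",
              "detection": {"selection_1": {"Image": "*vssadmin.exe*"},
                            "selection_2": {"CommandLine": "*resize*"},
                            "condition": "selection_1 and selection_2"}}
VSS_DELETE = {"id": "f9703e96-e3fe-41a4-b328-a7472a4989ad",
              "detection": {"selection_1": {"Image": "*vssadmin.exe*"},
                            "selection_2": {"CommandLine": "*Delete Shadows /all /quiet*"},
                            "condition": "selection_1 and selection_2"}}
TASKKILL = {"id": "98f2e42e-53de-47f1-a6e4-307d81097e42",
            "detection": {"selection_1": {"Image": "*taskkill*"},
                          "selection_2": {"CommandLine": ["*mspub.exe*", "*CNTAoSMgr.exe*"]},
                          "condition": "selection_1 and selection_2"}}

def expanded_thanos_rules():
    """Expand the constructed collection: three rules, each carrying its own detection."""
    return expand_collection([GLOBAL, VSS_RESIZE, VSS_DELETE, TASKKILL])

def or_join(queries):
    """Combine per-rule Splunk searches into one search that matches when any rule matches."""
    return " OR ".join(f"({q})" for q in queries)
```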

thomaspatzke commented 1 year ago

I think there are two misunderstandings: