Thank you for your responsiveness in the past. I've got another Sigma rule issue which seems problematic. I would appreciate your help on whether this is a bug in the software or if the rule is not written correctly. When parsing this rule in the following way:
```yaml
action: global
title: MAL_Thanos_Ransomware
description: Unique vssadmin and taskill commands run by Thanos
references:
    - https://www.recordedfuture.com/thanos-ransomware-builder/
    - 3568d4e423ae368b9e7540f70106a69231fa0771fc2693f8aae572d88a7b0577
    - 75eac37f0619ed3f563a4e5abd1ece1acdf161b2931c20398e1a056ec5df4d27
    - 86ed000fa2dd99f2b2341da607c904c0b510f98ead65be12b358e3f73e624cb6
    - 8e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393
    - a8f17141892313d0a0345ea6d44389990e8107417ce1fac811ee9d794c188ca8
    - dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56
author: CMCLAUGHLIN, Insikt Group, Recorded Future
date: 2021/02/10
level: critical
tags:
    - attack.t1490
    - attack.t1562
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
condition: 1 of them
---
id: 56e5e01a-66e3-4e3c-a80a-403dd7e9fa03
truepositives:
    - 86ed000fa2dd99f2b2341da607c904c0b510f98ead65be12b358e3f73e624cb6_370110
    - 3568d4e423ae368b9e7540f70106a69231fa0771fc2693f8aae572d88a7b0577_379196
detection:
    selection_1:
        Image: '*vssadmin.exe*'
    selection_2:
        CommandLine: "*resize*"
    selection_3:
        CommandLine: "*/maxsize=unbounded*"
    selection_4:
        CommandLine:
            - "*/for=f*"
            - "*/for=g*"
            - "*/for=h*"
    condition: selection_1 and selection_2 and selection_3 and selection_4
falsepositives:
    - Other Ransomware
---
id: f9703e96-e3fe-41a4-b328-a7472a4989ad
truepositives:
    - 86ed000fa2dd99f2b2341da607c904c0b510f98ead65be12b358e3f73e624cb6_370110
    - 3568d4e423ae368b9e7540f70106a69231fa0771fc2693f8aae572d88a7b0577_379196
detection:
    selection_1:
        Image: '*vssadmin.exe*'
    selection_2:
        CommandLine: "*Delete Shadows /all /quiet*"
    condition: selection_1 and selection_2
falsepositives:
    - Other Ransomware
---
id: 98f2e42e-53de-47f1-a6e4-307d81097e42
truepositives:
    - a8f17141892313d0a0345ea6d44389990e8107417ce1fac811ee9d794c188ca8_379200
    - 3568d4e423ae368b9e7540f70106a69231fa0771fc2693f8aae572d88a7b0577_379196
    - 75eac37f0619ed3f563a4e5abd1ece1acdf161b2931c20398e1a056ec5df4d27_376448
    - 86ed000fa2dd99f2b2341da607c904c0b510f98ead65be12b358e3f73e624cb6_370110
    - 8e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393_370108
    - dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56_370109
detection:
    selection_1:
        Image: '*taskkill*'
    selection_2:
        CommandLine:
            - "*mspub.exe*"
            - "*CNTAoSMgr.exe*"
            - "*zoolz.exe*"
    condition: selection_1 and selection_2
falsepositives:
    - Other Ransomware
```
The result I get is the following:

```
['Image="*vssadmin.exe*" CommandLine="*resize*" CommandLine="*/maxsize=unbounded*" (CommandLine IN ("*/for=f*", "*/for=g*", "*/for=h*"))',
 'Image="*vssadmin.exe*" CommandLine="*Delete Shadows /all /quiet*"',
 'Image="*taskkill*" (CommandLine IN ("*mspub.exe*", "*CNTAoSMgr.exe*", "*zoolz.exe*"))']
```
Since the rule says it's `1 of them` as a condition, I would have expected that when converting the rule you would have OR delimiters between the different rule sections.
The global rule is only a set of attributes that are propagated into the subsequent rules and where they can also be overridden, as it happens with the condition in your example.
The condition always refers to the definitions in the same detection section of a Sigma rule.
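To make the two points above concrete, here is an added Python illustration written for this thread (it is not pySigma's code) of how an `action: global` document is expanded into independent rules and why each rule's condition only sees its own detection section. The three documents are rebuilt as Python dicts from the rule posted above with the metadata trimmed; the process_creation event is constructed, not taken from the referenced samples.

```python
import copy
from fnmatch import fnmatch
# Constructed stand-ins for the three YAML documents posted above (metadata trimmed, ids and
# selections as posted); the global document's top-level `condition` stays where the post has it.
GLOBAL_DOC = {"action": "global", "title": "MAL_Thanos_Ransomware", "level": "critical",
              "logsource": {"category": "process_creation", "product": "windows"}, "condition": "1 of them"}
RULE_DOCS = [
    {"id": "56e5e01a-66e3-4e3c-a80a-403dd7e9fa03", "detection": {
        "selection_1": {"Image": "*vssadmin.exe*"},
        "selection_2": {"CommandLine": "*resize*"},
        "selection_3": {"CommandLine": "*/maxsize=unbounded*"},
        "selection_4": {"CommandLine": ["*/for=f*", "*/for=g*", "*/for=h*"]},
        "condition": "selection_1 and selection_2 and selection_3 and selection_4"}},
    {"id": "f9703e96-e3fe-41a4-b328-a7472a4989ad", "detection": {
        "selection_1": {"Image": "*vssadmin.exe*"},
        "selection_2": {"CommandLine": "*Delete Shadows /all /quiet*"},
        "condition": "selection_1 and selection_2"}},
    {"id": "98f2e42e-53de-47f1-a6e4-307d81097e42", "detection": {
        "selection_1": {"Image": "*taskkill*"},
        "selection_2": {"CommandLine": ["*mspub.exe*", "*CNTAoSMgr.exe*", "*zoolz.exe*"]},
        "condition": "selection_1 and selection_2"}},
]
# Constructed process_creation event; not taken from the samples the rule references.
EVENT_RESIZE_G = {"Image": r"C:\Windows\System32\vssadmin.exe",
                  "CommandLine": "vssadmin.exe resize shadowstorage /for=g: /on=g: /maxsize=unbounded"}

def expand_global(docs):
    # Propagate the attributes of an `action: global` document into each later document;
    # a key the later document sets itself overrides the inherited value.
    shared, rules = {}, []
    for doc in docs:
        if doc.get("action") == "global":
            shared = {k: v for k, v in doc.items() if k != "action"}
        else:
            rules.append({**copy.deepcopy(shared), **doc})
    return rules

def selection_matches(sel, event):
    # Every field of the selection must match; a list of values for one field is an OR.
    return all(any(fnmatch(str(event.get(field, "")).lower(), str(v).lower())
                   for v in (vals if isinstance(vals, list) else [vals]))
               for field, vals in sel.items())

def rule_matches(rule, event):
    # Scoped to this rule's own detection section; the inherited top-level `condition` is never read.
    hits = {n: selection_matches(s, event) for n, s in rule["detection"].items() if n != "condition"}
    cond = rule["detection"]["condition"]
    return any(hits.values()) if cond == "1 of them" else all(hits[n] for n in cond.split(" and "))

def fired(rules, event):
    return [r["id"] for r in rules if rule_matches(r, event)]
```

Running `fired(expand_global([GLOBAL_DOC] + RULE_DOCS), EVENT_RESIZE_G)` returns only the first rule id: the three expanded rules keep their own `and` conditions, and the global `1 of them` never ORs them together.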