SigmaHQ / pySigma-backend-splunk

pySigma Splunk backend
GNU Lesser General Public License v2.1
32 stars 19 forks

Converting rules gives wrong results #8

Closed jonathan-s closed 1 year ago

jonathan-s commented 1 year ago

I've got the following rule.

    title: MAL_TChopper
    id: 75d1edae-f883-484e-81a9-3d0678017c2f
    description: Detects lateral movement using TChopper.
    references:
        - https://app.recordedfuture.com/live/sc/72Y3BeWvp1BO
        - https://twitter.com/zux0x3a/status/1403282239169957893
        - https://github.com/lawrenceamer/TChopper
        - http://0xsp.com/security%20research%20&%20development%20(SRD)/smuggling-via-windows-services-display-name-lateral-movement
    status: stable
    author: CNANCE, Insikt Group, Recorded Future
    date: 2021/06/16
    level: high
    tags:
        - attack.t1027 # Obfuscated Files or Information
        - attack.t1543.003 # Create or Modify System Process: Windows Service
        - attack.t1036.004 # Masquerading: Masquerade Task or Service
        - attack.t1047 # Windows Management Instrumentation
    logsource:
        category: process_creation
        product: windows
    detection:
        decoder:
            CommandLine:
                - 'c:\windows\system32\cmd.exe /c certutil -decode -f tmp_payload.txt payload.exe & payload.exe'
                - 'c:\windows\system32\cmd.exe /c certutil -decode -f tmp_payload.txt payload.exe & payload.exe"'
                - 'c:\windows\system32\cmd.exe /c certutil -decode -f c:\Users\Public\chop.enc c:\Users\Public\chopper.exe & c:\Users\Public\chopper.exe'
        get_svc_1:
            CommandLine|all:
                - 'c:\windows\system32\cmd.exe /c powershell -command "Get-Service "*'
                - '*" | select -Expand DisplayName |out-file -append tmp_payload.txt"'
        get_svc_2:
            CommandLine|all:
                - 'c:\windows\system32\cmd.exe /c powershell.exe -command "*'
                - '* |out-file -append c:\Users\Public\chop.enc"'
        condition: decoder or (1 of get_svc*)
    falsepositives:
        - Unlikely

When I run the following code.

from sigma.collection import SigmaCollection
from sigma.backends.splunk import SplunkBackend

# detection is a string holding the rule YAML shown above
rules = SigmaCollection.from_yaml(detection)
backend = SplunkBackend()
converted = backend.convert(rules)  # list with one Splunk query string per rule

I get this result.

['CommandLine IN ("c:\\\\windows\\\\system32\\\\cmd.exe /c certutil -decode -f tmp_payload.txt payload.exe & payload.exe", "c:\\\\windows\\\\system32\\\\cmd.exe /c certutil -decode -f tmp_payload.txt payload.exe & payload.exe\\"", "c:\\\\windows\\\\system32\\\\cmd.exe /c certutil -decode -f c:\\\\Users\\\\Public\\\\chop.enc c:\\\\Users\\\\Public\\\\chopper.exe & c:\\\\Users\\\\Public\\\\chopper.exe") OR CommandLine="c:\\\\windows\\\\system32\\\\cmd.exe /c powershell -command \\"Get-Service \\"*" CommandLine="*\\" | select -Expand DisplayName |out-file -append tmp_payload.txt\\"" OR CommandLine="c:\\\\windows\\\\system32\\\\cmd.exe /c powershell.exe -command \\"*" CommandLine="* |out-file -append c:\\\\Users\\\\Public\\\\chop.enc\\""']

I'm expecting

['CommandLine IN ("c:\\\\windows\\\\system32\\\\cmd.exe /c certutil -decode -f tmp_payload.txt payload.exe & payload.exe", "c:\\\\windows\\\\system32\\\\cmd.exe /c certutil -decode -f tmp_payload.txt payload.exe & payload.exe\\"", "c:\\\\windows\\\\system32\\\\cmd.exe /c certutil -decode -f c:\\\\Users\\\\Public\\\\chop.enc c:\\\\Users\\\\Public\\\\chopper.exe & c:\\\\Users\\\\Public\\\\chopper.exe")

# this is where it starts to differ, note the addition of parenthesis. 
OR (CommandLine="c:\\\\windows\\\\system32\\\\cmd.exe /c powershell -command \\"Get-Service \\"*" 
CommandLine="*\\" | select -Expand DisplayName |out-file -append tmp_payload.txt\\"") 
OR (CommandLine="c:\\\\windows\\\\system32\\\\cmd.exe /c powershell.exe -command \\"*" CommandLine="* |out-file -append c:\\\\Users\\\\Public\\\\chop.enc\\"")']

jonathan-s commented 1 year ago

It seems like this issue is resolved by adding parenthesize = True for the SplunkBackend.

thomaspatzke commented 1 year ago

Hi! Thanks for reporting this! The root cause is that the current Splunk backend doesn't define an operator precedence and inherits the default precedence from TextQueryBackendBase, which is NOT, AND, OR, while Splunk has the different precedence NOT, OR, AND for the search command. Further, there doesn't seem to be a proper test to catch this.

I fix this by adding the precedence and a stripped-down version of your rule as a test case. Setting parenthesize to True will generate lots of parentheses and is only meant for target query languages that don't have a strict ordered precedence, like Lucene.
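To make the precedence mismatch concrete, here is an added illustration (not pySigma's or the Splunk backend's own code) that renders the reported rule's condition shape with a toy precedence-aware emitter: the node classes, the shortened wildcard command lines and the function names are constructed for this example, while the two precedence orders are the ones named in the comment above.

```python
from dataclasses import dataclass
from typing import Tuple

@dataclass
class Node:
    """Tiny stand-in for a pySigma condition tree (hypothetical, not pySigma's own classes).
    op is "leaf", "not", "and" or "or"; a leaf keeps its rendered query text in args[0]."""
    op: str
    args: Tuple

def leaf(text: str) -> Node:
    return Node("leaf", (text,))

# Precedence tuples, tightest-binding first, in the spirit of pySigma's
# TextQueryBackendBase.precedence (orders taken from the maintainer's comment above).
DEFAULT_PRECEDENCE = ("not", "and", "or")  # inherited default: NOT, AND, OR
SPLUNK_PRECEDENCE = ("not", "or", "and")   # Splunk search command: NOT, OR, AND

def render(node: Node, precedence: Tuple[str, ...], parent=None) -> str:
    """Emit a Splunk-style query, parenthesizing a sub-expression only when it
    binds weaker than the expression containing it under the given precedence."""
    if node.op == "leaf":
        return node.args[0]
    if node.op == "not":
        return "NOT " + render(node.args[0], precedence, node)
    joiner = " " if node.op == "and" else " OR "  # Splunk's AND is the implicit space
    text = joiner.join(render(a, precedence, node) for a in node.args)
    if parent is not None and precedence.index(node.op) > precedence.index(parent.op):
        text = "(" + text + ")"
    return text

# Shape of the reported rule's condition 'decoder or (1 of get_svc*)', with the
# command lines shortened to constructed wildcard stand-ins so the output stays readable.
DECODER = leaf('CommandLine IN ("*certutil -decode*payload.exe", "*certutil -decode*chopper.exe")')
GET_SVC_1 = Node("and", (leaf('CommandLine="*Get-Service *"'),
                         leaf('CommandLine="*out-file -append tmp_payload.txt*"')))
GET_SVC_2 = Node("and", (leaf('CommandLine="*powershell.exe -command *"'),
                         leaf('CommandLine="*out-file -append *chop.enc*"')))
CONDITION = Node("or", (DECODER, GET_SVC_1, GET_SVC_2))

def buggy_query() -> str:
    # Inherited precedence leaves the AND groups bare; Splunk then reads the text
    # as (decoder OR svc1a) AND (svc1b OR svc2a) AND svc2b, not as the rule intends.
    return render(CONDITION, DEFAULT_PRECEDENCE)

def fixed_query() -> str:
    # Splunk's own precedence wraps each AND group, preserving the rule's logic.
    return render(CONDITION, SPLUNK_PRECEDENCE)
```

Comparing `buggy_query()` with `fixed_query()` reproduces the difference between the reporter's actual and expected output: only the second wraps the two `CommandLine|all` groups in parentheses.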

thomaspatzke commented 1 year ago

Fixed!

thomaspatzke commented 1 year ago

Included in backend release 0.3.6.