The existing windash modifier takes into account that many Windows programs accept their arguments provided via / and -.
However, multiple programs including Powershell additionally support – (en dash), — (em dash), and ― (horizontal bar). E.g. see the Powershell Tokenizer that handles all dashes the same way:
Downside:
More search parameters and complexity: Every windash-expanded argument string will result in five (5) search parameters instead of only two (2). This multiplies when more than one argument is processed by windash. See tests/test_modifiers.py
Advantage:
Detection of simple command-line obfuscation relying on hiding command-line arguments.
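To make the expansion and its cost concrete, here is an added stand-alone example (not pySigma's own windash implementation) that expands every argument prefix over the five dash forms named above, so one argument yields 5 variants and two yield 25, together with the inverse normalization a detection pipeline could apply to incoming command lines. The regex, function names and sample command line are assumptions constructed for this example.

```python
import itertools
import re

# Dash-like characters the proposal treats as equivalent argument prefixes:
# slash, hyphen-minus, en dash, em dash, horizontal bar.
WINDASH_VARIANTS = ("/", "-", "\u2013", "\u2014", "\u2015")

# An argument prefix: one dash form at the start of the string or after
# whitespace, followed by a non-space character (a lone dash is left alone).
_PREFIX_RE = re.compile(
    r"(?:(?<=\s)|^)[" + re.escape("".join(WINDASH_VARIANTS)) + r"](?=\S)"
)


def windash_expand(value: str, variants=WINDASH_VARIANTS) -> list[str]:
    """Return every variant of `value` with each argument prefix rewritten
    to each dash form. n prefixed arguments give len(variants) ** n strings,
    which is the search-parameter blow-up described in the proposal."""
    pieces, last = [], 0
    for m in _PREFIX_RE.finditer(value):
        pieces.append(value[last:m.start()])  # text before this prefix
        last = m.end()
    if not pieces:
        return [value]
    tail = value[last:]
    results = []
    for combo in itertools.product(variants, repeat=len(pieces)):
        out = "".join(piece + dash for piece, dash in zip(pieces, combo))
        results.append(out + tail)
    return results


def windash_normalize(cmdline: str) -> str:
    """Collapse every dash form used as an argument prefix to '-' so a
    single canonical pattern matches obfuscated variants."""
    return _PREFIX_RE.sub("-", cmdline)


if __name__ == "__main__":
    # Constructed sample: two prefixed arguments -> 25 search strings.
    for v in windash_expand("-nop -enc"):
        print(repr(v))
    print(windash_normalize("powershell.exe \u2014nop \u2015enc QQBC"))
```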