SigmaHQ / sigma

Main Sigma Rule Repository

Large amount of sigma rules possibly being incorrectly converted to Carbon Black EEDR format #2176

Closed ghost closed 2 years ago

ghost commented 2 years ago

Hello all,

We noticed that numerous Sigma rules are possibly being translated incorrectly to Carbon Black EDR rules. For example, here is the effect of converting win_apt_dragonfly.yml and win_susp_control_cve_2021_40444.yml using the latest sigmatools package compared to the latest master:

With latest release (sigmatools 0.20 release of Aug 14 2021)

$ sigmac -t carbonblack -c carbon-black-eedr win_apt_dragonfly.yml 
process_name:\\crackmapexec.exe

$ sigmac -t carbonblack -c carbon-black-eedr win_susp_control_cve_2021_40444.yml 
((process_name:\\control.exe AND (parent_name:\\winword.exe OR parent_name:\\powerpnt.exe OR parent_name:\\excel.exe)) AND ( -process_cmdline:"\control.exe input.dll"))

With latest master (2021-10-20 - commit 20e760733a12c2d4612ce36a3fff065035aa2edb)

$ ./sigmac -t carbonblack -c carbon-black-eedr win_apt_dragonfly.yml 
process_name:\[\' AND \\\\crackmapexec.exe\'\]

$ ./sigmac -t carbonblack -c carbon-black-eedr win_susp_control_cve_2021_40444.yml 
((process_name:control.exe AND parent_name:\[\' AND "\\winword.exe', '" AND "\\powerpnt.exe', '" AND \\\\excel.exe\'\]) AND ( -(process_cmdline:"\control.exe input.dll")))

As you can see, the resulting rules from the latest master look a bit unexpected. From what I am used to, I expect the converted queries to look roughly like those generated by the latest stable release (sigmatools 0.20 release of Aug 14 2021). The conversion produced by the latest master appears incorrect to me.

I don't know whether this is expected behavior, or whether it is caused by an issue on our side, or whether this is a parsing bug in the sigma code.

Maybe someone can reproduce this issue? (Unfortunately, on the short-term, I don't have time to look into the issue myself, but I just wanted to share this here.)

Please note that not all rules are converted incorrectly. For example, some random rules that appear to be converted correctly include:

(Sorry for my English)
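The bracket-and-quote fragments in the master output (`\[\'` ... `\'\]`) are the shape you get when a Python list of values is stringified as a whole instead of being expanded element by element. The following is an added example, not sigmac's backend code, showing a toy Sigma-to-Carbon-Black converter that expands list values correctly, the faulty variant beside it, and a regression check that flags a leaked list literal. The field mapping, escaping rules, condition grammar and both sample detections are assumptions modelled on the queries quoted above.

```python
"""Toy Sigma -> Carbon Black (EEDR-style) converter with a regression check
for the list-expansion failure described in the issue.  Added example, not
sigmac's backend.  Field names, escaping and sample rules are assumptions
modelled on the queries quoted in the issue."""
import re

# Assumed Sigma -> Carbon Black field mapping (only the fields used here).
FIELD_MAP = {"Image": "process_name", "ParentImage": "parent_name",
             "CommandLine": "process_cmdline"}


def cb_value(value: str) -> str:
    """Render one scalar value: phrases are quoted, bare tokens get their
    backslashes doubled so the query parser keeps them."""
    if re.search(r"\s", value):
        return '"' + value + '"'
    return value.replace("\\", "\\\\")


def cb_term(field: str, value) -> str:
    """Render a Sigma field/value pair.  A list value must become an
    OR-group with one term per element (assumed modifiers endswith/contains
    need no extra syntax for these CB fields)."""
    base = field.split("|")[0]
    cb_field = FIELD_MAP.get(base, base)
    if isinstance(value, list):
        return "(" + " OR ".join(cb_term(field, v) for v in value) + ")"
    return f"{cb_field}:{cb_value(str(value))}"


def cb_term_buggy(field: str, value) -> str:
    """Failure mode: the value is stringified before escaping, so a list
    reaches the query as a Python literal ['...'] instead of an OR-group."""
    base = field.split("|")[0]
    return f"{FIELD_MAP.get(base, base)}:{cb_value(str(value))}"


def cb_selection(selection: dict, term=cb_term) -> str:
    terms = [term(f, v) for f, v in selection.items()]
    return terms[0] if len(terms) == 1 else "(" + " AND ".join(terms) + ")"


def cb_condition(condition: str, detection: dict, term=cb_term) -> str:
    """Tiny recursive-descent parser for conditions such as
    'selection and not filter' (precedence: not > and > or, parens allowed)."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            inner = expr_or()
            pos += 1                      # consume ')'
            return "(" + inner + ")"
        if tok == "not":
            return "( -" + atom() + ")"   # CB negation, as in the issue output
        return cb_selection(detection[tok], term)

    def expr_and():
        nonlocal pos
        parts = [atom()]
        while peek() == "and":
            pos += 1
            parts.append(atom())
        return parts[0] if len(parts) == 1 else "(" + " AND ".join(parts) + ")"

    def expr_or():
        nonlocal pos
        parts = [expr_and()]
        while peek() == "or":
            pos += 1
            parts.append(expr_and())
        return parts[0] if len(parts) == 1 else "(" + " OR ".join(parts) + ")"

    return expr_or()


def convert(rule: dict, term=cb_term) -> str:
    return cb_condition(rule["condition"], rule, term)


# Regression check: a Python list literal (['...'] or its escaped form) leaked
# into the query text.
LIST_REPR = re.compile(r"\\?\[\\?'|'\\?\]")


def looks_like_list_repr(query: str) -> bool:
    return LIST_REPR.search(query) is not None


# Constructed detections modelled on the two rules named in the issue.
DRAGONFLY = {"selection": {"Image|endswith": "\\crackmapexec.exe"},
             "condition": "selection"}
CVE_2021_40444 = {
    "selection": {"Image|endswith": "\\control.exe",
                  "ParentImage|endswith": ["\\winword.exe", "\\powerpnt.exe",
                                           "\\excel.exe"]},
    "filter": {"CommandLine|contains": "\\control.exe input.dll"},
    "condition": "selection and not filter",
}

if __name__ == "__main__":
    for rule in (DRAGONFLY, CVE_2021_40444):
        good, bad = convert(rule), convert(rule, cb_term_buggy)
        print("ok :", good, looks_like_list_repr(good))
        print("bug:", bad, looks_like_list_repr(bad))
```

Running the check over every converted rule in CI is the cheap way to catch this class of regression: a legitimate Carbon Black query never contains `['` or `']`, so any hit means a value list was rendered as a Python object rather than expanded.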

ghost commented 2 years ago

This issue has been fixed by #2219. Closing this issue.