Update of Rare Service Install Detection Rule to use correlation syntax

[Mat0vu]

Hi, as my company is trying to move from sigmac to pysigma for translating our detection rules, I´m currently checking if I get the same output with the new tool. For quite some time, in our environment the following rule was used to check for rare service installs: (https://github.com/SigmaHQ/sigma/blob/master/unsupported/windows/win_system_rare_service_installs.yml)

Because this rule is using the old | syntax for aggregations, it is rejected by pysigma. I suppose this is also the reason why this rule is in the unsupported directory, just like a few other rules using | aggregations.

I did not find any rules in the repository using the new correlation syntax, maybe because correlations are not yet officially and fully supported? However, I´m following the development of pysigma and because converting correlation rules is possible now, I was curious and tried to change this rule following the correlation specification so that pysigma can convert it.

Because this attempt was successful (using Elasticsearch ESQLBackend), I wanted to ask if it is planned that the rules in the unsupported directory will be updated in the future to follow the new specification or if correlations are not yet to be used in the main rule repository.

---

Here is a suggestion for the updated rule using the event_count correlation:

title: Rare Service Installs
id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae
name: rare_service_installs
status: test
description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services
author: Florian Roth (Nextron Systems)
date: 2017/03/08
modified: 2024/05/14
tags:
    - attack.persistence
    - attack.privilege_escalation
    - car.2013-09-005
    - attack.t1543.003
correlation:
    type: event_count
    rules:
        - service_installs
    group-by:
        - ServiceName 
    timespan: 7d
    condition:
        lt: 5
level: low
falsepositives:
    - Software installation
    - Software updates
---
title: Service Installations
id: 1b4db7eb-4057-5ddf-91e0-36dec72071f5
name: service_installs
status: test
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    condition: selection
level: informational

[github-actions[bot]]

Welcome @Mat0vu :wave:

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! :smiley:

[nasbench]

Hey @Mat0vu thanks for reaching out. You are correct in your assumptions. While correlations were recently added to PySigma we still haven't announced the V2 spec (which include correlationà.

We are now in the process of adding a folder to allow for the submitting of correlation rules and as you guessed old rules in the supported using the old pipe notation will also be converted to use the new format.

Thanks for your understanding.

Will take your rule suggestion as input when the new folder is added.

[frack113]

HI, I have try as a POC on https://github.com/frack113/MetaRuleBazar No test , No review only the curiosity : is it hard to convert old rules ?

[Mat0vu]

Hi @frack113, that´s a great resource, thanks for the link! Looks like you´ve already converted most the currently unsupported rules 👍