SigmaHQ / sigma

Main Sigma Rule Repository

Event Action data missing apostrophes #4981

Closed djlukic closed 1 month ago

djlukic commented 1 month ago

Rule UUID

cde0a575-7d3d-4a49-9817-b8004a7bf105

Example EventLog

    RuleId {5B6F0B20-15BF-437D-B5EA-AF499B23FF4A} RuleName @{Microsoft.YourPhone_1.24072.111.0_x648wekyb3d8bbwe?ms-resource://Microsoft.YourPhone/Resources/AppName} Origin 1 ApplicationPath
    ServiceName
    Direction 2 Protocol 256 LocalPorts
    RemotePorts
    Action 2 Profiles 2147483647 LocalAddresses RemoteAddresses RemoteMachineAuthorizationList
    RemoteUserAuthorizationList
    EmbeddedContext @{Microsoft.YourPhone_1.24072.111.0_x64
    8wekyb3d8bbwe?ms-resource://Microsoft.YourPhone/Resources/AppName} Flags 1 Active 1 EdgeTraversal 0 LooseSourceMapped 0 SecurityOptions 0 ModifyingUser S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052 ModifyingApplication C:\Windows\System32\svchost.exe SchemaVersion 542 RuleStatus 65536 LocalOnlyMapped 0 PolicyAppId

Description

Hi,

I was testing this rule and it seems it needs apostrophes around 2, otherwise that condition is not valued.

    filter_main_block:
        Action: 2 # Block

it should be

    filter_main_block:
        Action: '2' # Block

Please correct me if I am wrong as I am still learning Sigma. Thank you!

github-actions[bot] commented 1 month ago

Welcome @djlukic :wave:

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! :smiley:

nasbench commented 1 month ago

Hi @djlukic,

How did you find that it's not evaluated? The Action value is an integer and not a string, so it should be correct. Can you please share more info on your setup?

djlukic commented 1 month ago

Hi. I used a custom tool that was supposed to convert this to a Golang-like script, but the integer was not properly parsed, apparently. Thank you for your guidance.
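To illustrate the typing point from this thread, here is an added example (not code from the Sigma repository or from the issue author's converter): a minimal Sigma-style field matcher run against a constructed, reduced copy of the event above. Windows EventData values arrive as text, while `Action: 2` loads from YAML as an integer, so a converter that compares with raw equality silently never matches; the `sigma_match` function below assumes the comparison semantics a Sigma backend applies (numeric values compared numerically, strings case-insensitively, lists as OR).

```python
# Constructed event, reduced from the EventLog in the issue. Every value is a
# string, which is how EventData fields come out of the Windows Event Log XML.
EVENT = {
    "Direction": "2",
    "Protocol": "256",
    "Action": "2",
    "Profiles": "2147483647",
    "ModifyingApplication": r"C:\Windows\System32\svchost.exe",
}

# The two spellings discussed in the issue, as a YAML loader types them.
FILTER_INT = {"Action": 2}      # Action: 2 # Block   -> Python int
FILTER_STR = {"Action": "2"}    # Action: '2' # Block -> Python str


def naive_match(detection, event):
    """The failure mode: raw equality, so YAML int 2 never equals event str '2'."""
    return all(event.get(field) == value for field, value in detection.items())


def sigma_value_matches(rule_value, event_value):
    """Compare one rule scalar against one event field.

    Assumed backend semantics: a list matches if any element matches (OR);
    numbers are compared numerically regardless of how the event encodes them;
    everything else is compared as a case-insensitive string.
    """
    if isinstance(rule_value, list):
        return any(sigma_value_matches(v, event_value) for v in rule_value)
    if event_value is None:
        return False  # field absent from the event: no match
    # bool is a subclass of int in Python, so handle it before the numeric branch
    if isinstance(rule_value, bool) or rule_value is None:
        return str(rule_value).lower() == str(event_value).lower()
    if isinstance(rule_value, (int, float)):
        try:
            return float(event_value) == float(rule_value)
        except (TypeError, ValueError):
            return False  # event holds non-numeric text, e.g. "Block"
    return str(rule_value).lower() == str(event_value).lower()


def sigma_match(detection, event):
    """A Sigma detection map is an AND over its fields."""
    return all(sigma_value_matches(v, event.get(f)) for f, v in detection.items())


if __name__ == "__main__":
    print("naive  int:", naive_match(FILTER_INT, EVENT), " str:", naive_match(FILTER_STR, EVENT))
    print("sigma  int:", sigma_match(FILTER_INT, EVENT), " str:", sigma_match(FILTER_STR, EVENT))
```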

nasbench commented 1 month ago

Hi. I used a custom tool that was supposed to convert this to a Golang-like script, but the integer was not properly parsed, apparently. Thank you for your guidance.

So is this an issue on your side? Or how do we proceed?

djlukic commented 1 month ago

Yes, issue was on my side.