Closed tjgeorgen-zz closed 4 years ago
Not sure if this is a similar/different issue, but our splunk queries are also escaping with too many slashes.

For example, RDP Registry Modification has the following sigma rule:

```yaml
TargetObject|endswith:
  - '\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication'
  - '\CurrentControlSet\Control\Terminal Server\fDenyTSConnections'
```

Which creates the following splunk query:

```
(EventID="13" (TargetObject="*\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\UserAuthentication" OR TargetObject="*\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\fDenyTSConnections")
```

Unfortunately, that Splunk query fails to run, because it has four "\\" instead of three "\\". Should I open a new issue? This seems to be a similar problem with the entire escape character build process.
Same issue, it's backend agnostic. Will fix this.
Many rules that use the `|contains` modifier specify string values that end with backslashes. Rules that have string values ending in a backslash can be found using this query from the project's root directory:

Let's take `rules//windows/process_creation/win_malware_ryuk.yml` as an example:

When converted, the `'C:\users\Public\'` value accidentally escapes the wildcard inserted after the string due to the `|contains` modifier:

As you can see, with `CommandLine="*C:\\users\\Public\*"` instead of ending in a backslash followed by a wildcard, it is escaping the asterisk, resulting in a literal asterisk.

This could be fixed by modifying all of the affected rules by having the string values end with two backslashes, similar to the guidance in https://github.com/Neo23x0/sigma/wiki/Rule-Creation-Guide#backslashes. If it's intended for rules that use `|contains` or `|startswith` to have string values that end in a single backslash, then the transform functions would need to be corrected.
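To make the order-of-operations problem concrete, here is an added illustration (not sigmac's own code) of a minimal Sigma-to-Splunk string escaper. The faulty ordering in `contains_buggy()` is an assumption that reproduces the `*C:\\users\\Public\*` output quoted above; `contains_fixed()` escapes the value before adding the `|contains` wildcards.

```python
# Added illustration, not sigmac's code; the buggy ordering below is assumed.
def sigma_tokens(value: str):
    """Yield (kind, char) tokens for a Sigma string value.

    Sigma syntax per the rule-creation guide: '\\\\' is a literal backslash,
    '\\*' a literal asterisk, a bare '*' a wildcard, and a lone backslash
    before any other character is itself literal.
    """
    i = 0
    while i < len(value):
        ch = value[i]
        nxt = value[i + 1] if i + 1 < len(value) else ""
        if ch == "\\" and nxt in ("\\", "*"):
            yield ("literal", nxt)
            i += 2
        elif ch == "*":
            yield ("wildcard", ch)
            i += 1
        else:
            yield ("literal", ch)
            i += 1


def to_splunk(value: str) -> str:
    """Render tokens for the inside of a double-quoted Splunk string:
    literal backslash -> two backslashes, literal '*' -> backslash-asterisk,
    wildcard -> bare '*'."""
    out = []
    for kind, ch in sigma_tokens(value):
        if kind == "wildcard":
            out.append("*")
        elif ch == "\\":
            out.append("\\\\")
        elif ch == "*":
            out.append("\\*")
        else:
            out.append(ch)
    return "".join(out)


def contains_buggy(value: str) -> str:
    """Assumed faulty order: wrap in wildcards first, then escape. A value
    ending in a backslash now reads as Sigma's escaped '\\*' (literal '*')."""
    return to_splunk("*" + value + "*")


def contains_fixed(value: str) -> str:
    """Escape the rule value on its own, then add the |contains wildcards."""
    return "*" + to_splunk(value) + "*"
```

The same escape-then-wrap ordering applies to `|endswith` and `|startswith`, where the wildcard is added on only one side.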