SigmaHQ / sigma

Main Sigma Rule Repository

Improperly escaped ending backslashes for rules with contains and startswith #722

Closed tjgeorgen-zz closed 4 years ago

tjgeorgen-zz commented 4 years ago

Many rules that use the |contains modifier specify string values that end with backslashes. Rules that have string values ending in a backslash can be found using this query from the project's root directory:

$ grep -r -l -F "\\'" rules/ | sort | uniq
rules//windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
rules//windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml
rules//windows/other/win_defender_bypass.yml
rules//windows/powershell/powershell_suspicious_profile_create.yml
rules//windows/process_creation/win_apt_gallium.yml
rules//windows/process_creation/win_apt_wocao.yml
rules//windows/process_creation/win_local_system_owner_account_discovery.yml
rules//windows/process_creation/win_malware_ryuk.yml
rules//windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
rules//windows/process_creation/win_net_enum.yml
rules//windows/process_creation/win_query_registry.yml
rules//windows/process_creation/win_task_folder_evasion.yml
rules//windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml
rules//windows/sysmon/sysmon_susp_run_key_img_folder.yml
rules//windows/sysmon/sysmon_webshell_creation_detect.yml

Let's take rules//windows/process_creation/win_malware_ryuk.yml as an example:

$ cat ./rules/windows/process_creation/win_malware_ryuk.yml 
title: Ryuk Ransomware
id: c37510b8-2107-4b78-aa32-72f251e7a844
status: experimental
description: Detects Ryuk ransomware activity
author: Florian Roth
date: 2019/12/16
references:
    - https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'Microsoft\Windows\CurrentVersion\Run'
            - 'C:\users\Public\'
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unlikely
level: critical

When converted, the 'C:\users\Public\' value accidentally escapes the wildcard inserted after the string due to the |contains modifier:

$ ./tools/sigmac -t splunk -c splunk-windows ./rules/windows/process_creation/win_malware_ryuk.yml 
(CommandLine="*Microsoft\\Windows\\CurrentVersion\\Run*" CommandLine="*C:\\users\\Public\*") | table CommandLine,ParentCommandLine

As you can see, with CommandLine="*C:\\users\\Public\*" instead of ending in a backslash followed by a wildcard, it is escaping the asterisk resulting in a literal asterisk.

This could be fixed by modifying all of the affected rules by having the string values end with two backslashes, similar to the guidance in https://github.com/Neo23x0/sigma/wiki/Rule-Creation-Guide#backslashes. If it's intended for rules that use |contains or |startswith to have string values that end in a single backslash, then the transform functions would need to be corrected.
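
To make the escaping-order problem concrete, here is a small Python model, added for this write-up and not sigmac's own code, that reproduces the reported output for the Ryuk rule value and contrasts it with a corrected |contains that escapes a trailing backslash before appending the wildcard. The escape regex, the corrected modifier and the Splunk value-matching model are simplifications assumed for the example.

```python
import re

# Simplified model of the backend escaping the issue describes (constructed,
# not sigmac's code): a backslash that is not itself escaped and not followed
# by '*', '?' or '\' is doubled; '\*' is taken as a literal asterisk and kept.
_BARE_BACKSLASH = re.compile(r'(?<!\\)\\(?![*?\\])')

def escape_for_splunk(value: str) -> str:
    return _BARE_BACKSLASH.sub(r'\\\\', value)

def contains_buggy(value: str) -> str:
    # |contains as reported: wildcards go around the raw rule value, so a
    # trailing backslash ends up in front of the new '*' and escapes it.
    if not value.startswith('*'):
        value = '*' + value
    if not value.endswith('*'):
        value += '*'
    return value

def _ends_with_unescaped_backslash(value: str) -> bool:
    trailing = len(value) - len(value.rstrip('\\'))
    return trailing % 2 == 1   # odd run: the last backslash is not escaped

def contains_fixed(value: str) -> str:
    # One way to correct it (assumed here, not the project's actual fix):
    # escape a trailing unescaped backslash before appending the wildcard.
    if not value.startswith('*'):
        value = '*' + value
    if not value.endswith('*'):
        value += '\\*' if _ends_with_unescaped_backslash(value) else '*'
    return value

def splunk_term(field: str, value: str, contains=contains_fixed) -> str:
    return f'{field}="{escape_for_splunk(contains(value))}"'

def splunk_value_matches(pattern: str, text: str) -> bool:
    # Simplified model of how Splunk reads a quoted value: a backslash makes
    # the next character literal ('\\' -> '\', '\*' -> '*'); bare '*' wildcards.
    regex, i = '', 0
    while i < len(pattern):
        if pattern[i] == '\\' and i + 1 < len(pattern):
            regex += re.escape(pattern[i + 1])
            i += 2
        else:
            regex += '.*' if pattern[i] == '*' else re.escape(pattern[i])
            i += 1
    return re.fullmatch(regex, text, re.IGNORECASE) is not None

if __name__ == '__main__':
    for conv in (contains_buggy, contains_fixed):   # value from the Ryuk rule
        print(splunk_term('CommandLine', 'C:\\users\\Public\\', conv))
```

Run against a constructed command line such as C:\users\Public\evil.exe, the buggy term fails to match because its final \* is a literal asterisk, while the corrected term matches.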

indiechixor commented 4 years ago

Not sure if this is a similar/different issue, but our splunk queries are also escaping with too many slashes.

For example, RDP Registry Modification has the following sigma rule

TargetObject|endswith:
    - '\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication'
    - '\CurrentControlSet\Control\Terminal Server\fDenyTSConnections'

Which creates the following splunk query: (EventID="13" (TargetObject="*\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\UserAuthentication" OR TargetObject="*\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\fDenyTSConnections")

Unfortunately, that Splunk query fails to run, because it has four "\\" instead of three "\\". Should I open a new issue? This seems to be a similar problem with the entire escape character build process.

thomaspatzke commented 4 years ago

Same issue, it's backend agnostic. Will fix this.