I have started to use the MDATP backend to translate Sigma queries into ATP advanced hunting queries. It seems that there is an issue during the conversion to the matches regex operator.
If we look at the rule win_susp_crackmapexec_execution.yml, sigmac returns:
DeviceProcessEvents | where ProcessCommandLine matches regex ".*cmd\.exe /Q /c .* 1> \\\\\\\.*\\\.*\\\.* 2>&1"
In the Hunting console I'm getting syntax errors, as the \ just before .exe is not escaped and there is also a missing \ in the \\\\ sequence after 1>.
This change in the default value mapping function seems to fix it:
import re

def default_value_mapping(val):
    op = "=~"
    if "*" in val[1:-1]:  # value contains * inside string - use regex match
        op = "matches regex"
        val = re.sub(r'(["^$]|\\)', r'\\\g<1>', val)   # one backslash before quotes, anchors and backslashes
        val = re.sub(r'(\.)', r'\\\\\g<1>', val)       # two before a dot, so the Kusto literal "\\." reads as the regex "\."
        val = re.sub(r'\*', '.*', val)                 # Sigma wildcards become regex wildcards
        val = re.sub(r'\?', '.', val)
    return op, val
We get this result:
DeviceProcessEvents | where ProcessCommandLine matches regex ".*cmd\\.exe /Q /c .* 1> \\\\\\\\.*\\\\.*\\\\.* 2>&1"
Let me know if this is expected behavior or not.
Thanks,
Lucas
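The escaping problem in the report has two layers: the Sigma value must first be turned into a regex (metacharacters such as `.` and `\` escaped), and that regex must then be placed in a Kusto string literal, which applies its own backslash escaping. The following is an added example, not code from the sigma project or from the report, that does both layers separately and checks the result locally by reading the literal back the way the Kusto parser would and running the regex with Python's `re`. `SIGMA_VALUE` and `SAMPLE_CMDLINE` are constructed inputs, `KUSTO_ESCAPES` is a simplified model of the escapes a double-quoted Kusto literal accepts, and the `@"..."` verbatim literal is shown as the alternative that avoids the doubling altogether.

```python
import re

# Sigma value from win_susp_crackmapexec_execution.yml as it reads after Sigma's own
# escaping has been resolved (a literal "\\" UNC prefix, literal "\" separators,
# "*" as wildcard). Constructed here as an assumption about the rule.
SIGMA_VALUE = 'cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1'

# Constructed sample command line in the shape the rule is looking for.
SAMPLE_CMDLINE = 'cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1597846123.4 2>&1'

REGEX_META = set('\\.^$|()[]{}+?*')

# Simplified model of the escapes a Kusto double-quoted literal accepts (assumption:
# the real list is longer, but Sigma values rarely need more than these).
KUSTO_ESCAPES = {'\\': '\\', '"': '"', "'": "'", 'n': '\n', 't': '\t', 'r': '\r'}


def sigma_to_regex(val):
    """Layer 1: turn a Sigma wildcard value into a regex, escaping metacharacters."""
    parts = []
    for ch in val:
        if ch == '*':
            parts.append('.*')
        elif ch == '?':
            parts.append('.')
        elif ch in REGEX_META:
            parts.append('\\' + ch)
        else:
            parts.append(ch)
    return ''.join(parts)


def kusto_string_literal(regex):
    """Layer 2: wrap the regex in a double-quoted Kusto literal. Backslash and quote
    are the only characters the regex can contain that the literal must escape."""
    return '"' + regex.replace('\\', '\\\\').replace('"', '\\"') + '"'


def kusto_verbatim_literal(regex):
    """Alternative layer 2: an @"..." verbatim literal keeps backslashes as they are
    and only needs embedded quotes doubled."""
    return '@"' + regex.replace('"', '""') + '"'


def kusto_unescape(lit):
    """Read a double-quoted literal the way the Kusto parser would. An escape it does
    not know (such as the "\\." in the query from the report) is a syntax error."""
    if len(lit) < 2 or lit[0] != '"' or lit[-1] != '"':
        raise ValueError('not a double-quoted literal')
    body, out, i = lit[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == '\\':
            i += 1
            if i >= len(body) or body[i] not in KUSTO_ESCAPES:
                raise ValueError('invalid escape sequence \\' + body[i:i + 1])
            out.append(KUSTO_ESCAPES[body[i]])
        elif ch == '"':
            raise ValueError('unescaped quote inside literal')
        else:
            out.append(ch)
        i += 1
    return ''.join(out)


def literal_is_valid(lit):
    try:
        kusto_unescape(lit)
        return True
    except ValueError:
        return False


def build_query(val, verbatim=False):
    regex = sigma_to_regex(val)
    lit = kusto_verbatim_literal(regex) if verbatim else kusto_string_literal(regex)
    return 'DeviceProcessEvents | where ProcessCommandLine matches regex ' + lit


def query_matches(val, cmdline):
    """Local check: unescape the literal as Kusto would, then search with Python's re."""
    regex = kusto_unescape(kusto_string_literal(sigma_to_regex(val)))
    return re.search(regex, cmdline) is not None


if __name__ == '__main__':
    print(build_query(SIGMA_VALUE))
    print(build_query(SIGMA_VALUE, verbatim=True))
    print(query_matches(SIGMA_VALUE, SAMPLE_CMDLINE))
```

Running it prints a query whose literal contains `cmd\\.exe` and eight, four and four backslashes before the wildcards after `1>`, which is the shape of the corrected output in the report; the unescaped regex round-trips to the layer 1 regex and matches the sample command line. Feeding `"cmd\.exe"` to `literal_is_valid` reproduces the syntax error described above.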