Velocidex / velociraptor-sigma-rules

A Compiler from Sigma rules to VQL

Hayabusa rules that include fields alias cannot detect logs correctly #20

Closed fukusuket closed 8 months ago

fukusuket commented 8 months ago

Hello, I found a Hayabusa rules related issue, so I'll report it :)

Describe the issue: Some hayabusa-rules use alias field names. Therefore, rules that use aliases are not correctly detecting logs. For example, the following Important Log File Cleared rule uses the LogFileClearedChannel field,

However, the LogFileClearedChannel field is an alias, and the actual field names in the EVTX file are mapped based on the txt below.

Therefore, when using hayabusa-rules, it is necessary to perform the above alias mapping.

Steps to Reproduce

  1. Place an evtx file: C:/tmp/all-evtx/win2022-0-20348-azure
     1. https://github.com/NextronSystems/evtx-baseline/releases/tag/v0.8
        1. (System.evtx with EventID: 104)
  2. Import the curated Sigma rules with the Server.Import.CuratedSigma server artifact
  3. Collect the artifact Sigma.Windows.Hayabusa.Rules with the following options
     1. ROOT: C:/tmp/all-evtx/win2022-0-20348-azure
     2. RuleLevel: Critical and High

Expected behavior: The Important Log File Cleared rule detects 2 logs.

Actual behavior: The Important Log File Cleared rule does not detect any logs.

Screenshot: System.evtx with EventID 104 sample event.

Environment

Thank you for your time.

scudette commented 8 months ago

Thanks for reporting

That's interesting - we do have the field mapping defined in the config file, so it should be able to find it:

https://github.com/Velocidex/velociraptor-sigma-rules/blob/33dafd964c27c697fc6dba63681be867fbbe768b/config/windows_hayabusa_rules.yaml#L155

scudette commented 8 months ago

OK, after investigation, the rule is

detection:
    selection:
        Channel: 'System'
        Provider_Name: 'Microsoft-Windows-Eventlog'
        EventID: 104
        LogFileClearedChannel:
            - 'Application'
            - 'Microsoft-Windows-Windows Defender/Operational'
            - 'Microsoft-Windows-AppLocker/EXE and DLL'
            - 'Microsoft-Windows-PowerShell/Operational'
            - 'Microsoft-Windows-Sysmon/Operational'
            - 'Microsoft-Windows-TaskScheduler/Operational'
            - 'OpenSSH/Operational'
            - 'Security'
            - 'System'
            - 'Windows PowerShell'
    condition: selection

But the field mapping for Provider_Name is defined as https://github.com/Velocidex/velociraptor-sigma-rules/blob/33dafd964c27c697fc6dba63681be867fbbe768b/config/windows_hayabusa_rules.yaml#L208

This is wrong - it should be "x=>x.System.Provider.Name"

scudette commented 8 months ago

It's interesting - the alias actually comes from Hayabusa itself: https://github.com/Yamato-Security/hayabusa-rules/blob/09dba13950cb849d320d76ae63707496c5947f14/config/eventkey_alias.txt#L139

From the README file of Hayabusa, it says the _attributes notation is a special case:

To specify XML attributes in an eventkey, use the format {eventkey}_attributes.{attribute_name}.

So we need to consider that when converting the field mappings from Hayabusa (In Velociraptor we just merge the attribute names directly so there is no need to use this notation).
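The translation step described in the comment above, as an added example that is not part of velociraptor-sigma-rules or Hayabusa: it turns Hayabusa eventkey aliases into Velociraptor-style `x=>x....` accessors by dropping the `_attributes` segment (Velociraptor merges XML attributes straight into the parent element, per the comment), and then shows why the untranslated `Provider_attributes` path resolves to nothing on a Velociraptor event row. The alias excerpt and the Event ID 104 row are constructed for the example; the function names and the assumption that every other path segment maps one-to-one are mine, not the project's.

```python
"""Added example: map Hayabusa eventkey aliases to Velociraptor field accessors.

Illustrative code, not part of velociraptor-sigma-rules. The alias lines and
the event row below are constructed for the example.
"""
import re

# Constructed excerpt in the shape of Hayabusa's config/eventkey_alias.txt
# (CSV of alias,event_key). Illustrative values, not copied from the file.
SAMPLE_ALIASES = """\
alias,event_key
Channel,Event.System.Channel
Provider_Name,Event.System.Provider_attributes.Name
LogFileClearedChannel,Event.UserData.LogFileCleared.Channel
"""

# Hayabusa's README: XML attributes are addressed as {eventkey}_attributes.{attribute_name}
ATTR_SUFFIX = "_attributes"


def parse_alias_file(text: str) -> dict:
    """Return {alias: event_key} from eventkey_alias.txt-style CSV text."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("alias,"):
            continue  # skip blanks and the header row
        alias, key = line.split(",", 1)
        out[alias.strip()] = key.strip()
    return out


def hayabusa_key_to_vql(event_key: str) -> str:
    """Map a Hayabusa event_key to a VQL lambda over a Velociraptor event row.

    The '_attributes' segment is dropped because Velociraptor's EVTX parser
    merges attributes directly into the element. The leading 'Event.' is
    dropped because the row handed to the rule already is the Event element.
    Assumption (mine): all other path segments map one-to-one.
    """
    parts = event_key.split(".")
    if parts and parts[0] == "Event":
        parts = parts[1:]
    parts = [p[: -len(ATTR_SUFFIX)] if p.endswith(ATTR_SUFFIX) else p for p in parts]
    return "x=>x." + ".".join(parts)


def build_field_mappings(alias_text: str) -> dict:
    """Produce the {alias: 'x=>x....'} table a converted config would carry."""
    return {a: hayabusa_key_to_vql(k) for a, k in parse_alias_file(alias_text).items()}


_LAMBDA = re.compile(r"^x=>x\.(.+)$")


def resolve(row: dict, vql_lambda: str):
    """Walk a nested dict with an 'x=>x.A.B.C' accessor; None if a step is missing.

    Stands in for VQL's tolerant member access, which yields NULL rather than
    failing when a field is absent, which is exactly how a bad mapping hides.
    """
    m = _LAMBDA.match(vql_lambda)
    if not m:
        raise ValueError(f"not a simple member accessor: {vql_lambda}")
    cur = row
    for seg in m.group(1).split("."):
        if not isinstance(cur, dict) or seg not in cur:
            return None
        cur = cur[seg]
    return cur


# Constructed row in the shape Velociraptor produces for an Event ID 104 record:
# the Provider element's Name attribute is merged in as System.Provider.Name.
SAMPLE_ROW = {
    "System": {
        "Provider": {"Name": "Microsoft-Windows-Eventlog"},
        "EventID": 104,
        "Channel": "System",
    },
    "UserData": {
        "LogFileCleared": {"SubjectUserName": "Administrator", "Channel": "Security"},
    },
}


def demo() -> dict:
    """Compare the translated accessor with the raw Hayabusa path on SAMPLE_ROW."""
    mappings = build_field_mappings(SAMPLE_ALIASES)
    untranslated = "x=>x.System.Provider_attributes.Name"  # what a naive conversion emits
    return {
        "translated": mappings["Provider_Name"],
        "via_translated": resolve(SAMPLE_ROW, mappings["Provider_Name"]),
        "via_untranslated": resolve(SAMPLE_ROW, untranslated),
        "cleared_channel": resolve(SAMPLE_ROW, mappings["LogFileClearedChannel"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The `via_untranslated` result is the failure mode from the issue: the rule's `Provider_Name` selection compares against NULL, never matches, and the Event ID 104 records go undetected even though the `LogFileClearedChannel` mapping itself is fine.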

fukusuket commented 8 months ago

Thank you so much for the quick investigation. I see, it was an attribute notation issue :)

scudette commented 8 months ago

This should be fixed now by #18

Thanks for reporting and testing!

fukusuket commented 8 months ago

I confirmed the Important Log File Cleared rule detects 2 logs with the fixed rule set :) Thank you!

[Screenshot 2024-03-11 17:50:55]