Closed fukusuket closed 6 months ago
Hello, thank you for maintaining the rules :)
I found that the Sigma.Windows.Hayabusa.Rule: PwSh Engine Started rule's Details field value is `null`, as shown below, so I am reporting it.
hayabusa json-timeline output:

```json
{
  "Timestamp": "2023-10-12 16:29:10.368 +09:00",
  "RuleTitle": "PwSh Engine Started",
  "Level": "info",
  "Computer": "MyComputer",
  "Channel": "PwShClassic",
  "EventID": 400,
  "RecordID": 15,
  "Details": {
    "HostApplication": "powershell -ExecutionPolicy Bypass -windowstyle hidden -command C:\\mcj\\software\\win10\\antivirus\\mcafee\\mcafee_install.ps1"
  },
  "ExtraFieldInfo": {
    "CommandLine": "",
    "CommandName": "",
    "CommandPath": "",
    "CommandType": "",
    "Data": [
      "Available",
      "NewEngineState=Available\\r\\n\\tPreviousEngineState=None\\r\\n\\r\\n\\tSequenceNumber=13\\r\\n\\r\\n\\tHostName=ConsoleHost\\r\\n\\tHostVersion=5.1.22621.1778\\r\\n\\tHostId=9dffc9dd-aafe-4b79-9376-1d6cf3004052\\r\\n\\tHostApplication=powershell -ExecutionPolicy Bypass -windowstyle hidden -command C:\\mcj\\software\\win10\\antivirus\\mcafee\\mcafee_install.ps1\\r\\n\\tEngineVersion=5.1.22621.1778\\r\\n\\tRunspaceId=26c18ad2-f3f2-400e-8425-362f1e73857c\\r\\n\\tPipelineId=\\r\\n\\tCommandName=\\r\\n\\tCommandType=\\r\\n\\tScriptName=\\r\\n\\tCommandPath=\\r\\n\\tCommandLine=",
      "None"
    ],
    "EngineVersion": "5.1.22621.1778",
    "HostId": "9dffc9dd-aafe-4b79-9376-1d6cf3004052",
    "HostName": "ConsoleHost",
    "HostVersion": "5.1.22621.1778",
    "NewEngineState": "Available",
    "PipelineId": "",
    "PreviousEngineState": "None",
    "RunspaceId": "26c18ad2-f3f2-400e-8425-362f1e73857c",
    "ScriptName": "",
    "SequenceNumber": 13
  }
}
```
original evtx XML:

```xml
<Event>
  <System>
    <Provider Name="PowerShell" />
    <EventID Qualifiers="0">400</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>4</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2023-10-12T07:29:10.3688565Z" />
    <EventRecordID>15</EventRecordID>
    <Correlation />
    <Execution ProcessID="11020" ThreadID="0" />
    <Channel>Windows PowerShell</Channel>
    <Computer>MyComputer</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Available</Data>
    <Data>None</Data>
    <Data>NewEngineState=Available
      PreviousEngineState=None
      SequenceNumber=13
      HostName=ConsoleHost
      HostVersion=5.1.22621.1778
      HostId=9dffc9dd-aafe-4b79-9376-1d6cf3004052
      HostApplication=powershell -ExecutionPolicy Bypass -windowstyle hidden -command C:\mcj\software\win10\antivirus\mcafee\mcafee_install.ps1
      EngineVersion=5.1.22621.1778
      RunspaceId=26c18ad2-f3f2-400e-8425-362f1e73857c
      PipelineId=
      CommandName=
      CommandType=
      ScriptName=
      CommandPath=
      CommandLine=</Data>
  </EventData>
</Event>
```
This is because the PwSh Engine Started rule operates with a special specification, as shown below. (This special specification applies only to `Channel:PwShClassic`.)
FYI:
Thanks again for testing it!
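An added example, not code from the issue or from Hayabusa itself: a Python parser for the key=value blob that a PowerShell Classic Event ID 400 record carries in its third `<Data>` element, fed with the record quoted above both with real CR/LF/TAB separators (as in the evtx XML) and with the literal `\r\n\t` escapes that appear in the json-timeline output. `DETAILS_KEYS` and `details_from_data_array` are assumptions standing in for the rule's own field selection; they show how the Details value ends up `null` when the expected key is missing or empty.

```python
import re
from typing import Optional

# Constructed sample: the key=value blob from the issue's Data element, with the
# separators as the json-timeline output shows them (literal \r \n \t escapes).
ESCAPED_BLOB = (
    r"NewEngineState=Available\r\n\tPreviousEngineState=None\r\n\r\n"
    r"\tSequenceNumber=13\r\n\r\n\tHostName=ConsoleHost\r\n"
    r"\tHostVersion=5.1.22621.1778\r\n"
    r"\tHostId=9dffc9dd-aafe-4b79-9376-1d6cf3004052\r\n"
    r"\tHostApplication=powershell -ExecutionPolicy Bypass -windowstyle hidden "
    r"-command C:\mcj\software\win10\antivirus\mcafee\mcafee_install.ps1\r\n"
    r"\tEngineVersion=5.1.22621.1778\r\n"
    r"\tRunspaceId=26c18ad2-f3f2-400e-8425-362f1e73857c\r\n"
    r"\tPipelineId=\r\n\tCommandName=\r\n\tCommandType=\r\n\tScriptName=\r\n"
    r"\tCommandPath=\r\n\tCommandLine="
)
# The same blob as the evtx XML carries it: real control characters.
RAW_BLOB = (ESCAPED_BLOB.replace(r"\r", "\r")
                        .replace(r"\n", "\n").replace(r"\t", "\t"))

# A separator is one or more CR/LF/TAB characters, or their literal escapes,
# but only when the next token looks like a key ("Name="). The lookahead stops
# a backslash inside a path such as C:\tools\x.ps1 from being read as a tab.
SEP = re.compile(r"(?:\\r|\\n|\\t|[\r\n\t])+(?=[A-Za-z]\w*=)")


def parse_engine_state_data(blob: str) -> dict:
    """Turn the Event ID 400 key=value blob into a dict.
    Empty values (PipelineId=, CommandLine=) are kept as ''."""
    fields = {}
    for entry in SEP.split(blob):
        key, eq, value = entry.partition("=")
        if eq:  # skip anything that is not a key=value pair
            fields[key.strip()] = value.strip()
    return fields


# Assumption: the keys the rule is meant to surface as Details.
DETAILS_KEYS = ("HostApplication",)


def details_from_data_array(data: list) -> Optional[dict]:
    """Take Data as json-timeline prints it (['Available', '<blob>', 'None'])
    and build Details. Returns None, the symptom reported above, only when no
    element carries key=value pairs or the expected keys are empty."""
    blob = next((d for d in data if "=" in d), "")
    fields = parse_engine_state_data(blob)
    details = {k: fields[k] for k in DETAILS_KEYS if fields.get(k)}
    return details or None
```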