WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
GNU General Public License v3.0

v2.4+ seems to be unable to recognize Sigma alerts #131

Closed Maspital closed 1 year ago

Maspital commented 1 year ago

Chainsaw version 2.4 and higher is unable to catch Sigma alerts which 2.3 successfully found. Assume the following minimal example

Some Sigma rule:

title: Some title
id: c5b20776-639a-49bf-94c7-84f912b91c15
description: Some description
logsource:
    product: windows
    category: ps_classic_start
    definition: fields have to be extract from event
detection:
    selection:
        HostApplication|contains:
            - 'powercat '
            - 'powercat.ps1'
    condition: selection

Some random logs. The second one contains the string "powercat " in the process.command_line field.

{"@timestamp": "2022-12-19T08:43:44.612Z", "agent": {"ephemeral_id": "f998276c-afe4-4463-aba7-6d1241c5c07f", "hostname": "CLIENT2", "id": "a5ea4d3e-40c5-43d5-9a2e-ed2c48327430", "name": "CLIENT2", "type": "winlogbeat", "version": "7.10.2"}, "ecs": {"version": "1.5.0"}, "event": {"action": "User Account Management", "code": 5379, "created": "2022-12-19T08:46:33.404Z", "kind": "event", "outcome": "success", "provider": "Microsoft-Windows-Security-Auditing"}, "host": {"name": "CLIENT2"}, "log": {"level": "information"}, "message": "Credential Manager credentials were read.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-19\n\tAccount Name:\t\tLOCAL SERVICE\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E5\n\tRead Operation:\t\tEnumerate Credentials\n\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.", "winlog": {"activity_id": "{f92de682-1385-0001-ffe6-2df98513d901}", "api": "wineventlog", "channel": "Security", "computer_name": "CLIENT2", "event_data": {"ClientProcessId": "416", "CountOfCredentialsReturned": "0", "ProcessCreationTime": "2022-12-19T08:43:34.6289740Z", "ReadOperation": "%%8100", "ReturnCode": "3221226021", "SubjectDomainName": "NT AUTHORITY", "SubjectLogonId": "0x3e5", "SubjectUserName": "LOCAL SERVICE", "SubjectUserSid": "S-1-5-19", "TargetName": "MicrosoftAccount:user=02lyfnrzcjxeyuvu", "Type": "0"}, "event_id": 5379, "keywords": ["Audit Success"], "opcode": "Info", "process": {"pid": 640, "thread": {"id": 676}}, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 4466, "task": "User Account Management"}}
{"@timestamp": "2022-12-19T08:45:21.331Z", "agent": {"ephemeral_id": "9f267527-6a01-4adf-bfdd-37fe019af17c", "hostname": "CLIENT3", "id": "a5ea4d3e-40c5-43d5-9a2e-ed2c48327430", "name": "CLIENT3", "type": "winlogbeat", "version": "7.10.2"}, "ecs": {"version": "1.5.0"}, "event": {"action": "Executing Pipeline", "category": ["process"], "code": 4103, "created": "2022-12-19T08:46:35.588Z", "kind": "event", "module": "powershell", "provider": "Microsoft-Windows-PowerShell", "sequence": 16, "type": ["info"]}, "host": {"name": "CLIENT"}, "log": {"level": "information"}, "message": "CommandInvocation(Rename-Computer): \"Rename-Computer\"\nParameterBinding(Rename-Computer): name=\"NewName\"; value=\"CLIENT3\"\nParameterBinding(Rename-Computer): name=\"Restart\"; value=\"True\"\nParameterBinding(Rename-Computer): name=\"Force\"; value=\"True\"\n\n\nContext:\n        Severity = Informational\n        Host Name = ConsoleHost\n        Host Version = 5.1.19041.1237\n        Host ID = 9ae884a4-bf81-466b-a359-a1ee23742f8f\n        Host Application = powershell $new_name = 'CLIENT3'; Rename-Computer -NewName $new_name -Restart -Force\n        Engine Version = 5.1.19041.1237\n        Runspace ID = 198331d2-5eb7-4c0a-bae6-369f8c0a7b56\n        Pipeline ID = 1\n        Command Name = Rename-Computer\n        Command Type = Cmdlet\n        Script Name = \n        Command Path = \n        Sequence Number = 16\n        User = CLIENT\\setup\n        Connected User = \n        Shell ID = Microsoft.PowerShell\n\n\nUser Data:", "powershell": {"command": {"invocation_details": [{"related_command": "Rename-Computer", "type": "CommandInvocation", "value": "\"Rename-Computer\""}, {"name": "\"NewName\"", "related_command": "Rename-Computer", "type": "ParameterBinding", "value": "\"CLIENT3\""}, {"name": "\"Restart\"", "related_command": "Rename-Computer", "type": "ParameterBinding", "value": "\"True\""}, {"name": "\"Force\"", "related_command": "Rename-Computer", "type": "ParameterBinding", "value": "\"True\""}], "name": "Rename-Computer", "type": "Cmdlet"}, "engine": {"version": "5.1.19041.1237"}, "id": "Microsoft.PowerShell", "pipeline_id": "1", "process": {"executable_version": "5.1.19041.1237"}, "runspace_id": "198331d2-5eb7-4c0a-bae6-369f8c0a7b56"}, "process": {"args": ["powershell", "$new_name", "=", "'CLIENT3';", "Rename-Computer", "-NewName", "$new_name", "-Restart", "-Force"], "args_count": 9, "command_line": "evil evil powercat $new_name = 'CLIENT3'; Rename-Computer -NewName $new_name -Restart -Force", "entity_id": "9ae884a4-bf81-466b-a359-a1ee23742f8f", "title": "ConsoleHost"}, "related": {"user": "setup"}, "user": {"domain": "CLIENT", "name": "setup"}, "winlog": {"activity_id": "{c98abb53-1385-0000-f6c6-8ac98513d901}", "api": "wineventlog", "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "CLIENT", "event_id": 4103, "opcode": "To be used when operation is just executing a method", "process": {"pid": 6628, "thread": {"id": 6748}}, "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", "provider_name": "Microsoft-Windows-PowerShell", "record_id": 6176, "task": "Executing Pipeline", "user": {"domain": "CLIENT3", "identifier": "S-1-5-21-1007433295-766092996-2957732838-1002", "name": "setup", "type": "User"}, "version": 1}}

Some mapping file:

---
name: Small mapping example
kind: jsonl
rules: sigma

groups:
  - name: Sigma
    timestamp: "@timestamp"
    filter:
      Provider: "*"
    fields:
      - from: Provider
        to: winlog.provider_name
      - name: Event ID
        from: EventID
        to: winlog.event_id

      - from: HostApplication
        to: process.command_line

Running the command

./chainsaw hunt log.jsonl --sigma rules/ --mapping mapping.yml --load-unknown

with Chainsaw 2.3, this works as intended (1 detection), but all higher versions fail to detect anything.

In addition to this, all versions seem to be unable to handle Sigma rules that, instead of looking for a value in a particular field, trigger if something is present anywhere in the log (see specification) like this rule, though this probably warrants a separate issue.

Any help with this would be greatly appreciated
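To make the expected behaviour of the report concrete, here is an added reference evaluator for the rule, mapping and logs in the report above. It is illustration only, not Chainsaw's own code: the Sigma `detection` block and the mapping group are embedded as Python dict literals mirroring the YAML, and the two JSONL events are trimmed to the fields the rule and mapping touch (constructed sample input). It resolves the Sigma field `HostApplication` to the dotted path `process.command_line` through the mapping, applies the `|contains` modifier as an OR over the listed values, honours the group's `Provider: "*"` glob filter, and should report exactly one detection, on the second line, which is what the reporter says 2.3 produced.

```python
"""Reference evaluator for a keyed Sigma selection plus a Chainsaw-style
field mapping. Added illustration, not Chainsaw's code."""
import fnmatch
import json

# Constructed: the two JSONL events from the issue, reduced to relevant fields.
EVENTS_JSONL = "\n".join([
    json.dumps({"@timestamp": "2022-12-19T08:43:44.612Z",
                "winlog": {"provider_name": "Microsoft-Windows-Security-Auditing",
                           "event_id": 5379},
                "message": "Credential Manager credentials were read."}),
    json.dumps({"@timestamp": "2022-12-19T08:45:21.331Z",
                "winlog": {"provider_name": "Microsoft-Windows-PowerShell",
                           "event_id": 4103},
                "process": {"command_line": "evil evil powercat $new_name = 'CLIENT3'; "
                                            "Rename-Computer -NewName $new_name -Restart -Force"}}),
])

# The Sigma rule's detection block as a dict (mirrors the YAML in the issue).
RULE = {
    "title": "Some title",
    "detection": {
        "selection": {"HostApplication|contains": ["powercat ", "powercat.ps1"]},
        "condition": "selection",
    },
}

# The mapping group: Sigma field name -> dotted path into the JSON event.
MAPPING = {
    "filter": {"Provider": "*"},
    "fields": {"Provider": "winlog.provider_name",
               "EventID": "winlog.event_id",
               "HostApplication": "process.command_line"},
}


def get_path(event, dotted):
    """Walk a dotted path such as 'process.command_line' through nested dicts."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def resolve(event, sigma_field, mapping):
    """Translate a Sigma field name via the mapping, then fetch it from the event."""
    path = mapping["fields"].get(sigma_field, sigma_field)
    return get_path(event, path)


def match_value(actual, expected, modifier):
    """Apply one Sigma string modifier; Sigma string matching is case-insensitive."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return fnmatch.fnmatchcase(a, e)  # plain match: * and ? wildcards


def selection_matches(event, selection, mapping):
    """A keyed selection ANDs its entries; a list of values under one key is an OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = resolve(event, field, mapping)
        values = expected if isinstance(expected, list) else [expected]
        if not any(match_value(actual, v, modifier) for v in values):
            return False
    return True


def passes_filter(event, mapping):
    """Mapping-group filter: every listed field must exist and glob-match."""
    for field, pattern in mapping["filter"].items():
        actual = resolve(event, field, mapping)
        if actual is None or not fnmatch.fnmatchcase(str(actual), pattern):
            return False
    return True


def hunt(jsonl_text, rule, mapping):
    """Return (line_number, rule title) for each event the rule fires on.
    Only the simplest condition, naming a single selection, is handled."""
    detection = rule["detection"]
    cond = detection["condition"].strip()
    if cond not in detection:
        raise ValueError(f"unsupported condition: {cond!r}")
    hits = []
    for n, line in enumerate(jsonl_text.splitlines(), start=1):
        if not line.strip():
            continue
        event = json.loads(line)
        if passes_filter(event, mapping) and selection_matches(event, detection[cond], mapping):
            hits.append((n, rule["title"]))
    return hits


if __name__ == "__main__":
    for n, title in hunt(EVENTS_JSONL, RULE, MAPPING):
        print(f"line {n}: {title}")
```

The first event never reaches the string comparison: `HostApplication` maps to `process.command_line`, which that event lacks, so `resolve` returns `None` and the selection fails closed. That is the property to check first when a mapping regression is suspected: confirm the mapped path actually exists in the event before looking at the modifier logic.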

alexkornitzer commented 1 year ago

Hi @Maspital,

Thanks for such a thorough example; it made it really easy to bisect and fix, which is now done. I'll get the build out later today.

On the second note you have, I think I answered it somewhere in the issues or discussions before, but keyless rules are not supported because I can't see any valid use case for having them. If we look at the rule posted, it is very, very badly written: all of those keywords are command line arguments within the context of a process execution. Happy to reopen the discussion for this, but my opinion atm is that the rule should be 'fixed'.