WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
GNU General Public License v3.0

Missing Sigma Base64 Encoding? #138

Closed L015H4CK closed 1 year ago

L015H4CK commented 1 year ago

Hello there,

recently I have started working with Chainsaw using the Sigma ruleset. After some time I noticed that Chainsaw might be missing Base64 encoding as it is used by Sigma. The following example should clarify the problem and make it reproducible.

Used rule: proc_creation_win_powershell_base64_iex.yml:

(...)
    selection:
        - CommandLine|base64offset|contains:
            - 'IEX (['
            - 'iex (['
            - 'iex (New'
            - 'IEX (New'
            - 'IEX(['
            - 'iex(['
            - 'iex(New'
            - 'IEX(New'
            - "IEX(('"
            - "iex(('"
        # UTF16 LE
        - CommandLine|contains:
            - 'SQBFAFgAIAAoAFsA'
            - 'kARQBYACAAKABbA'
            - 'JAEUAWAAgACgAWw'
            - 'aQBlAHgAIAAoAFsA'
            - 'kAZQB4ACAAKABbA'
            - 'pAGUAeAAgACgAWw'
            - 'aQBlAHgAIAAoAE4AZQB3A'
            - 'kAZQB4ACAAKABOAGUAdw'
            - 'pAGUAeAAgACgATgBlAHcA'
            - 'SQBFAFgAIAAoAE4AZQB3A'
            - 'kARQBYACAAKABOAGUAdw'
            - 'JAEUAWAAgACgATgBlAHcA'
    condition: selection
(...)

According to the Sigma Specification the base64offset modifier should encode the respective strings to base64 using shifts of 0, 1 and 2 bytes. (The second selection shows these encodings for the first 4 elements in the first selection part (i.e. 'IEX ([' to 'IEX (New').) The encoding is done using UTF16-LE, as stated by the in-rule comment. When running Chainsaw with this rule, detections are found in the following event logs (only the CommandLine field is shown):

The following event logs are not detected, but they should be:

Now the interesting part that suggests there is no encoding performed by chainsaw. The following events logs are detected but should not be detected:

To summarize, Chainsaw:

Best regards, Louis
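The base64offset transformation discussed in the rule above, as an added example (not code from Chainsaw or the Sigma project): it regenerates the UTF-16LE variants listed in the rule's second selection from the plain strings in the first, and checks them against a constructed "powershell -enc" command line whose prefix shifts the base64 alignment. The start/end offsets follow the Sigma reference implementation; the command line and script text are constructed sample input.

```python
import base64

# Sigma base64offset: encode the needle at each of the three possible byte
# alignments inside a base64 stream and strip the edge characters that
# depend on unknown neighbouring bytes, so every variant is a pure
# substring of the encoded command line. The 0x20 padding byte only
# influences characters that are stripped.
START_OFFSETS = (0, 2, 3)       # leading chars to drop, indexed by shift
END_OFFSETS = (None, -3, -2)    # trailing chars to drop, indexed by len % 3


def base64offset(value: str, encoding: str = "utf-16le") -> list:
    """Return the three alignment-shifted base64 encodings of value."""
    raw = value.encode(encoding)
    variants = []
    for shift in range(3):
        padded = shift * b" " + raw
        encoded = base64.b64encode(padded).decode("ascii")
        variants.append(encoded[START_OFFSETS[shift]:END_OFFSETS[len(padded) % 3]])
    return variants


# Plain strings from the rule's first selection; the rule's "UTF16 LE"
# comment states the stored variants were produced with that encoding.
NEEDLES = ["IEX ([", "iex ([", "iex (New", "IEX (New"]


def detect(command_line: str) -> bool:
    """True if any base64offset variant of any needle occurs in command_line."""
    return any(v in command_line for n in NEEDLES for v in base64offset(n))


def encoded_command(script: str) -> str:
    """Constructed sample: a 'powershell -enc' command line carrying script."""
    return "powershell.exe -enc " + base64.b64encode(script.encode("utf-16le")).decode("ascii")


if __name__ == "__main__":
    for shift, variant in enumerate(base64offset("IEX ([")):
        print(f"shift {shift}: {variant}")
    # The prefix "$a=1;" is 10 UTF-16LE bytes (10 % 3 == 1), so only the
    # shift-1 variant 'kARQBYACAAKABbA' can match this command line.
    print(detect(encoded_command("$a=1;IEX ([string]'Get-Date')")))
```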

alexkornitzer commented 1 year ago

Hi Louis,

Chainsaw is not aware of base64offset and is therefore ignoring it completely, hence the outcomes you have listed in the summary. If this modifier is useful to you I can update the sigma parser in Chainsaw to handle this flag.

I will also update Chainsaw to not silently ignore modifiers it is not aware of, so it's more obvious when this sort of stuff happens.

L015H4CK commented 1 year ago

Hello Alex,

thank you for your quick response!

Since many Sigma rules are being updated to also include the encoded Base64 strings themselves, it is not as critical to support the base64offset modifier as it may seem. Nonetheless, I think adding support for it would be really great.

I will also update Chainsaw to not silently ignore modifiers it is not aware of, so it's more obvious when this sort of stuff happens.

This is definitely a good idea! :+1:

alexkornitzer commented 1 year ago

Thanks for the thorough description in the issue, yep all that makes sense. I'll find time to get it in sometime this week.