WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
GNU General Public License v3.0

BUG: Aggregate String Fields Not Coalescing #171

Closed import-pandas-as-numpy closed 1 month ago

import-pandas-as-numpy commented 1 month ago

Issue: It appears that indexing an array causes this behavior, and results in aggregate returning an empty field for Event.EventData.Data[2]. (Client)

┌──(remnux λ Remnux)-[~/chainsaw/event-logs/123SQL02]
└─$ chainsaw --no-banner hunt ~/chainsaw/rules/sudorem/mssql_failed_login.yml .
[+] Loading detection rules from: /home/remnux/chainsaw/rules/sudorem/mssql_failed_login.yml
[+] Loaded 1 detection rules
[+] Loading forensic artefacts from: . (extensions: .evt, .evtx)
[+] Loaded 11 forensic artefacts (118.6 MB)
[+] Hunting: [========================================] 11/11
[+] Group: MSSQL
┌─────────────────────┬──────────────────────┬───────┬──────────┬──────────────────────────────┬────────┐
│      timestamp      │      detections      │ count │ Event ID │           Computer           │ Client │
├─────────────────────┼──────────────────────┼───────┼──────────┼──────────────────────────────┼────────┤
│ 2024-06-10 18:23:10 │ ‣ Failed MSSQL Login │ 424   │ 18456    │ 123SQL01.corporateplaces.net │        │
└─────────────────────┴──────────────────────┴───────┴──────────┴──────────────────────────────┴────────┘

[+] 1 Detections found on 1 documents

Anticipated Behavior: This string obtained from Event.EventData[2] should be displayed in the 'Client' field of Chainsaw's output.

Rule:

---
title: Failed MSSQL Login
group: MSSQL
description: Failed login via MSSQL.
authors:
  - sudoREM

kind: evtx
level: critical
status: stable
timestamp: Event.System.TimeCreated

fields:
  - name: Event ID
    to: Event.System.EventID
  - name: Computer
    to: Event.System.Computer
  - name: Client
    to: Event.EventData.Data[2]

filter:
  condition: global and hack
  global:
    - Event.System.EventID: 18456
  hack:
    - Event.EventData.Data[1]: ' Reason: Password did not match that for the login provided.'

aggregate:
  count: '>1'
  fields:
    - Event.EventData.Data[2]
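
As an added illustration (not Chainsaw's own code), a Python sketch of what the rule above asks the engine to do: resolve the indexed path `Event.EventData.Data[2]` into the positional EventData list, apply the `global and hack` filter, and group the matching events on that resolved value so the Client column is populated and the `count: '>1'` threshold can be applied per client. The events, usernames and client strings are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not real EVTX data) in the nested shape a parsed
# record takes: Event.System.* plus Event.EventData.Data as a positional list.
REASON = " Reason: Password did not match that for the login provided."
def _evt(ts, user, reason, client):
    return {"Event": {"System": {"EventID": 18456, "Computer": "123SQL01.corporateplaces.net",
                                 "TimeCreated": ts},
                      "EventData": {"Data": [user, reason, client]}}}

EVENTS = [
    _evt("2024-06-10 18:23:10", "sa", REASON, "[CLIENT: 10.0.0.5]"),
    _evt("2024-06-10 18:23:11", "sa", REASON, "[CLIENT: 10.0.0.5]"),
    _evt("2024-06-10 18:23:12", "admin", REASON, "[CLIENT: 10.0.0.9]"),
    _evt("2024-06-10 18:23:13", "sa",
         " Reason: Could not find a login matching the name provided.", "[CLIENT: 10.0.0.5]"),
]

# Filter and aggregate sections mirroring the rule in the issue.
FILTER = {"Event.System.EventID": 18456, "Event.EventData.Data[1]": REASON}
AGG_FIELDS = ["Event.EventData.Data[2]"]
MIN_COUNT = 2   # count: '>1'

_IDX = re.compile(r"^(\w+)\[(\d+)\]$")

def resolve(doc, path):
    """Walk a dotted path; a part like 'Data[2]' indexes a list. None when absent."""
    cur = doc
    for part in path.split("."):
        m = _IDX.match(part)
        key, idx = (m.group(1), int(m.group(2))) if m else (part, None)
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
        if idx is not None:
            if not isinstance(cur, list) or idx >= len(cur):
                return None
            cur = cur[idx]
    return cur

def aggregate(events):
    """Group filter hits by the resolved aggregate fields; keep groups meeting the count."""
    groups = defaultdict(list)
    for e in events:
        if all(resolve(e, k) == v for k, v in FILTER.items()):
            groups[tuple(resolve(e, f) for f in AGG_FIELDS)].append(e)
    return {key: len(hits) for key, hits in groups.items() if len(hits) >= MIN_COUNT}
```

Running `aggregate(EVENTS)` yields one group keyed on the client string with a count of 2; the single-hit client and the event with a different failure reason are dropped.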

alexkornitzer commented 1 month ago

Nice find, and thank you for providing the example rule. I believe I have fixed this in the above commit. I will get this released asap.