Closed fukusuket closed 5 months ago
Describe the bug
The Possible Hidden Shellcode rule's json-timeline output does not convert Details. This is because there is no string in Details that corresponds to the JSON key. https://github.com/Yamato-Security/hayabusa-rules/blob/89ff974e079aa9dac306759253dae5f23edfb9cc/hayabusa/builtin/UnkwnChannEID_Med_PossibleHiddenShellcode.yml#L6
Steps to reproduce
Using the EVTX data below. https://github.com/NextronSystems/evtx-baseline/releases/tag/v0.8
Execute the following command.
./hayabusa-2.12.0-mac-aarch64 json-timeline -d ../all-evtx -o out.json -C -r ./rules/hayabusa/builtin/UnkwnChannEID_Med_PossibleHiddenShellcode.yml -w
{
  "Timestamp": "2022-02-07 19:55:00.116 +09:00",
  "Computer": "DESKTOP-A8CALR3",
  "Channel": "MS-Win-Storage-Storport/Op",
  "EventID": 534,
  "Level": "med",
  "RecordID": 9,
  "RuleTitle": "Possible Hidden Shellcode",
  "Details": "%Data%",
  "ExtraFieldInfo": {
    "AdapterGuid": "00203450-8804-11EC-89AC-806E6F6E6963",
    "BootDevice": true,
    "ClassDeviceGuid": "D31F4BA4-F40B-5B89-0350-DD659A494BC2",
    "DataLength": 176,
    "Description": "Finished I/O with error",
    "Id": 52,
    "LUN": 0,
    "MiniportName": "storahci",
    "PathID": 0,
    "PortNumber": 0,
    "ProductId": "HARDDISK",
    "SerialNumber": "VB9b813559-ab2acdb0",
    "TargetID": 0,
    "VendorId": "VBOX"
  }
}
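The record above shows the failure mode: a %Field% token in the rule's details template that no event field satisfies is emitted literally. The following is an added checker, not Hayabusa's code or the reporter's, that scans a json-timeline output file for records whose Details still contain an unresolved %Field% placeholder and lists the ExtraFieldInfo keys that were actually available for that event. It assumes only the record layout shown in this issue (a "Details" string plus an "ExtraFieldInfo" object); the embedded sample is a constructed copy of the record above plus one constructed clean record, and the hypothetical filename out.json is just the one used in the reproduction command.

```python
"""Find Hayabusa json-timeline records whose Details still carry an unresolved
%Field% placeholder, and report which event fields were available instead.

Added example, not part of Hayabusa or of the hayabusa-rules repository.
Assumes only the record layout visible in this issue: a "Details" string and
an "ExtraFieldInfo" object per record.
"""
import json
import re
import sys

# A placeholder is %Name% with no whitespace inside; "100% done 50%" is not one.
PLACEHOLDER = re.compile(r"%([A-Za-z0-9_]+)%")

# Constructed sample input: the record from the bug report (trimmed to the
# fields used here) followed by a constructed record whose Details resolved.
SAMPLE_JSONL = r'''
{"Timestamp": "2022-02-07 19:55:00.116 +09:00", "Computer": "DESKTOP-A8CALR3", "Channel": "MS-Win-Storage-Storport/Op", "EventID": 534, "Level": "med", "RecordID": 9, "RuleTitle": "Possible Hidden Shellcode", "Details": "%Data%", "ExtraFieldInfo": {"AdapterGuid": "00203450-8804-11EC-89AC-806E6F6E6963", "DataLength": 176, "Description": "Finished I/O with error", "Id": 52, "MiniportName": "storahci"}}
{"Timestamp": "2022-02-07 19:55:01.000 +09:00", "Computer": "DESKTOP-A8CALR3", "Channel": "Constructed", "EventID": 1, "Level": "info", "RecordID": 10, "RuleTitle": "Constructed OK record", "Details": "Desc: resolved fine | Id: 7", "ExtraFieldInfo": {"Id": 7}}
'''


def load_records(text):
    """Accept either a JSON array of records or one JSON object per line."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def unresolved_placeholders(details):
    """Return the %Field% names left unsubstituted in a Details string."""
    if not isinstance(details, str):
        return []
    return PLACEHOLDER.findall(details)


def find_unresolved(text):
    """Return one finding per record whose Details has an unresolved token.

    Each finding names the rule and event and lists both the missing template
    fields and the ExtraFieldInfo keys that the event did carry, which is what
    a rule author needs to pick a replacement field.
    """
    findings = []
    for rec in load_records(text):
        missing = unresolved_placeholders(rec.get("Details", ""))
        if not missing:
            continue
        findings.append({
            "RuleTitle": rec.get("RuleTitle"),
            "Channel": rec.get("Channel"),
            "EventID": rec.get("EventID"),
            "RecordID": rec.get("RecordID"),
            "missing": missing,
            "available": sorted(rec.get("ExtraFieldInfo", {}).keys()),
        })
    return findings


def main(argv):
    # Hypothetical usage: python check_details.py out.json
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_JSONL
    findings = find_unresolved(text)
    for f in findings:
        print(f"{f['RuleTitle']} ({f['Channel']} EID {f['EventID']}, record {f['RecordID']}): "
              f"unresolved {f['missing']}; available fields {f['available']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample it reports the Possible Hidden Shellcode record with the unresolved `Data` token and the fields the Storport event actually carried (Description, Id, MiniportName and so on); a non-zero exit code makes it usable as a quick regression check over a rules directory's json-timeline output.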
@fukusuket Thanks so much! Closed by https://github.com/Yamato-Security/hayabusa-rules/pull/599