Yamato-Security / hayabusa-rules

Curated Windows event log Sigma rules used in Hayabusa and Velociraptor.

`Possible Hidden Shellcode` rule's `json-timeline` does not convert `Details` #598

Closed fukusuket closed 5 months ago

fukusuket commented 5 months ago

Describe the bug

Possible Hidden Shellcode rule's json-timeline does not convert Details. This is because there is no string in Details that corresponds to the JSON key. https://github.com/Yamato-Security/hayabusa-rules/blob/89ff974e079aa9dac306759253dae5f23edfb9cc/hayabusa/builtin/UnkwnChannEID_Med_PossibleHiddenShellcode.yml#L6

Step to Reproduce

Using the EVTX data below. https://github.com/NextronSystems/evtx-baseline/releases/tag/v0.8

Execute the following command.

`./hayabusa-2.12.0-mac-aarch64 json-timeline -d ../all-evtx -o out.json -C -r ./rules/hayabusa/builtin/UnkwnChannEID_Med_PossibleHiddenShellcode.yml -w`

{
    "Timestamp": "2022-02-07 19:55:00.116 +09:00",
    "Computer": "DESKTOP-A8CALR3",
    "Channel": "MS-Win-Storage-Storport/Op",
    "EventID": 534,
    "Level": "med",
    "RecordID": 9,
    "RuleTitle": "Possible Hidden Shellcode",
    "Details": "%Data%",
    "ExtraFieldInfo": {
        "AdapterGuid": "00203450-8804-11EC-89AC-806E6F6E6963",
        "BootDevice": true,
        "ClassDeviceGuid": "D31F4BA4-F40B-5B89-0350-DD659A494BC2",
        "DataLength": 176,
        "Description": "Finished I/O with error",
        "Id": 52,
        "LUN": 0,
        "MiniportName": "storahci",
        "PathID": 0,
        "PortNumber": 0,
        "ProductId": "HARDDISK",
        "SerialNumber": "VB9b813559-ab2acdb0",
        "TargetID": 0,
        "VendorId": "VBOX"
    }
}
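Added illustration, not Hayabusa's own code or anything from the rule repository: a small Python model of how a rule's `details` template is filled from event fields, which reproduces the symptom above (a `%Data%` placeholder that no event field satisfies is passed through verbatim) and gives a rule author a check to run against sample events before committing a rule. It assumes the `%Field%` placeholder syntax visible in the output above, and the event used is constructed from the `ExtraFieldInfo` keys shown there.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Assumed placeholder syntax for a Hayabusa-style ``details`` template: %FieldName%
PLACEHOLDER = re.compile(r"%([A-Za-z0-9_]+)%")

# Constructed sample event, mirroring a subset of the ExtraFieldInfo in the report.
# Note that it has no "Data" field, which is what breaks the %Data% template.
SAMPLE_EVENT: Dict[str, object] = {
    "AdapterGuid": "00203450-8804-11EC-89AC-806E6F6E6963",
    "BootDevice": True,
    "DataLength": 176,
    "Description": "Finished I/O with error",
    "Id": 52,
    "MiniportName": "storahci",
}


def render_details(template: str, event: Dict[str, object]) -> Tuple[str, List[str]]:
    """Fill %Field% placeholders from the event.

    Returns (rendered text, names of placeholders that had no matching field).
    Unresolved placeholders are left verbatim, reproducing the "%Data%" symptom.
    """
    unresolved: List[str] = []

    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name in event:
            return str(event[name])
        unresolved.append(name)
        return match.group(0)

    return PLACEHOLDER.sub(substitute, template), unresolved


def unresolved_across_events(template: str, events: Iterable[Dict[str, object]]) -> List[str]:
    """Placeholders that resolve in none of the sampled events.

    A rule author can run this over real matches of a rule: any name returned
    is almost certainly a typo or a field the event source never emits.
    """
    names = set(PLACEHOLDER.findall(template))
    for event in events:
        names -= {n for n in names if n in event}
    return sorted(names)


if __name__ == "__main__":
    print(render_details("%Data%", SAMPLE_EVENT))             # ('%Data%', ['Data'])
    print(unresolved_across_events("%Data% %Id%", [SAMPLE_EVENT]))  # ['Data']
```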

YamatoSecurity commented 5 months ago

@fukusuket Thanks so much! Closed by https://github.com/Yamato-Security/hayabusa-rules/pull/599