Yamato-Security / hayabusa-rules

Curated Windows event log Sigma rules used in Hayabusa and Velociraptor.

regex directory removed #730

Closed sdaaish closed 1 month ago

sdaaish commented 1 month ago

The commit 80a1561a4e882c0559c50aa8941d5031bbec7ad3 deletes the rules\config\regex directory despite the fact that 2 other rules depend on the LOLBAS_paths.txt regex file.

 dir -r -file .\rules\ -filter *.yml|sls "rules.config.regex"

rules\hayabusa\builtin\Security\DetailedTracking\ProcessCreation\Sec_4688_Low_ProcExec_PossibleLOLBIN-Abuse.yml:21:            regexes: ./rules/config/regex/LOLBAS_paths.txt
rules\hayabusa\sysmon\Sysmon_1_ProcExec_High_LOLBAS-Rename.yml:21:            regexes: './rules/config/regex/LOLBAS_paths.txt'
rules\hayabusa\sysmon\Sysmon_1_ProcExec_High_LOLBAS-Rename.yml:24:            regexes: './rules/config/regex/LOLBAS_paths.txt'

This creates an error when running Hayabusa with the csv-timeline option.

[WARN] Failed to parse rule file. (FilePath : C:\Users\xxx\Downloads\217\rules\hayabusa\sysmon\Sysmon_1_ProcExec_High_LOLBAS-Rename.yml)
[WARN] Cannot open file. [file:./rules/config/regex/LOLBAS_paths.txt]
[WARN] Cannot open file. [file:./rules/config/regex/LOLBAS_paths.txt]

After unzipping Hayabusa, both with 2.16.1 and 2.17.0, the regex directory exists. After the rules-update, the regex dir is gone, causing an error message.

So maybe the LOLBAS_paths.txt should be added back until the 2 rules have been modified.

YamatoSecurity commented 1 month ago

Thanks for reporting this. I will update the rules so they do not use the external file reference anymore.
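The dangling-reference problem above is easy to catch before shipping a rule update. Below is an added example (not code from the hayabusa-rules project) that scans rule files for `regexes:` file references and reports any whose target does not exist; the sample rules are constructed to mirror the three references the issue lists, and the field names and layout around `regexes:` are assumed, since only the `regexes:` lines themselves are quoted in the issue.

```python
import os
import re
from typing import Callable

# A Hayabusa "regexes:" key whose value is a file path; the rules quoted in
# the issue write it both quoted and unquoted, so accept either form.
REGEXES_REF = re.compile(r"""^\s*regexes:\s*['"]?(?P<path>[^'"\s]+)['"]?\s*$""")

def find_external_refs(rule_text: str) -> list[tuple[int, str]]:
    """Return (line_number, path) for every regexes: file reference in a rule."""
    refs = []
    for lineno, line in enumerate(rule_text.splitlines(), start=1):
        m = REGEXES_REF.match(line)
        if m:
            refs.append((lineno, m.group("path")))
    return refs

def check_rules(rules: dict[str, str], exists: Callable[[str], bool] = os.path.isfile) -> list[str]:
    """Report 'rule:line -> path' for each referenced file that cannot be found.
    Paths are tested as written, i.e. relative to Hayabusa's working directory."""
    missing = []
    for rule_path, text in rules.items():
        for lineno, ref in find_external_refs(text):
            if not exists(ref):
                missing.append(f"{rule_path}:{lineno} -> {ref}")
    return missing

def load_rules(root: str) -> dict[str, str]:
    """Read every .yml file under root into {path relative to root: text}."""
    rules = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".yml"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8") as fh:
                    rules[os.path.relpath(full, root)] = fh.read()
    return rules

# Constructed sample rules (not the real files) reproducing the three
# references the issue lists: one in the Security rule, two in the Sysmon rule.
SAMPLE_RULES = {
    "Sec_4688_Low_ProcExec_PossibleLOLBIN-Abuse.yml":
        "detection:\n    selection:\n        NewProcessName:\n"
        "            regexes: ./rules/config/regex/LOLBAS_paths.txt\n",
    "Sysmon_1_ProcExec_High_LOLBAS-Rename.yml":
        "detection:\n    selection:\n        OriginalFileName:\n"
        "            regexes: './rules/config/regex/LOLBAS_paths.txt'\n"
        "        Image:\n            regexes: './rules/config/regex/LOLBAS_paths.txt'\n",
}

if __name__ == "__main__":  # simulate the post-update tree with the regex dir gone
    for problem in check_rules(SAMPLE_RULES, exists=lambda p: False):
        print("[MISSING]", problem)
```

Against a real checkout, `check_rules(load_rules("./rules"))` run from the Hayabusa directory lists the same references the reporter found with `sls`, and returns an empty list once the rules no longer point at external files, as the maintainer intends.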