Closed YamatoSecurity closed 10 months ago
@fukusuket This looks like a good bug you would be good at finding! =) @hitenkoku Is it ok if I assign @fukusuket to look at this since we don't have much time until the next release and I would like you to focus on the MITRE ATT&CK summary PR.
@YamatoSecurity @hitenkoku
Thank you for the mention. Yes, I'd be happy to look into it :) First of all, I just looked into the cause!
I confirmed that if I modify the `details` on the rule side as shown below, the output will be correct.

For example: Reg Key Value Set (Sysmon Alert)
`details`:

```yaml
details: 'Rule: %RuleName% ¦ EventType: %EventType% ¦ TgtObj: %TargetObject%: %Details% ¦ Proc: %Image% ¦ PID: %ProcessId% ¦ PGUID: %ProcessGuid%'
```

```json
{
    "Timestamp": "2019-05-15 13:18:40.474 +09:00",
    "Computer": "IEWIN7",
    "Channel": "Sysmon",
    "EventID": 13,
    "Level": "med",
    "RecordID": 17915,
    "RuleTitle": "Reg Key Value Set (Sysmon Alert)",
    "Details": {
        "EventType": "SetValue",
        "PGUID": "365ABB72-92DF-5CDB-0000-0010A15E1300",
        "PID": 3804,
        "Proc": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
        "Rule": "Defense Evasion - access to the VBA project object model in the Macro Settings changed",
        "TgtObj": "DWORD (0x00000001)",
        "TgtObj": "HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\AccessVBOM"
    },
    "ExtraFieldInfo": {
        "UtcTime": "2019-05-15 04:18:40.459"
    }
}
```
`details`:

```yaml
details: 'Rule: %RuleName% ¦ EventType: %EventType% ¦ TgtObj: %TargetObject% ¦ Details: %Details% ¦ Proc: %Image% ¦ PID: %ProcessId% ¦ PGUID: %ProcessGuid%'
```

```json
{
    "Timestamp": "2019-05-15 13:18:40.474 +09:00",
    "Computer": "IEWIN7",
    "Channel": "Sysmon",
    "EventID": 13,
    "Level": "med",
    "RecordID": 17915,
    "RuleTitle": "Reg Key Value Set (Sysmon Alert)",
    "Details": {
        "Details ": "DWORD (0x00000001)",
        "EventType": "SetValue",
        "PGUID": "365ABB72-92DF-5CDB-0000-0010A15E1300",
        "PID": 3804,
        "Proc": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
        "Rule": "Defense Evasion - access to the VBA project object model in the Macro Settings changed",
        "TgtObj": "HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\AccessVBOM"
    },
    "ExtraFieldInfo": {
        "UtcTime": "2019-05-15 04:18:40.459"
    }
}
```
Therefore, split processing with the `¦` character in the rule's `details` seems to be the cause of this event🤔
I think the code below is probably related to the split processing of `¦`.
@YamatoSecurity @hitenkoku
I would like to discuss how to fix this issue🙏
If I modify only the logic in https://github.com/Yamato-Security/hayabusa/issues/1229#issuecomment-1858755197 , the following JSON will be output. But isn't this an expected value ... ? (because `Details` and `TargetObject` are output in `ExtraFieldInfo` ... 🤔)
```json
{
    "Timestamp": "2019-03-18 05:18:05.086 +09:00",
    "Computer": "PC04.example.corp",
    "Channel": "Sysmon",
    "EventID": 13,
    "Level": "med",
    "RecordID": 5265,
    "RuleTitle": "ServiceDll Hijack",
    "Details": {
        "EventType": "SetValue",
        "PGUID": "365ABB72-AB70-5C8E-0000-0010DF1F0A00",
        "PID": 3700,
        "Proc": "C:\\Users\\IEUser\\Desktop\\RDPWrap-v1.6.2\\RDPWInst.exe",
        "TgtObj": "HKLM\\System\\CurrentControlSet\\services\\TermService\\Parameters\\ServiceDll: %%ProgramFiles%%\\RDP Wrapper\\rdpwrap.dll"
    },
    "ExtraFieldInfo": {
        "Details": "%%ProgramFiles%%\\RDP Wrapper\\rdpwrap.dll",
        "RuleName": "",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\services\\TermService\\Parameters\\ServiceDll",
        "UtcTime": "2019-03-17 20:18:05.086"
    }
}
```
Therefore, I thought of the following three ways to fix it.

(`details` on the hayabusa_rule side. There are only two things that need to be fixed: `:` and `¦`)

What do you think is the best way to fix it? It would be helpful if you could let me know if there is another method🙏
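To make the `¦` / `:` split problem discussed above concrete, here is an added example (not Hayabusa's own code) that models the rendering of a rule's `details` string under an assumed, simplified model (split on `¦`, key before the first `:`, one key/value pair per `%Field%` placeholder) and adds a lint check that flags templates whose segments would emit the same key twice. The sample event values are constructed from the thread; `render_details`, `duplicate_keys` and the exact split model are assumptions, not the project's implementation.

```python
import re
from collections import Counter

# Matches %FieldName% placeholders in a rule's `details` template.
PLACEHOLDER = re.compile(r"%(\w+)%")

# Constructed sample event, values taken from the output shown in the issue.
SAMPLE_EVENT = {
    "RuleName": "Defense Evasion - access to the VBA project object model",
    "EventType": "SetValue",
    "TargetObject": r"HKU\S-1-5-21-3583694148-1414552638-2922671848-1000"
                    r"\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM",
    "Details": "DWORD (0x00000001)",
    "Image": r"C:\Windows\system32\wbem\wmiprvse.exe",
    "ProcessId": 3804,
    "ProcessGuid": "365ABB72-92DF-5CDB-0000-0010A15E1300",
}

# The two `details` templates from the thread: the one that duplicates TgtObj
# and the corrected one that gives Details its own key.
BROKEN = ("Rule: %RuleName% ¦ EventType: %EventType% ¦ TgtObj: %TargetObject%: %Details%"
          " ¦ Proc: %Image% ¦ PID: %ProcessId% ¦ PGUID: %ProcessGuid%")
FIXED = ("Rule: %RuleName% ¦ EventType: %EventType% ¦ TgtObj: %TargetObject% ¦ Details: %Details%"
         " ¦ Proc: %Image% ¦ PID: %ProcessId% ¦ PGUID: %ProcessGuid%")


def render_details(template, event):
    """Assumed model of the rendering (not Hayabusa's code): split on '¦',
    take the text before the first ':' as the key, and emit one key/value
    pair per %Field% placeholder found in the remainder of the segment."""
    pairs = []
    for segment in template.split("¦"):
        key, sep, rest = segment.strip().partition(":")
        if not sep:
            continue  # segment carries no key, nothing to emit
        for field in PLACEHOLDER.findall(rest):
            pairs.append((key.strip(), str(event.get(field, ""))))
    return pairs


def duplicate_keys(template):
    """Rule-lint check: output keys the template would emit more than once."""
    keys = [key for key, _ in render_details(template, {})]
    return sorted(key for key, n in Counter(keys).items() if n > 1)


if __name__ == "__main__":
    for name, tpl in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, duplicate_keys(tpl), render_details(tpl, SAMPLE_EVENT))
```

Running `duplicate_keys` over every rule's `details` string before a release would have surfaced this template without needing a sample `.evtx`.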
@fukusuket I'm very sorry! I just noticed your comments. Sorry for the misunderstanding, this is an issue 100% with the rules, not on Hayabusa's side so I updated the rules here: https://github.com/Yamato-Security/hayabusa-rules/pull/557
**Describe the bug**
For Sysmon event ID 13 events, there is a field named `Details` that gets converted to a duplicate `TgtObj` (`TargetObject`). I am not sure if it is because the field name is `Details` or if there is some data inside `TgtObj` that is causing a parsing issue.

**Step to Reproduce**

```sh
./target/release/hayabusa json-timeline -L -d ../hayabusa-sample-evtx -o new-json.jsonl -w -C -p super-verbose
```

**Expected behavior**
Here is an example of a JSON log:

As you can see, there is `"TgtObj": "Binary Data"` but it should be `"Details": "Binary Data"`.

**Screenshots**
Here is a screenshot of the original log:

**Environment (please complete the following information):**