Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU Affero General Public License v3.0

[bug] Field name gets duplicated when the next field is named `Details` #1229

Closed YamatoSecurity closed 10 months ago

YamatoSecurity commented 10 months ago

Describe the bug: For Sysmon event ID 13 events, there is a field named Details that gets converted to a duplicate TgtObj (TargetObject). I am not sure if it is because the field name is Details or if there is some data inside TgtObj that is causing a parsing issue.

Steps to reproduce: ./target/release/hayabusa json-timeline -L -d ../hayabusa-sample-evtx -o new-json.jsonl -w -C -p super-verbose

Expected behavior: Here is an example of a JSON log:

{ "Timestamp": "2022-04-29 17:58:30.558 +09:00","Computer": "WIN","Channel": "Sysmon","EventID": 13,"Level": "med","RecordID": 159,"RuleTitle": "Reg Key Value Set (Sysmon Alert)","Details": {"EventType": "SetValue","PGUID": "668EA4EF-A8AD-626B-9601-000000001400","PID": 2760,"Proc": "C:\\Windows\\system32\\regsvr32.exe","Rule": "technique_id=T1543,technique_name=Service Creation","TgtObj": "Binary Data","TgtObj": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-113448046-927799223-410490820-1001\\\\Device\\HarddiskVolume4\\Windows\\System32\\regsvr32.exe"},"ExtraFieldInfo": {"User": "WIN\\Admin","UtcTime": "2022-04-29 08:58:30.550"} }

As you can see, there is "TgtObj": "Binary Data" but it should be "Details": "Binary Data".

Screenshots: Here is a screenshot of the original log: [screenshot omitted]

Environment (please complete the following information):

YamatoSecurity commented 10 months ago

@fukusuket This looks like a good bug you would be good at finding! =) @hitenkoku Is it ok if I assign @fukusuket to look at this since we don't have much time until the next release and I would like you to focus on the MITRE ATT&CK summary PR.

fukusuket commented 10 months ago

@YamatoSecurity @hitenkoku Thank you for the mention. Yes, I'd be happy to look into it :) First of all, I just looked into the cause! I confirmed that if I modify the details on the rule side as shown below, the output will be correct.

For example: Reg Key Value Set (Sysmon Alert)

Current rule's details

details: 'Rule: %RuleName% ¦ EventType: %EventType% ¦ TgtObj: %TargetObject%: %Details% ¦ Proc: %Image% ¦ PID: %ProcessId% ¦ PGUID: %ProcessGuid%'
{
    "Timestamp": "2019-05-15 13:18:40.474 +09:00",
    "Computer": "IEWIN7",
    "Channel": "Sysmon",
    "EventID": 13,
    "Level": "med",
    "RecordID": 17915,
    "RuleTitle": "Reg Key Value Set (Sysmon Alert)",
    "Details": {
        "EventType": "SetValue",
        "PGUID": "365ABB72-92DF-5CDB-0000-0010A15E1300",
        "PID": 3804,
        "Proc": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
        "Rule": "Defense Evasion - access to the VBA project object model in the Macro Settings changed",
        "TgtObj": "DWORD (0x00000001)",
        "TgtObj": "HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\AccessVBOM"
    },
    "ExtraFieldInfo": {
        "UtcTime": "2019-05-15 04:18:40.459"
    }
}

Fixed rule's details

details: 'Rule: %RuleName% ¦ EventType: %EventType% ¦ TgtObj: %TargetObject% ¦ Details: %Details% ¦ Proc: %Image% ¦ PID: %ProcessId% ¦ PGUID: %ProcessGuid%'
{
    "Timestamp": "2019-05-15 13:18:40.474 +09:00",
    "Computer": "IEWIN7",
    "Channel": "Sysmon",
    "EventID": 13,
    "Level": "med",
    "RecordID": 17915,
    "RuleTitle": "Reg Key Value Set (Sysmon Alert)",
    "Details": {
        "Details ": "DWORD (0x00000001)",
        "EventType": "SetValue",
        "PGUID": "365ABB72-92DF-5CDB-0000-0010A15E1300",
        "PID": 3804,
        "Proc": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
        "Rule": "Defense Evasion - access to the VBA project object model in the Macro Settings changed",
        "TgtObj": "HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\AccessVBOM"
    },
    "ExtraFieldInfo": {
        "UtcTime": "2019-05-15 04:18:40.459"
    }
}

Therefore, the split processing on the ¦ character in the rule's details seems to be the cause of this event 🤔 I think the code below is probably related to the split processing of ¦.

https://github.com/Yamato-Security/hayabusa/blob/d1ca42871853441139fe51029920253a8eb4a929/src/detections/message.rs#L294

https://github.com/Yamato-Security/hayabusa/blob/d1ca42871853441139fe51029920253a8eb4a929/src/detections/message.rs#L359-L371

fukusuket commented 10 months ago

@YamatoSecurity @hitenkoku I would like to discuss how to fix this issue 🙏 If I modify only the logic in https://github.com/Yamato-Security/hayabusa/issues/1229#issuecomment-1858755197 , the following JSON will be output. But isn't this an expected value ... ? (because Details and TargetObject are output in ExtraFieldInfo... 🤔)

{
    "Timestamp": "2019-03-18 05:18:05.086 +09:00",
    "Computer": "PC04.example.corp",
    "Channel": "Sysmon",
    "EventID": 13,
    "Level": "med",
    "RecordID": 5265,
    "RuleTitle": "ServiceDll Hijack",
    "Details": {
        "EventType": "SetValue",
        "PGUID": "365ABB72-AB70-5C8E-0000-0010DF1F0A00",
        "PID": 3700,
        "Proc": "C:\\Users\\IEUser\\Desktop\\RDPWrap-v1.6.2\\RDPWInst.exe",
        "TgtObj": "HKLM\\System\\CurrentControlSet\\services\\TermService\\Parameters\\ServiceDll: %%ProgramFiles%%\\RDP Wrapper\\rdpwrap.dll"
    },
    "ExtraFieldInfo": {
        "Details": "%%ProgramFiles%%\\RDP Wrapper\\rdpwrap.dll",
        "RuleName": "",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\services\\TermService\\Parameters\\ServiceDll",
        "UtcTime": "2019-03-17 20:18:05.086"
    }
}

Therefore, I thought of the following three ways to fix it.

  1. Modify only the logic in 1229#issuecomment-1858755197
    • In this case, after fix, you will get the above JSON output
  2. Modify details on hayabusa_rule side. There are only two things that need to be fixed:
  3. Modify not only the logic in 1229#issuecomment-1858755197 but also some other related processes.
    • In this case, it will likely take some time to fix it due to the following points:
      • Consideration of specifications (Fixed multiple parts of processing that assumes splitting of : and ¦)
      • The number of corrections is not in one place.

What do you think is the best way to fix it? It would be helpful if you could let me know if there is another method🙏
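The two templates quoted earlier (the current rule and the fixed rule) differ only in whether `%Details%` gets its own `Details:` segment. As an added illustration, not Hayabusa's own code, the script below assumes only the layout visible in these comments (segments separated by ` ¦ `, each written `Key: %Field%`): it lints a rule's details string for a segment that packs two fields into one key, and renders the template with first-`: `-wins splitting, which yields the fused TgtObj value seen in the ServiceDll output above for the old template and separate TgtObj/Details keys for the corrected one. The sample event is constructed from the values shown in this issue.

```python
import re

SEP = " ¦ "                                     # field separator used in rule details
PLACEHOLDER = re.compile(r"%([A-Za-z0-9_]+)%")  # %FieldName% substitution marker

# Templates quoted in this issue: the original (buggy) one and the corrected one.
BUGGY_DETAILS = ("Rule: %RuleName% ¦ EventType: %EventType% ¦ TgtObj: %TargetObject%: %Details%"
                 " ¦ Proc: %Image% ¦ PID: %ProcessId% ¦ PGUID: %ProcessGuid%")
FIXED_DETAILS = ("Rule: %RuleName% ¦ EventType: %EventType% ¦ TgtObj: %TargetObject% ¦ Details: %Details%"
                 " ¦ Proc: %Image% ¦ PID: %ProcessId% ¦ PGUID: %ProcessGuid%")

# Constructed Sysmon event ID 13 record, using the values shown in the issue.
SAMPLE_EVENT = {
    "RuleName": "Defense Evasion - access to the VBA project object model",
    "EventType": "SetValue",
    "TargetObject": "HKU\\S-1-5-21-3583694148-1414552638-2922671848-1000"
                    "\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\AccessVBOM",
    "Details": "DWORD (0x00000001)",
    "Image": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
    "ProcessId": "3804",
    "ProcessGuid": "365ABB72-92DF-5CDB-0000-0010A15E1300",
}

def parse_segments(details):
    """Split on ' ¦ ', then each segment on its FIRST ': ' -> (key, value_template)."""
    pairs = []
    for seg in details.split(SEP):
        key, sep, value = seg.partition(": ")
        pairs.append((key.strip(), value.strip()) if sep else ("", seg.strip()))
    return pairs

def lint_details(details):
    """Findings for a rule's details template; an empty list means it is clean."""
    findings, seen = [], set()
    for key, value in parse_segments(details):
        if not key:
            findings.append(f"segment without 'Key: ' prefix: {value!r}")
            continue
        if key in seen:
            findings.append(f"duplicate key {key!r}")
        seen.add(key)
        names = PLACEHOLDER.findall(value)
        if len(names) > 1 or ": " in value:   # the 'TgtObj: %A%: %B%' shape from this issue
            findings.append(f"{key}: value {value!r} packs several fields; "
                            "give each field its own 'Key: %Field%' segment")
    return findings

def render(details, event):
    """Build the Details object; first-': '-wins splitting keeps ':' inside values intact."""
    return {key: PLACEHOLDER.sub(lambda m: str(event.get(m.group(1), "")), value)
            for key, value in parse_segments(details)}
```

Running `lint_details` over the `details` of every rule file is a cheap pre-merge check for the same shape in other rules.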

YamatoSecurity commented 10 months ago

@fukusuket I'm very sorry! I just noticed your comments. Sorry for the misunderstanding, this is an issue 100% with the rules, not on Hayabusa's side, so I updated the rules here: https://github.com/Yamato-Security/hayabusa-rules/pull/557