Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU Affero General Public License v3.0
2.26k stars, 200 forks

Support `windash` pipe modifier #1319

Closed YamatoSecurity closed 6 months ago

YamatoSecurity commented 7 months ago

There are now 56 sigma rules that use the pipe modifier `|contains|windash`.

Example:

```yaml
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli_add:
        CommandLine|contains|windash: '-addstore'
    selection_cli_store:
        CommandLine|contains: 'root'
    condition: all of selection_*
```

From the sigma specification: "Add a new variant where all `-` occurrences are replaced with `/`. The original variant is also kept unchanged."

From my understanding, this should be the same as the following rule:

```yaml
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli_add:
        - CommandLine|contains: '-addstore'
        - CommandLine|contains: '/addstore'
    selection_cli_store:
        CommandLine|contains: 'root'
    condition: all of selection_*
```

where `CommandLine` has to contain the string `-addstore` OR `/addstore`.

@fukusuket Until we can support this in Hayabusa directly, do you think we can support this by updating the converter by adding the variant where `-` characters are replaced with `/`? This would also allow users with older versions of Hayabusa to use these rules.

If this is difficult to do, we could temporarily just delete the `|windash` portion and search for the original `-addstore` string. (Ex: `CommandLine|contains|windash: '-addstore'` -> `CommandLine|contains: '-addstore'`) It could be bypassed by an attacker changing `-` to `/`, but it is better to have these rules partially usable until we can fully support it.
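The expansion proposed above, as an added example that is not part of this issue, of Hayabusa, or of the sigma converter: it rewrites every `|windash` key into the same field without that modifier and a list of both spellings (in a sigma map, a list of values under one field is OR'd, so this is equivalent to the two-entry `selection_cli_add` list shown in the comment), then runs a small matcher over constructed process-creation events to show that the unexpanded rule misses the `/addstore` spelling while the expanded rule catches it. The detection block is held as a Python dict so the example needs no YAML parser; the matcher supports only the modifiers the example rule uses and only the `all of <glob>` condition form; `|all|windash`, which the thread defers to a separate issue, is deliberately refused rather than guessed at. All of this is assumed structure for illustration, not the converter's actual code.

```python
from fnmatch import fnmatch

# The example rule from the issue, as a dict instead of YAML (constructed for this example).
DETECTION = {
    "selection_img": [
        {"Image|endswith": "\\certutil.exe"},
        {"OriginalFileName": "CertUtil.exe"},
    ],
    "selection_cli_add": {"CommandLine|contains|windash": "-addstore"},
    "selection_cli_store": {"CommandLine|contains": "root"},
    "condition": "all of selection_*",
}

# Constructed process-creation events; not real log data.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil.exe -addstore root cert.cer"},
    {"Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil.exe /addstore root cert.cer"},
    {"Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil.exe /addstore my cert.cer"},
]


def windash_variants(value):
    """Spec text quoted in the issue: keep the original and add a copy with every '-' -> '/'."""
    variant = value.replace("-", "/")
    return [value] if variant == value else [value, variant]


def _expand_map(sel):
    """Expand the windash keys of one map (a map is an AND of its fields)."""
    out = {}
    for key, val in sel.items():
        mods = key.split("|")
        if "windash" not in mods:
            out[key] = val
            continue
        if "all" in mods:
            # |contains|all|windash is left to the separate issue mentioned in the thread.
            raise NotImplementedError(f"{key}: 'all' combined with 'windash' is not expanded here")
        values = val if isinstance(val, list) else [val]
        stripped = "|".join(m for m in mods if m != "windash")
        out[stripped] = [v for x in values for v in windash_variants(x)]  # list of values = OR
    return out


def expand_windash(detection):
    """Return a copy of the detection block with every |windash modifier replaced by explicit variants."""
    expanded = {}
    for name, sel in detection.items():
        if name == "condition":
            expanded[name] = sel
        elif isinstance(sel, list):  # list of maps = OR of maps
            expanded[name] = [_expand_map(m) for m in sel]
        else:
            expanded[name] = _expand_map(sel)
    return expanded


def _value_matches(field_value, mods, pattern):
    """Case-insensitive matching for the subset of modifiers the example rule uses."""
    fv, p = str(field_value).lower(), str(pattern).lower()
    if "contains" in mods:
        return p in fv
    if "endswith" in mods:
        return fv.endswith(p)
    if "startswith" in mods:
        return fv.startswith(p)
    return fv == p


def _map_matches(event, sel):
    for key, pat in sel.items():
        field, *mods = key.split("|")
        if field not in event:
            return False
        pats = pat if isinstance(pat, list) else [pat]
        if not any(_value_matches(event[field], mods, p) for p in pats):
            return False
    return True


def selection_matches(event, sel):
    if isinstance(sel, list):
        return any(_map_matches(event, m) for m in sel)
    return _map_matches(event, sel)


def rule_matches(event, detection):
    """Evaluate only the 'all of <glob>' condition form used by the rule in the issue."""
    cond = detection["condition"]
    if not cond.startswith("all of "):
        raise NotImplementedError(f"condition form not handled: {cond}")
    names = [n for n in detection if n != "condition" and fnmatch(n, cond[len("all of "):])]
    return all(selection_matches(event, detection[n]) for n in names)


if __name__ == "__main__":
    expanded = expand_windash(DETECTION)
    print("expanded selection_cli_add:", expanded["selection_cli_add"])
    for ev in EVENTS:
        print(f"{ev['CommandLine']!r}: original={rule_matches(ev, DETECTION)} expanded={rule_matches(ev, expanded)}")
```

The second event is the case the comment warns about: with `|windash` silently dropped, the `/addstore` spelling passes the rule, and only the expanded form (or native support in the engine) closes that gap.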

fukusuket commented 7 months ago

> @fukusuket Until we can support this in Hayabusa directly, do you think we can support this by updating the converter by adding the variant where `-` characters are replaced with `/`?

It seems possible, so I'll check it out!💪

YamatoSecurity commented 7 months ago

@hitenkoku Could I ask you to look into how to support the `|contains|windash` modifier in Hayabusa?

hitenkoku commented 6 months ago

@YamatoSecurity Sorry for the late reply. I will check it.

YamatoSecurity commented 6 months ago

@hitenkoku Thanks so much! No hurry so whenever you have free time is completely fine!

YamatoSecurity commented 6 months ago

Note: There are also rules that use a `|contains|all|windash` modifier. We can create a different issue for this.

Example: https://github.com/SigmaHQ/sigma/blob/8894f912b801682fd8feabff44459f6df5fa3e6b/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml#L2