search

Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU Affero General Public License v3.0
2.26k stars 200 forks source link

Bug: `windash` not working when there is a * wildcard #1327

Closed YamatoSecurity closed 6 months ago

YamatoSecurity commented 6 months ago

@hitenkoku Sorry I didn't notice this yesterday.

If I use the following sigma rule, I do not get a match:

title: File Enumeration Via Dir Command
id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006
status: test
description: |
    Detects usage of the "dir" command part of Widows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
author: frack113
date: 2021/12/13
modified: 2024/03/06
tags:
    - attack.discovery
    - attack.t1217
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|windash: 'dir*-s'
    condition: selection
falsepositives:
    - Likely
level: low

However, if I do not use windash and turn - into /, I do get a match:

title: File Enumeration Via Dir Command
id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006
status: test
description: |
    Detects usage of the "dir" command part of Widows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
author: frack113
date: 2021/12/13
modified: 2024/03/06
tags:
    - attack.discovery
    - attack.t1217
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'dir*/s'
    condition: all of selection*
falsepositives:
    - Likely
level: low

I think I should be able to detect this in the first rule with windash though.

I am testing like this: ./target/release/hayabusa csv-timeline -f ../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx -r ~/Desktop/test.yml -w -p verbose

YamatoSecurity commented 6 months ago

I think this is a separate issue, but when I use this test rule:

title: File Enumeration Via Dir Command
id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006
status: test
description: |
    Detects usage of the "dir" command part of Widows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
author: frack113
date: 2021/12/13
modified: 2024/03/06
tags:
    - attack.discovery
    - attack.t1217
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'dir*/s'
    condition: all of selection*
falsepositives:
    - Likely
level: low

I get the following result:

2021-08-08 08:33:15.303 +09:00 · File Enumeration Via Dir Command · low · MSEDGEWIN10 · Sysmon · 1 · Disc · T1217 ·  · 557006 · Cmdline: cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM \system32\AppHostRegistrationVerifier.exe ¦ Proc: C:\Windows\System32\cmd.exe ¦ User: MSEDGEWIN10\IEUser ¦ ParentCmdline: ? ¦ LID: 0x7a857 ¦ LGUID: 747F3D96-1231-610F-0000-002057A80700 ¦ PID: 11324 ¦ PGUID: 747F3D96-183B-610F-0000-0010DC6CD400 ¦ ParentPID: 1108 ¦ ParentPGUID: 00000000-0000-0000-0000-000000000000 ¦ Description: Windows Command Processor ¦ Product: Microsoft® Windows® Operating System ¦ Company: Microsoft Corporation ¦ Hashes: SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 · CurrentDirectory: C:\Windows\system32\ ¦ FileVersion: 10.0.17763.592 (WinBuild.160101.0800) ¦ IntegrityLevel: Medium ¦ OriginalFileName: Cmd.Exe ¦ RuleName:  ¦ TerminalSessionId: 1 ¦ UtcTime: 2021-08-07 23:33:15.285 · test.yml · ../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx

It seems that it is matching on dir in windir and \s from cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM \system32\AppHostRegistrationVerifier.exe

But shouldn't this not match because \s != /s ?

hitenkoku commented 6 months ago

@YamatoSecurity Thanks for your issue. I will check it.

YamatoSecurity commented 6 months ago

But shouldn't this not match because \s != /s ?

Now that I think of it, it may be intentional that we are treating them the same because it is possible to use both forward and backward slashes in paths to prevent signature bypass. Please forget about this one