Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU Affero General Public License v3.0

Support sigma V2 `|re` sub-modifiers #1396

Closed YamatoSecurity closed 2 months ago

YamatoSecurity commented 2 months ago

https://github.com/SigmaHQ/sigma-specification/blob/main/appendix/sigma-modifiers-appendix.md

I'd like to support the V2 re sub-modifiers before they start being used. Currently they are not in use but will probably be soon. Example:

```yaml
title: Potential Registry Reconnaissance Via PowerShell Script
id: 064060aa-09fb-4636-817f-020a32aa7e9e
detection:
    selection:
        # TODO: switch to |re|i: after sigma specification v2 is released
        ScriptBlockText|re: '(Get-Item|gci|Get-ChildItem).{1,64}-Path.{1,64}\\(currentcontrolset\\services|CurrentVersion\\Policies\\Explorer\\Run|CurrentVersion\\Run|CurrentVersion\\ShellServiceObjectDelayLoad|CurrentVersion\\Windows\winlogon)\\'
    condition: selection
```

- `|re|i:` (insensitive) to disable case-sensitive matching. (Note: the documentation says to enable it, but I think it is a typo.)
- `|re|m:` (multi line) to match across multiple lines. `^`/`$` match the start/end of a line.
- `|re|s:` (single line) so that dot (`.`) matches all characters, including the newline character.

@fukusuket Since you are our regular expressions master, do you want to do this? It is ok if it is not complete before HITCON.
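
As an added illustration (not hayabusa's own Rust code, and not from the issue above), here is a small Python model of the three sub-modifiers: the key parser, the mapping onto regex flags, and a constructed two-line `ScriptBlockText` that shows which flag each of `i`, `m` and `s` is needed for. The helper names and the flag mapping are assumptions made for this example.

```python
import re

# Sigma V2 `re` sub-modifiers mapped onto Python stdlib regex flags
# (assumed mapping for this illustration; hayabusa itself is Rust).
SUB_MODIFIER_FLAGS = {
    "i": re.IGNORECASE,  # case-insensitive matching
    "m": re.MULTILINE,   # ^ and $ match at the start/end of each line
    "s": re.DOTALL,      # . also matches the newline character
}


def parse_re_key(key):
    """Split 'ScriptBlockText|re|i|m' into (field, flags).
    Unknown sub-modifiers raise ValueError so a rule typo fails loudly
    instead of silently matching nothing."""
    field, *modifiers = key.split("|")
    if not modifiers or modifiers[0] != "re":
        raise ValueError(f"not a |re key: {key!r}")
    flags = 0
    for sub in modifiers[1:]:
        if sub not in SUB_MODIFIER_FLAGS:
            raise ValueError(f"unknown |re sub-modifier {sub!r} in {key!r}")
        flags |= SUB_MODIFIER_FLAGS[sub]
    return field, flags


def is_valid_re_key(key):
    try:
        parse_re_key(key)
    except ValueError:
        return False
    return True


def selection_matches(selection, event):
    """True when every '<field>|re...' entry finds a match in the event.
    Unanchored search is used, the usual Sigma regex semantics."""
    for key, pattern in selection.items():
        field, flags = parse_re_key(key)
        value = event.get(field)
        if value is None or re.search(pattern, value, flags) is None:
            return False
    return True


# Constructed sample event: two-line ScriptBlockText with mixed case.
SAMPLE_EVENT = {
    "ScriptBlockText": "Get-ChildItem -Path HKLM:\\SOFTWARE\\Microsoft"
    "\\Windows\\CurrentVersion\\Run\\\n$ignored = 1"
}
```

Against `SAMPLE_EVENT`, a lowercase pattern ending in `$` only matches with both `i` and `m`, and a pattern whose `.*` has to cross the newline only matches with `s`.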

fukusuket commented 2 months ago

@YamatoSecurity Thank you for the mention :) Yes, I would love to implement it! 💪