hitenkoku
commented
4 days ago The value modifier chain must not end with character set encoding modifiers (utf16, utf16le, utf16be and wide). The resulting values are internally represented as byte sequences instead of text strings and contain null characters which are usually difficult to handle in queries. Therefore the should be followed by an encoding modifier (base64, base64offset) Usually it doesn't makes sense to combine the re type modifier with any other modifier.
YamatoSecurity
Although not used in any rules yet, we would like to support the following modifiers for sigma support completeness:
utf16|base64offset|containsutf16be|base64offset|containsutf16le|base64offset|containswide|base64offset|containsProbably no need to support as
base64offsetis usually used instead ofbase64:utf16|base64|containsutf16be|base64|containsutf16le|base64|containswide|base64|containsExample:
Info: https://sigmahq.io/docs/basics/modifiers.html#wide
Prepends a byte order mark and encodes UTF16, (only used in combination with base64 modifiers)
Don't end with utf16, utf16le, utf16be or wide
The value modifier chain must not end with character set encoding modifiers (utf16, utf16le, utf16be and wide). The resulting values are internally represented as byte sequences instead of text strings and contain null characters which are usually difficult to handle in queries. Therefore the should be followed by an encoding modifier (base64, base64offset)
I think we should implement
utf16to check bothutf16beandutf16levariants.wideshould be an alias forutf16lein Windows.We should probably investigate if these encodings are being used inside base64 encoded payloads to begin with. If not, then it probably is not worth implementing.