Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU Affero General Public License v3.0

[bug] Rules with `4 backslashes` do not detect matching logs #897

Closed fukusuket closed 1 year ago

fukusuket commented 1 year ago

Describe the bug

The following rule with 4 backslashes is not detected correctly 🤔

Steps to Reproduce

  1. hayabusa.exe csv-timeline -d .\hayabusa-sample-evtx -o out.csv
  2. then check the results.

Expected behavior

A log containing 2 backslashes is detected by the above three rules.

Environment

Additional context

In a test with other performance branches, I found that the following logs in the hayabusa-sample-evtx repository were not detected.

< 2016-08-19 05:03:18.175 +09:00,IE10Win7,Sys,Service Control Manager,7045,high,Persis ¦ PrivEsc,T1543.003,car.2013-09-005,6252,Suspicious Service Installation,pH-T,2022/03/18,2022/11/14,experimental,Svc: yagfag ¦ Path: cmd.exe /c echo yagfag > \\.\pipe\yagfag ¦ Acct: LocalSystem ¦ StartType: demand start,win_system_susp_service_installation.yml,C:\tmp\hayabusa-sample-evtx\DeepBlueCLI\many-events-system.evtx,AccountName: LocalSystem ¦ ImagePath: cmd.exe /c echo yagfag > \\.\pipe\yagfag ¦ ServiceName: yagfag ¦ ServiceType: user mode service ¦ StartType: demand start
< 2016-09-20 06:12:10.677 +09:00,IE10Win7,Sys,Service Control Manager,7045,high,Persis ¦ PrivEsc,T1543.003,car.2013-09-005,8174,Suspicious Service Installation,pH-T,2022/03/18,2022/11/14,experimental,Svc: adsymn ¦ Path: cmd.exe /c echo adsymn > \\.\pipe\adsymn ¦ Acct: LocalSystem ¦ StartType: demand start,win_system_susp_service_installation.yml,C:\tmp\hayabusa-sample-evtx\DeepBlueCLI\many-events-system.evtx,AccountName: LocalSystem ¦ ImagePath: cmd.exe /c echo adsymn > \\.\pipe\adsymn ¦ ServiceName: adsymn ¦ ServiceType: user mode service ¦ StartType: demand start
< 2016-09-20 06:13:04.090 +09:00,IE10Win7,Sys,Service Control Manager,7045,high,Persis ¦ PrivEsc,T1543.003,car.2013-09-005,8179,Suspicious Service Installation,pH-T,2022/03/18,2022/11/14,experimental,Svc: hmoopk ¦ Path: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk ¦ Acct: LocalSystem ¦ StartType: demand start,win_system_susp_service_installation.yml,C:\tmp\hayabusa-sample-evtx\DeepBlueCLI\many-events-system.evtx,AccountName: LocalSystem ¦ ImagePath: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk ¦ ServiceName: hmoopk ¦ ServiceType: user mode service ¦ StartType: demand start
< 2016-09-21 01:35:58.162 +09:00,IE10Win7,Sys,Service Control Manager,7045,high,Persis ¦ PrivEsc,T1543.003,car.2013-09-005,8426,Suspicious Service Installation,pH-T,2022/03/18,2022/11/14,experimental,Svc: genusn ¦ Path: cmd.exe /c echo genusn > \\.\pipe\genusn ¦ Acct: LocalSystem ¦ StartType: demand start,win_system_susp_service_installation.yml,C:\tmp\hayabusa-sample-evtx\DeepBlueCLI\metasploit-psexec-powershell-target-system.evtx,AccountName: LocalSystem ¦ ImagePath: cmd.exe /c echo genusn > \\.\pipe\genusn ¦ ServiceName: genusn ¦ ServiceType: user mode service ¦ StartType: demand start
< 2016-09-21 12:41:13.070 +09:00,IE10Win7,Sys,Service Control Manager,7045,high,Persis ¦ PrivEsc,T1543.003,car.2013-09-005,8627,Suspicious Service Installation,pH-T,2022/03/18,2022/11/14,experimental,Svc: hgabms ¦ Path: cmd.exe /c echo hgabms > \\.\pipe\hgabms ¦ Acct: LocalSystem ¦ StartType: demand start,win_system_susp_service_installation.yml,C:\tmp\hayabusa-sample-evtx\DeepBlueCLI\metasploit-psexec-native-target-system.evtx,AccountName: LocalSystem ¦ ImagePath: cmd.exe /c echo hgabms > \\.\pipe\hgabms ¦ ServiceName: hgabms ¦ ServiceType: user mode service ¦ StartType: demand start
< 2019-05-12 21:52:43.702 +09:00,IEWIN7,Sys,Service Control Manager,7045,high,Persis ¦ PrivEsc,T1543.003,car.2013-09-005,10446,Suspicious Service Installation,pH-T,2022/03/18,2022/11/14,experimental,Svc: WinPwnage ¦ Path: %COMSPEC% /c ping -n 1 127.0.0.1 >nul && echo 'WinPwnage' > \\.\pipe\WinPwnagePipe ¦ Acct: LocalSystem ¦ StartType: demand start,win_system_susp_service_installation.yml,C:\tmp\hayabusa-sample-evtx\EVTX-ATTACK-SAMPLES\Privilege Escalation\System_7045_namedpipe_privesc.evtx,AccountName: LocalSystem ¦ ImagePath: %COMSPEC% /c ping -n 1 127.0.0.1 >nul && echo 'WinPwnage' > \\.\pipe\WinPwnagePipe ¦ ServiceName: WinPwnage ¦ ServiceType: user mode service ¦ StartType: demand start
< 2021-04-22 20:32:03.468 +09:00,fs03vuln.offsec.lan,Sec,Microsoft-Windows-Security-Auditing,4688,high,Exec ¦ LatMov,T1021.001,,436755,Hermetic Wiper TG Process Patterns,Florian Roth,2022/02/25,2022/09/09,experimental,CmdLine: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1 ¦ Path: C:\Windows\System32\cmd.exe ¦ PID: 0x168 ¦ User: FS03VULN$ ¦ LID: 0x3e4,proc_creation_win_mal_hermetic_wiper_activity.yml,C:\tmp\hayabusa-sample-evtx\EVTX-to-MITRE-Attack\TA0002-Execution\T1047-Windows Management Instrumentation\ID4688-5145-WMIexec execution via SMB.evtx,CommandLine: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1 ¦ NewProcessId: 0x168 ¦ NewProcessName: C:\Windows\System32\cmd.exe ¦ ProcessId: 0x5fc ¦ SubjectDomainName: OFFSEC ¦ SubjectLogonId: 0x3e4 ¦ SubjectUserName: FS03VULN$ ¦ SubjectUserSid: S-1-5-20 ¦ TokenElevationType: %%1936
< 2021-04-22 20:32:03.530 +09:00,fs03vuln.offsec.lan,Sec,Microsoft-Windows-Security-Auditing,4688,high,Exec ¦ LatMov,T1021.001,,436767,Hermetic Wiper TG Process Patterns,Florian Roth,2022/02/25,2022/09/09,experimental,CmdLine: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1 ¦ Path: C:\Windows\System32\cmd.exe ¦ PID: 0x980 ¦ User: FS03VULN$ ¦ LID: 0x3e4,proc_creation_win_mal_hermetic_wiper_activity.yml,C:\tmp\hayabusa-sample-evtx\EVTX-to-MITRE-Attack\TA0002-Execution\T1047-Windows Management Instrumentation\ID4688-5145-WMIexec execution via SMB.evtx,CommandLine: cmd.exe /Q /c cd  1> \\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1 ¦ NewProcessId: 0x980 ¦ NewProcessName: C:\Windows\System32\cmd.exe ¦ ProcessId: 0x5fc ¦ SubjectDomainName: OFFSEC ¦ SubjectLogonId: 0x3e4 ¦ SubjectUserName: FS03VULN$ ¦ SubjectUserSid: S-1-5-20 ¦ TokenElevationType: %%1936
< 2021-04-26 17:25:37.258 +09:00,srvdefender01.offsec.lan,Sec,Microsoft-Windows-Security-Auditing,4688,high,Exec ¦ LatMov,T1021.001,,463010,Hermetic Wiper TG Process Patterns,Florian Roth,2022/02/25,2022/09/09,experimental,CmdLine: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1 ¦ Path: C:\Windows\System32\cmd.exe ¦ PID: 0xd44 ¦ User: SRVDEFENDER01$ ¦ LID: 0x3e4,proc_creation_win_mal_hermetic_wiper_activity.yml,"C:\tmp\hayabusa-sample-evtx\EVTX-to-MITRE-Attack\EVTX_full_APT_attack_steps\ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx",CommandLine: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1 ¦ MandatoryLabel: S-1-16-12288 ¦ NewProcessId: 0xd44 ¦ NewProcessName: C:\Windows\System32\cmd.exe ¦ ParentProcessName: C:\Windows\System32\wbem\WmiPrvSE.exe ¦ ProcessId: 0xac8 ¦ SubjectDomainName: OFFSEC ¦ SubjectLogonId: 0x3e4 ¦ SubjectUserName: SRVDEFENDER01$ ¦ SubjectUserSid: S-1-5-20 ¦ TargetDomainName: OFFSEC ¦ TargetLogonId: 0x4da32af ¦ TargetUserName: admmig ¦ TargetUserSid: S-1-0-0 ¦ TokenElevationType: %%1936
< 2021-04-26 17:25:38.435 +09:00,srvdefender01.offsec.lan,Sec,Microsoft-Windows-Security-Auditing,4688,high,Exec ¦ LatMov,T1021.001,,463048,Hermetic Wiper TG Process Patterns,Florian Roth,2022/02/25,2022/09/09,experimental,CmdLine: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1 ¦ Path: C:\Windows\System32\cmd.exe ¦ PID: 0x1b98 ¦ User: SRVDEFENDER01$ ¦ LID: 0x3e4,proc_creation_win_mal_hermetic_wiper_activity.yml,"C:\tmp\hayabusa-sample-evtx\EVTX-to-MITRE-Attack\EVTX_full_APT_attack_steps\ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx",CommandLine: cmd.exe /Q /c cd  1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1 ¦ MandatoryLabel: S-1-16-12288 ¦ NewProcessId: 0x1b98 ¦ NewProcessName: C:\Windows\System32\cmd.exe ¦ ParentProcessName: C:\Windows\System32\wbem\WmiPrvSE.exe ¦ ProcessId: 0xac8 ¦ SubjectDomainName: OFFSEC ¦ SubjectLogonId: 0x3e4 ¦ SubjectUserName: SRVDEFENDER01$ ¦ SubjectUserSid: S-1-5-20 ¦ TargetDomainName: OFFSEC ¦ TargetLogonId: 0x4da32af ¦ TargetUserName: admmig ¦ TargetUserSid: S-1-0-0 ¦ TokenElevationType: %%1936
< 2021-12-13 21:55:45.250 +09:00,rootdc1.offsec.lan,Sys,Service Control Manager,7045,med,Persis ¦ PrivEsc,T1543.003,car.2013-09-005,1467331,Service Installation in Suspicious Folder,pH-T,2022/03/18,2022/10/12,experimental,Svc: BTOBTO ¦ Path: %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat ¦ Acct: LocalSystem ¦ StartType: demand start,win_system_susp_service_installation_folder.yml,C:\tmp\hayabusa-sample-evtx\EVTX-to-MITRE-Attack\TA0003-Persistence\T1543.003-Create or Modify System Process-Windows Service\ID7045-4697-SMBexec service registration.evtx,AccountName: LocalSystem ¦ ImagePath: %COMSPEC% /Q /c echo cd  ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat ¦ ServiceName: BTOBTO ¦ ServiceType: user mode service ¦ StartType: demand start

I've fixed this issue in the performance improvement branch, so I'm creating a separate PR.

fukusuket commented 1 year ago

win_system_susp_service_installation.yml

title: Suspicious Service Installation
ruletype: Sigma
author: pH-T
date: 2022/03/18
description: Detects suspicious service installation commands
detection:
    SELECTION_1:
        Channel: System
    SELECTION_2:
        Provider_Name: Service Control Manager
    SELECTION_3:
        EventID: 7045
    SELECTION_4:
        ImagePath:
        - '* -w hidden *'
        - '* -nop *'
        - '* -sta *'
        - '*\Users\Public\\*'
        - '*\Windows\Temp\\*'
        - '*\Perflogs\\*'
        - '*\\\\.\\pipe*'
        - '*\ADMIN$\\*'
        - '*C:\Temp\\*'
        - '*.downloadstring(*'
        - '*.downloadfile(*'
    SELECTION_5:
        ImagePath: '* -e*'
    SELECTION_6:
        ImagePath:
        - '* JAB*'
        - '* SUVYI*'
        - '* SQBFAFgA*'
        - '* aWV4I*'
        - '* IAB*'
        - '* PAA*'
        - '* aQBlAHgA*'
    SELECTION_7:
        ImagePath: C:\WINDOWS\TEMP\thor10-remote\thor64.exe*
    SELECTION_8:
        ImagePath: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\\*
    condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) and (SELECTION_4 or
        (SELECTION_5 and SELECTION_6))) and  not ((SELECTION_7) or (SELECTION_8)))
falsepositives:
- Unknown
id: 1d61f71d-59d2-479e-9562-4ff5f4ead16b
level: high
logsource:
    product: windows
    service: system
modified: 2022/11/14
status: experimental
tags:
- attack.persistence
- attack.privilege_escalation
- car.2013-09-005
- attack.t1543.003

Since this rule's `*\\\\.\\pipe*` part does not work correctly, the following 6 high-level logs are not detected:

< 2016-08-19 05:03:18.175 +09:00,IE10Win7,Sys,Service Control Manager,7045,high,Persis ¦ PrivEsc,T1543.003,car.2013-09-005,6252,Suspicious Service Installation,pH-T,2022/03/18,2022/11/14,experimental,Svc: yagfag ¦ Path: cmd.exe /c echo yagfag > \\.\pipe\yagfag ¦ Acct: LocalSystem ¦ StartType: demand start,win_system_susp_service_installation.yml,C:\tmp\hayabusa-sample-evtx\DeepBlueCLI\many-events-system.evtx,AccountName: LocalSystem ¦ ImagePath: cmd.exe /c echo yagfag > \\.\pipe\yagfag ¦ ServiceName: yagfag ¦ ServiceType: user mode service ¦ StartType: demand start
< 2016-09-20 06:12:10.677 +09:00,IE10Win7,Sys,Service Control Manager,7045,high,Persis ¦ PrivEsc,T1543.003,car.2013-09-005,8174,Suspicious Service Installation,pH-T,2022/03/18,2022/11/14,experimental,Svc: adsymn ¦ Path: cmd.exe /c echo adsymn > \\.\pipe\adsymn ¦ Acct: LocalSystem ¦ StartType: demand start,win_system_susp_service_installation.yml,C:\tmp\hayabusa-sample-evtx\DeepBlueCLI\many-events-system.evtx,AccountName: LocalSystem ¦ ImagePath: cmd.exe /c echo adsymn > \\.\pipe\adsymn ¦ ServiceName: adsymn ¦ ServiceType: user mode service ¦ StartType: demand start
< 2016-09-20 06:13:04.090 +09:00,IE10Win7,Sys,Service Control Manager,7045,high,Persis ¦ PrivEsc,T1543.003,car.2013-09-005,8179,Suspicious Service Installation,pH-T,2022/03/18,2022/11/14,experimental,Svc: hmoopk ¦ Path: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk ¦ Acct: LocalSystem ¦ StartType: demand start,win_system_susp_service_installation.yml,C:\tmp\hayabusa-sample-evtx\DeepBlueCLI\many-events-system.evtx,AccountName: LocalSystem ¦ ImagePath: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk ¦ ServiceName: hmoopk ¦ ServiceType: user mode service ¦ StartType: demand start
< 2016-09-21 01:35:58.162 +09:00,IE10Win7,Sys,Service Control Manager,7045,high,Persis ¦ PrivEsc,T1543.003,car.2013-09-005,8426,Suspicious Service Installation,pH-T,2022/03/18,2022/11/14,experimental,Svc: genusn ¦ Path: cmd.exe /c echo genusn > \\.\pipe\genusn ¦ Acct: LocalSystem ¦ StartType: demand start,win_system_susp_service_installation.yml,C:\tmp\hayabusa-sample-evtx\DeepBlueCLI\metasploit-psexec-powershell-target-system.evtx,AccountName: LocalSystem ¦ ImagePath: cmd.exe /c echo genusn > \\.\pipe\genusn ¦ ServiceName: genusn ¦ ServiceType: user mode service ¦ StartType: demand start
< 2016-09-21 12:41:13.070 +09:00,IE10Win7,Sys,Service Control Manager,7045,high,Persis ¦ PrivEsc,T1543.003,car.2013-09-005,8627,Suspicious Service Installation,pH-T,2022/03/18,2022/11/14,experimental,Svc: hgabms ¦ Path: cmd.exe /c echo hgabms > \\.\pipe\hgabms ¦ Acct: LocalSystem ¦ StartType: demand start,win_system_susp_service_installation.yml,C:\tmp\hayabusa-sample-evtx\DeepBlueCLI\metasploit-psexec-native-target-system.evtx,AccountName: LocalSystem ¦ ImagePath: cmd.exe /c echo hgabms > \\.\pipe\hgabms ¦ ServiceName: hgabms ¦ ServiceType: user mode service ¦ StartType: demand start
< 2019-05-12 21:52:43.702 +09:00,IEWIN7,Sys,Service Control Manager,7045,high,Persis ¦ PrivEsc,T1543.003,car.2013-09-005,10446,Suspicious Service Installation,pH-T,2022/03/18,2022/11/14,experimental,Svc: WinPwnage ¦ Path: %COMSPEC% /c ping -n 1 127.0.0.1 >nul && echo 'WinPwnage' > \\.\pipe\WinPwnagePipe ¦ Acct: LocalSystem ¦ StartType: demand start,win_system_susp_service_installation.yml,C:\tmp\hayabusa-sample-evtx\EVTX-ATTACK-SAMPLES\Privilege Escalation\System_7045_namedpipe_privesc.evtx,AccountName: LocalSystem ¦ ImagePath: %COMSPEC% /c ping -n 1 127.0.0.1 >nul && echo 'WinPwnage' > \\.\pipe\WinPwnagePipe ¦ ServiceName: WinPwnage ¦ ServiceType: user mode service ¦ StartType: demand start
fukusuket commented 1 year ago

win_system_susp_service_installation_folder.yml

title: Service Installation in Suspicious Folder
ruletype: Sigma
author: pH-T
date: 2022/03/18
description: Detects service installation in suspicious folder appdata
detection:
    SELECTION_1:
        Channel: System
    SELECTION_2:
        Provider_Name: Service Control Manager
    SELECTION_3:
        EventID: 7045
    SELECTION_4:
        ImagePath:
        - '*\AppData\\*'
        - '*\\\\127.0.0.1*'
        - '*\\\\localhost*'
    SELECTION_5:
        ServiceName: Zoom Sharing Service
    SELECTION_6:
        ImagePath: '"C:\Program Files\Common Files\Zoom\Support\CptService.exe*'
    condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and  not
        ((SELECTION_5 and SELECTION_6)))
falsepositives:
- Unknown
id: 5e993621-67d4-488a-b9ae-b420d08b96cb
level: medium
logsource:
    product: windows
    service: system
modified: 2022/10/12
status: experimental
tags:
- attack.persistence
- attack.privilege_escalation
- car.2013-09-005
- attack.t1543.003

Since this rule's `*\\\\127.0.0.1*` part does not work correctly, the following 1 medium-level log is not detected:

< 2021-12-13 21:55:45.250 +09:00,rootdc1.offsec.lan,Sys,Service Control Manager,7045,med,Persis ¦ PrivEsc,T1543.003,car.2013-09-005,1467331,Service Installation in Suspicious Folder,pH-T,2022/03/18,2022/10/12,experimental,Svc: BTOBTO ¦ Path: %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat ¦ Acct: LocalSystem ¦ StartType: demand start,win_system_susp_service_installation_folder.yml,C:\tmp\hayabusa-sample-evtx\EVTX-to-MITRE-Attack\TA0003-Persistence\T1543.003-Create or Modify System Process-Windows Service\ID7045-4697-SMBexec service registration.evtx,AccountName: LocalSystem ¦ ImagePath: %COMSPEC% /Q /c echo cd  ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat ¦ ServiceName: BTOBTO ¦ ServiceType: user mode service ¦ StartType: demand start
fukusuket commented 1 year ago

proc_creation_win_mal_hermetic_wiper_activity.yml

title: Hermetic Wiper TG Process Patterns
ruletype: Sigma
author: Florian Roth
date: 2022/02/25
description: Detects process execution patterns found in intrusions related to the
    Hermetic Wiper malware attacks against Ukraine in February 2022
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        Channel: Microsoft-Windows-Sysmon/Operational
    SELECTION_3:
        Image: '*\policydefinitions\postgresql.exe'
    SELECTION_4:
        CommandLine:
        - '*CSIDL_SYSTEM_DRIVE\temp\sys.tmp*'
        - '* 1> \\\\127.0.0.1\ADMIN$\__16*'
    SELECTION_5:
        CommandLine: '*powershell -c *'
    SELECTION_6:
        CommandLine: '*\comsvcs.dll MiniDump *'
    SELECTION_7:
        CommandLine: '*\winupd.log full*'
    condition: ((SELECTION_1 and SELECTION_2) and (SELECTION_3 or SELECTION_4 or (SELECTION_5
        and SELECTION_6 and SELECTION_7)))
falsepositives:
- Unknown
id: 2f974656-6d83-4059-bbdf-68ac5403422f
level: high
logsource:
    category: process_creation
    product: windows
modified: 2022/09/09
references:
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
status: experimental
tags:
- attack.execution
- attack.lateral_movement
- attack.t1021.001

Since this rule's `* 1> \\\\127.0.0.1\ADMIN$\__16*` part does not work correctly, the following 4 high-level logs were not detected:

< 2021-04-22 20:32:03.468 +09:00,fs03vuln.offsec.lan,Sec,Microsoft-Windows-Security-Auditing,4688,high,Exec ¦ LatMov,T1021.001,,436755,Hermetic Wiper TG Process Patterns,Florian Roth,2022/02/25,2022/09/09,experimental,CmdLine: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1 ¦ Path: C:\Windows\System32\cmd.exe ¦ PID: 0x168 ¦ User: FS03VULN$ ¦ LID: 0x3e4,proc_creation_win_mal_hermetic_wiper_activity.yml,C:\tmp\hayabusa-sample-evtx\EVTX-to-MITRE-Attack\TA0002-Execution\T1047-Windows Management Instrumentation\ID4688-5145-WMIexec execution via SMB.evtx,CommandLine: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1 ¦ NewProcessId: 0x168 ¦ NewProcessName: C:\Windows\System32\cmd.exe ¦ ProcessId: 0x5fc ¦ SubjectDomainName: OFFSEC ¦ SubjectLogonId: 0x3e4 ¦ SubjectUserName: FS03VULN$ ¦ SubjectUserSid: S-1-5-20 ¦ TokenElevationType: %%1936
< 2021-04-22 20:32:03.530 +09:00,fs03vuln.offsec.lan,Sec,Microsoft-Windows-Security-Auditing,4688,high,Exec ¦ LatMov,T1021.001,,436767,Hermetic Wiper TG Process Patterns,Florian Roth,2022/02/25,2022/09/09,experimental,CmdLine: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1 ¦ Path: C:\Windows\System32\cmd.exe ¦ PID: 0x980 ¦ User: FS03VULN$ ¦ LID: 0x3e4,proc_creation_win_mal_hermetic_wiper_activity.yml,C:\tmp\hayabusa-sample-evtx\EVTX-to-MITRE-Attack\TA0002-Execution\T1047-Windows Management Instrumentation\ID4688-5145-WMIexec execution via SMB.evtx,CommandLine: cmd.exe /Q /c cd  1> \\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1 ¦ NewProcessId: 0x980 ¦ NewProcessName: C:\Windows\System32\cmd.exe ¦ ProcessId: 0x5fc ¦ SubjectDomainName: OFFSEC ¦ SubjectLogonId: 0x3e4 ¦ SubjectUserName: FS03VULN$ ¦ SubjectUserSid: S-1-5-20 ¦ TokenElevationType: %%1936
< 2021-04-26 17:25:37.258 +09:00,srvdefender01.offsec.lan,Sec,Microsoft-Windows-Security-Auditing,4688,high,Exec ¦ LatMov,T1021.001,,463010,Hermetic Wiper TG Process Patterns,Florian Roth,2022/02/25,2022/09/09,experimental,CmdLine: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1 ¦ Path: C:\Windows\System32\cmd.exe ¦ PID: 0xd44 ¦ User: SRVDEFENDER01$ ¦ LID: 0x3e4,proc_creation_win_mal_hermetic_wiper_activity.yml,"C:\tmp\hayabusa-sample-evtx\EVTX-to-MITRE-Attack\EVTX_full_APT_attack_steps\ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx",CommandLine: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1 ¦ MandatoryLabel: S-1-16-12288 ¦ NewProcessId: 0xd44 ¦ NewProcessName: C:\Windows\System32\cmd.exe ¦ ParentProcessName: C:\Windows\System32\wbem\WmiPrvSE.exe ¦ ProcessId: 0xac8 ¦ SubjectDomainName: OFFSEC ¦ SubjectLogonId: 0x3e4 ¦ SubjectUserName: SRVDEFENDER01$ ¦ SubjectUserSid: S-1-5-20 ¦ TargetDomainName: OFFSEC ¦ TargetLogonId: 0x4da32af ¦ TargetUserName: admmig ¦ TargetUserSid: S-1-0-0 ¦ TokenElevationType: %%1936
< 2021-04-26 17:25:38.435 +09:00,srvdefender01.offsec.lan,Sec,Microsoft-Windows-Security-Auditing,4688,high,Exec ¦ LatMov,T1021.001,,463048,Hermetic Wiper TG Process Patterns,Florian Roth,2022/02/25,2022/09/09,experimental,CmdLine: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1 ¦ Path: C:\Windows\System32\cmd.exe ¦ PID: 0x1b98 ¦ User: SRVDEFENDER01$ ¦ LID: 0x3e4,proc_creation_win_mal_hermetic_wiper_activity.yml,"C:\tmp\hayabusa-sample-evtx\EVTX-to-MITRE-Attack\EVTX_full_APT_attack_steps\ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx",CommandLine: cmd.exe /Q /c cd  1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1 ¦ MandatoryLabel: S-1-16-12288 ¦ NewProcessId: 0x1b98 ¦ NewProcessName: C:\Windows\System32\cmd.exe ¦ ParentProcessName: C:\Windows\System32\wbem\WmiPrvSE.exe ¦ ProcessId: 0xac8 ¦ SubjectDomainName: OFFSEC ¦ SubjectLogonId: 0x3e4 ¦ SubjectUserName: SRVDEFENDER01$ ¦ SubjectUserSid: S-1-5-20 ¦ TargetDomainName: OFFSEC ¦ TargetLogonId: 0x4da32af ¦ TargetUserName: admmig ¦ TargetUserSid: S-1-0-0 ¦ TokenElevationType: %%1936
fukusuket commented 1 year ago

This line generates an escaped backslash string: https://github.com/Yamato-Security/hayabusa/blob/v2.1.0/src/detections/rule/matchers.rs#L525 This string is then used when compiling the regular expression, which seems to be the cause.

It seems to be the same situation as the repro code below.

use regex::Regex;

fn main() {
    // Actual behavior: escaping a pattern that already carries regex-escaped
    // backslashes doubles them again.
    let s = regex::escape(r"\\\\127.0.0.1"); // s is \\\\\\\\127\.0\.0\.1
    let r = Regex::new(&s).unwrap();
    assert!(!r.is_match(r"\\127.0.0.1")); // false: the regex now needs 4 literal backslashes

    // Expected behavior: use the already-escaped pattern as-is.
    let s = r"\\\\127.0.0.1";
    let r = Regex::new(s).unwrap();
    assert!(r.is_match(r"\\127.0.0.1")); // true: matches 2 literal backslashes
}
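The point of this thread is that a Sigma wildcard value must be regex-escaped exactly once: `\\\\` in the rule means two literal backslashes, and escaping that fragment a second time yields a regex that wants four. As an added example, not hayabusa's code and not the code at the linked matchers.rs line, the block below converts a Sigma wildcard into a regex source string and also matches it directly with a small glob matcher, so the outcome can be checked without the `regex` crate. It assumes the Sigma specification's escaping rules (`\\` = literal backslash, `\*` = literal asterisk, `\?` = literal question mark, a backslash before any other character is a plain backslash) and Sigma's case-insensitive string matching; the `regex_escape` helper reproduces the metacharacter set of `regex::escape`. The ImagePath and CommandLine samples in `main` are taken from the log lines quoted above.

```rust
// Added example (not hayabusa's code): Sigma wildcard -> regex source, plus a
// direct glob matcher with the same semantics, so the three patterns from this
// issue can be checked without compiling a regex.
//
// Assumed Sigma escaping rules (from the Sigma specification):
//   `\\` is one literal backslash, `\*` a literal asterisk, `\?` a literal
//   question mark; a bare `*` matches any run of characters, a bare `?` one
//   character; a backslash before any other character is a plain backslash.
// Matching is case-insensitive, as Sigma string matching is.

/// Escape regex metacharacters the way `regex::escape` does (same set), so the
/// double-escaping effect can be shown without the crate.
fn regex_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len() * 2);
    for c in s.chars() {
        if r"\.+*?()|[]{}^$#&-~".contains(c) {
            out.push('\\');
        }
        out.push(c);
    }
    out
}

#[derive(Debug, Clone, Copy, PartialEq)]
enum Tok {
    Lit(char), // literal character after Sigma unescaping
    Any,       // bare `*`
    One,       // bare `?`
}

/// Unescape a Sigma wildcard value into tokens.
fn tokenize(pattern: &str) -> Vec<Tok> {
    let mut toks = Vec::new();
    let mut it = pattern.chars().peekable();
    while let Some(c) = it.next() {
        match c {
            '\\' => {
                let next = it.peek().copied();
                match next {
                    // `\\`, `\*`, `\?`: the second character, taken literally
                    Some('\\') | Some('*') | Some('?') => {
                        it.next();
                        toks.push(Tok::Lit(next.unwrap()));
                    }
                    // lone backslash (e.g. `\Users`) is a plain backslash
                    _ => toks.push(Tok::Lit('\\')),
                }
            }
            '*' => toks.push(Tok::Any),
            '?' => toks.push(Tok::One),
            c => toks.push(Tok::Lit(c)),
        }
    }
    toks
}

/// Regex source for a Sigma wildcard. Every literal is regex-escaped exactly
/// once; running `regex_escape` over the result again doubles each backslash,
/// which is the failure mode reported in this issue.
fn sigma_wildcard_to_regex(pattern: &str) -> String {
    let mut re = String::from("(?i)^");
    for t in tokenize(pattern) {
        match t {
            Tok::Lit(c) => re.push_str(&regex_escape(&c.to_string())),
            Tok::Any => re.push_str(".*"),
            Tok::One => re.push('.'),
        }
    }
    re.push('$');
    re
}

/// Match `text` against the Sigma wildcard directly: a two-pointer glob that
/// backtracks to the most recent `*`, case-insensitively.
fn sigma_wildcard_matches(pattern: &str, text: &str) -> bool {
    let toks = tokenize(&pattern.to_lowercase());
    let chars: Vec<char> = text.to_lowercase().chars().collect();
    let (mut p, mut t) = (0usize, 0usize);
    let mut star: Option<(usize, usize)> = None; // (token after `*`, text position)
    while t < chars.len() {
        match toks.get(p) {
            Some(Tok::Any) => {
                star = Some((p + 1, t));
                p += 1;
            }
            Some(Tok::One) => {
                p += 1;
                t += 1;
            }
            Some(Tok::Lit(c)) if *c == chars[t] => {
                p += 1;
                t += 1;
            }
            _ => match star {
                Some((sp, st)) => {
                    p = sp;
                    t = st + 1;
                    star = Some((sp, st + 1));
                }
                None => return false,
            },
        }
    }
    while toks.get(p) == Some(&Tok::Any) {
        p += 1;
    }
    p == toks.len()
}

fn main() {
    // Constructed from the ImagePath / CommandLine values quoted in this issue.
    let cases = [
        (r"*\\\\.\\pipe*", r"cmd.exe /c echo yagfag > \\.\pipe\yagfag"),
        (r"*\\\\127.0.0.1*", r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat"),
        (r"* 1> \\\\127.0.0.1\ADMIN$\__16*", r"cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1"),
    ];
    for (pat, text) in cases {
        let re = sigma_wildcard_to_regex(pat);
        println!("{}\n  regex:          {}\n  double-escaped: {}\n  matches log:    {}",
                 pat, re, regex_escape(&re), sigma_wildcard_matches(pat, text));
    }
}
```

The `double-escaped` line printed for each pattern is what a second pass of `regex_escape` produces: every backslash in the already-correct regex is doubled, so `\\\\` (two literal backslashes) becomes a regex that only matches four, and none of the quoted service-installation or WMIexec command lines can match it.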