google / timesketch

Collaborative forensic timeline analysis
Apache License 2.0

Sigma rules with whitespace at the beginning or end of the contains #2007

Closed jaegeral closed 2 years ago

jaegeral commented 2 years ago

Sigma rules with `CommandLine|contains: '-foobar '` are translated to something like `*foobar *`, which would be similar to `*foobar AND *`, which can have a different meaning.

jaegeral commented 2 years ago

To give more context:

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml

This rule currently translates to:

```text
(data_type:"windows:evtx:record" AND \*:( *mimikatz* OR *mimikatz.exe* OR *mimilib.dll* OR *<3 eo.oe* OR *eo.oe.kiwi* OR *privilege::debug* OR *sekurlsa::logonpasswords* OR *lsadump::sam* OR *mimidrv.sys* OR * p::d * OR * s::l * OR *gentilkiwi.com* OR *Kiwi Legit Printer*))
```

With the following results:

```text
*mimikatz*                                                  → works
*mimikatz* OR *mimikatz.exe*                                → works
*mimikatz* OR *mimikatz.exe* OR *mimilib.dll*               → works
*mimikatz* OR *mimikatz.exe* OR *mimilib.dll* OR *<3 eo.oe* → does not work
```

Whereas:

```text
*mimikatz* OR *mimikatz.exe* OR *mimilib.dll* OR *<3\ eo.oe*
```

would work.

jaegeral commented 2 years ago

So I tested a bit more:

```yaml
title: This rule is full of test edge cases
description: Various edge cases in a rule
references:
    - https://github.com/google/timesketch/issues/2007
author: Alexander Jaeger
date: 2021/12/03
modified: 2021/12/03
detection:
    keywords:
        - 'Whitespace at'
        - ' beginning '
        - ' and extra text '
    condition: keywords
falsepositives:
    - Unknown
level: high
```

Is translated to: `\*:(*Whitespace at* OR * beginning * OR * and extra text *)`, but should be: `("Whitespace at" OR " beginning " OR " and extra text ")`.

Whereas:

```yaml
logsource:
    product: windows
detection:
    keywords:
        - ' lorem '
    condition: keywords
```

Is translated to: `(data_type:"windows:evtx:record" AND " lorem ")`, which seems fine.

jaegeral commented 2 years ago

https://uncoder.io/ also gives two different results.

jaegeral commented 2 years ago

```yaml
detection:
    keywords:
        - ' lorem '
        - ' ipsum '
    condition: keywords
```

--> `\*:(* lorem * OR * ipsum *)`
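The two renderings compared in this thread (bare wildcards around a value that contains whitespace versus a quoted or backslash-escaped value), as an added illustration that is not Timesketch's `sigma_util` code. The `query_terms` helper is a small stand-in for the query-string parser's term splitting (an assumption, not the real Elasticsearch/OpenSearch parser) and exists only to show how many terms each rendering produces from the `' lorem '` / `' ipsum '` rule above:

```python
"""Added example: rendering Sigma keyword values that contain whitespace
into an Elasticsearch/OpenSearch query_string clause."""

# Query-string metacharacters that need a backslash inside a literal value.
# Whitespace is deliberately part of the set (that is the point of the issue).
# Sigma's own '*' and '?' wildcards are passed through so they still act as
# wildcards in the resulting query.
_SPECIALS = set('+-=&|!(){}[]^"~:\\/ \t')


def _escape(value):
    """Backslash-escape query-string metacharacters and whitespace."""
    return ''.join('\\' + c if c in _SPECIALS else c for c in value)


def naive_clause(keywords):
    """The translation this issue reports: each keyword is wrapped in bare
    wildcards, so whitespace inside the value becomes a term separator and
    '* lorem *' is parsed as three terms instead of one."""
    return '(' + ' OR '.join('*%s*' % k for k in keywords) + ')'


def escaped_clause(keywords):
    """Wildcard search that keeps whitespace inside the term by escaping it,
    the '*<3\\ eo.oe*' style shown earlier in the thread."""
    return '(' + ' OR '.join('*%s*' % _escape(k) for k in keywords) + ')'


def quoted_clause(keywords):
    """Phrase search: wrap each value in double quotes (escaping embedded
    quotes and backslashes). Whitespace is preserved, but no wildcard."""
    def quote(value):
        return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'
    return '(' + ' OR '.join(quote(k) for k in keywords) + ')'


def query_terms(clause):
    """Split a clause on unescaped, unquoted whitespace, mimicking how a
    query-string parser separates terms (simplified stand-in, not the real
    parser). Used to count how many terms each rendering really yields."""
    terms, cur, in_quote, i = [], '', False, 0
    while i < len(clause):
        c = clause[i]
        if c == '\\' and i + 1 < len(clause):
            cur += clause[i:i + 2]   # escaped char stays with its term
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c.isspace() and not in_quote:
            if cur:
                terms.append(cur)
                cur = ''
        else:
            cur += c
        i += 1
    if cur:
        terms.append(cur)
    return terms


# Constructed input, copied from the rule snippet posted in this thread.
KEYWORDS = [' lorem ', ' ipsum ']

if __name__ == '__main__':
    for name, fn in (('naive', naive_clause),
                     ('escaped', escaped_clause),
                     ('quoted', quoted_clause)):
        clause = fn(KEYWORDS)
        print('%-8s %-32s -> %d terms' % (name, clause, len(query_terms(clause))))
```

Running it shows the naive form expanding two keywords into seven terms (with stray `*` tokens between them), while the escaped and quoted forms stay at three terms: the two values plus the `OR`. Whether wildcard-plus-escaping or a plain phrase is the right target depends on whether the Sigma modifier (`contains` versus an exact keyword) needs substring matching.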

jaegeral commented 2 years ago

To debug that stuff:

Modify the file you want to edit and add:

```python
from nose.tools import set_trace

set_trace()
```

Go inside the docker container:

```shell
cd /usr/local/src/timesketch
nosetests timesketch/lib/sigma_util_test.py --pdb -s
```

jaegeral commented 2 years ago

The corresponding VT query is: https://www.virustotal.com/gui/search/sigma_rule%253A62e99f238afed27b43182594e90243db3ec17324c819a349f12ed55c015e5a71%2520have%253Aevtx%2520p%253A15%252B/files