oasis-open / cti-pattern-matcher

OASIS TC Open Repository: Match STIX content against STIX patterns
https://github.com/oasis-open/cti-pattern-matcher
BSD 3-Clause "New" or "Revised" License

[Question] `AND` between two `MATCH` fields won't return `MATCH` #65

Closed barvhaim closed 4 years ago

barvhaim commented 4 years ago

My pattern combines two matching patterns but returns no match. What am I missing?

~/barha/obs# stix2-matcher -p p -f o.json

NO MATCH:  [(windows-registry-key:key = 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' AND x-event:action = 'CreateKey')]

MATCH:  [(x-event:action = 'CreateKey')]

MATCH:  [(windows-registry-key:key = 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt')]

AND pattern:

"[(windows-registry-key:key = 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt' AND x-event:action = 'CreateKey')]"

pattern 1:

"[(windows-registry-key:key = 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt')]"

pattern 2:

"[(x-event:action = 'CreateKey')]"

using the following observed data -

{
    "id": "observed-data--107c9a2d-12e9-4599-8a0c-2021a88b472d",
    "type": "observed-data",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae3ee",
    "created": "2020-08-26T13:23:57.728Z",
    "modified": "2020-08-26T13:23:57.728Z",
    "objects": {
        "0": {
            "type": "windows-registry-key",
            "key": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt"
        },
        "1": {
            "type": "process",
            "name": "powershell.exe",
            "pid": 8816,
            "x_ecs_entity_id": "{747f3d96-6e04-5f45-9d00-000000003800}",
            "binary_ref": "3",
            "x_ecs_event_ref": "6"
        },
        "2": {
            "type": "process",
            "child_refs": [
                "1"
            ]
        },
        "3": {
            "type": "file",
            "name": "powershell.exe",
            "parent_directory_ref": "4"
        },
        "4": {
            "type": "directory",
            "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0"
        },
        "5": {
            "type": "x-ecs-host",
            "hostname": "MSEDGEWIN10",
            "os_name": "Windows 10 Enterprise Evaluation",
            "os_version": "10.0",
            "os_platform": "windows",
            "ip": [
                "fe80::c50d:519f:96a4:e108",
                "10.0.2.15"
            ],
            "name": "MSEDGEWIN10",
            "id": "747f3d96-68a7-43f1-8cbe-e8d6dadd0358",
            "mac": [
                "08:00:27:e6:e5:59"
            ],
            "architecture": "x86_64"
        },
        "6": {
            "type": "x-event",
            "code": 12,
            "provider": "Microsoft-Windows-Sysmon",
            "created": "2020-08-25T20:01:28.591Z",
            "kind": "event",
            "module": "sysmon",
            "action": "CreateKey"
        }
    },
    "first_observed": "2020-08-25T20:01:28.567Z",
    "last_observed": "2020-08-25T20:01:28.567Z",
    "number_observed": 1
}

clslgrnc commented 4 years ago

From the spec:

When matching an Observation against an Observation Expression, all Comparison Expressions contained within the Observation Expression MUST start matching against the same SCO in the Observation. That is, when resolving object paths of each Comparison Expression, the <object-type>:<property-path> MUST start from the same SCO. Different SCOs may ultimately be used in matching, but they MUST be referenced from the same, single SCO.

For example, the following observed data does not match this example observation clause because although these IP addresses are both part of the same observed-data object, there is not a single network-traffic SCO that references each IP address, and therefore does not satisfy the condition in the preceding paragraph:

[ network-traffic:src_ref.value = '203.0.113.10' AND network-traffic:dst_ref.value = '198.51.100.58' ]
{
  "type": "observed-data",
  "id": "observed-data--0960319a-3cab-4258-a143-4dbb25525bb1",
  "first_observed": "2019-10-20T00:12:01.000000Z",
  "last_observed": "2019-10-20T00:51:02.000000Z",
  "number_observed": 1,
  "objects": {
    "0": {
        "type": "network-traffic",
        "src_ref": "1"
    },
    "1": {
        "type": "ipv4-addr",
        "value": "203.0.113.10"
    },
    "2": {
        "type": "network-traffic",
        "dst_ref": "3"
    },
    "3": {
        "type": "ipv4-addr",
        "value": "198.51.100.58"
    }
  }
}

An Observation Expression MAY contain Comparison Expressions with Object Paths that start with different object types, but such Comparison Expressions MUST be joined by OR. The Comparison Expressions of an Observation Expression that use AND MUST use the same base Object Path.

Your combined pattern is not a valid STIX pattern, since you use AND on different object types. Moreover, your SDO is not a valid observed-data since, if I am not mistaken, the first SCO, "0", is not linked to the others:

Multiple objects not related to each other via cyber observable Relationships MUST NOT be contained within the same Observed Data instance.

Ideally you want to start from a single SCO and walk to the property of interest:

process:x_ecs_event_ref.action = 'CreateKey'

And find another path from process to windows-registry-key (or you can try starting from somewhere else).
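To make the rule from the reply concrete, here is a small, self-contained evaluator written for this page; it is not the project's stix2-matcher and supports only `[( a:b = 'x' AND c:d = 'y' )]` style equality groups. It applies the two spec requirements quoted above: every comparison in an AND group must use the same base object type, and the whole group is evaluated from one starting SCO, stepping through `*_ref` properties to reach other SCOs. The two observed-data objects embedded below are trimmed copies of the issue's data and the spec's network-traffic example, and `evaluate` is an illustrative function name, not an API of the project.

```python
import re

# Constructed sample: the issue's observed-data, trimmed to the SCOs the
# patterns touch, with the same keys and reference properties.
ISSUE_OBSERVED_DATA = {
    "type": "observed-data",
    "id": "observed-data--107c9a2d-12e9-4599-8a0c-2021a88b472d",
    "objects": {
        "0": {"type": "windows-registry-key",
              "key": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt"},
        "1": {"type": "process", "name": "powershell.exe", "pid": 8816,
              "binary_ref": "3", "x_ecs_event_ref": "6"},
        "3": {"type": "file", "name": "powershell.exe"},
        "6": {"type": "x-event", "provider": "Microsoft-Windows-Sysmon",
              "action": "CreateKey"},
    },
}

# Constructed sample: the spec's counter-example, where each network-traffic
# SCO references only one of the two IP addresses.
SPEC_OBSERVED_DATA = {
    "type": "observed-data",
    "objects": {
        "0": {"type": "network-traffic", "src_ref": "1"},
        "1": {"type": "ipv4-addr", "value": "203.0.113.10"},
        "2": {"type": "network-traffic", "dst_ref": "3"},
        "3": {"type": "ipv4-addr", "value": "198.51.100.58"},
    },
}

# One equality comparison:  <object-type>:<property-path> = '<string literal>'
COMPARISON_RE = re.compile(r"^([\w-]+):([\w.-]+)\s*=\s*'((?:[^'\\]|\\.)*)'$")


def parse_comparison(text):
    """Split one comparison into (object type, path segments, literal value)."""
    m = COMPARISON_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported comparison: %r" % text)
    obj_type, path, literal = m.groups()
    # STIX string constants escape backslash and single quote with a backslash.
    literal = literal.replace("\\\\", "\\").replace("\\'", "'")
    return obj_type, path.split("."), literal


def parse_and_group(text):
    """Parse "[( c1 AND c2 ... )]" into a list of parsed comparisons."""
    inner = text.strip().strip("[]").strip().strip("()").strip()
    return [parse_comparison(c) for c in re.split(r"\s+AND\s+", inner)]


def resolve_path(objects, start_key, path):
    """Walk a property path from one SCO, dereferencing *_ref properties into
    other SCOs of the same observed-data. Returns None if the path is absent."""
    current = objects[start_key]
    for i, prop in enumerate(path):
        if prop not in current:
            return None
        value = current[prop]
        if i == len(path) - 1:
            return value
        if not prop.endswith("_ref") or value not in objects:
            return None  # only single-valued references are stepped through here
        current = objects[value]
    return None


def base_types(comparisons):
    """Set of object types the comparisons start from (must be exactly one)."""
    return {obj_type for obj_type, _, _ in comparisons}


def matching_scos(observed_data, comparisons):
    """Keys of the SCOs from which every comparison resolves to its literal.
    The group is tried once per candidate start object, never mixed across SCOs."""
    objects = observed_data["objects"]
    return [key for key, sco in objects.items()
            if all(sco["type"] == t and resolve_path(objects, key, p) == v
                   for t, p, v in comparisons)]


def evaluate(observed_data, pattern):
    """Return (pattern_valid, matching SCO keys). Mixed base types are rejected
    before matching, which is why the issue's AND pattern can never match."""
    comps = parse_and_group(pattern)
    if len(base_types(comps)) != 1:
        return False, []
    return True, matching_scos(observed_data, comps)


if __name__ == "__main__":
    for p in [
        r"[(windows-registry-key:key = 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt' AND x-event:action = 'CreateKey')]",
        r"[(windows-registry-key:key = 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt')]",
        r"[(process:x_ecs_event_ref.action = 'CreateKey' AND process:name = 'powershell.exe')]",
    ]:
        print(evaluate(ISSUE_OBSERVED_DATA, p), p)
    spec_pattern = "[ network-traffic:src_ref.value = '203.0.113.10' AND network-traffic:dst_ref.value = '198.51.100.58' ]"
    print(evaluate(SPEC_OBSERVED_DATA, spec_pattern), spec_pattern)
```

Running it shows the three outcomes the thread distinguishes: the mixed-type AND group is rejected as invalid, each single-type pattern matches at its own SCO, and `process:x_ecs_event_ref.action = 'CreateKey'` matches at process "1" because the `_ref` walk reaches the event from that one starting object. The spec's network-traffic pattern is valid (same base type) yet matches nothing, since no single SCO references both addresses.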