siriussecurity / dettectinator

Dettectinator - The Python library to your DeTT&CT YAML files.
GNU General Public License v3.0
104 stars, 12 forks

Error when importing with TechniqueSigmaRules plugin #4

Closed · 0xFustang closed this 1 year ago

0xFustang commented 1 year ago

Hi,

I am experiencing an issue when I am trying to update an existing technique administration file using the plugin TechniqueSigmaRules. However, it works fine when I am generating a new administration file (dettect = DettectTechniquesAdministration()). The technique administration file is standard and was generated using DeTTECT.

Do you happen to have the same issue?

Code:

import json

# The original report omits its imports; these assume the layout shown in the
# dettectinator README (package module plus a plugins/ directory).
from dettectinator import DettectTechniquesAdministration
from plugins.technique_import import TechniqueSigmaRules

parameters = {}  # plugin parameters were not included in the report; placeholder

import_sigma = TechniqueSigmaRules(parameters)
techniques = import_sigma.get_attack_techniques(['Windows', 'all'])
print(json.dumps(techniques, indent=4))
# dettect = DettectTechniquesAdministration()  # creating a new file works
dettect = DettectTechniquesAdministration('test.yaml')  # updating an existing file fails
dettect.update_detections(techniques, False, False, '', False, False)
# dettect.save_yaml_file('hi.yaml')

Content of techniques:

{
    "Accesschk Usage To Check Privileges": {
        "applicable_to": [
            "Windows",
            "all"
        ],
        "location_prefix": "",
        "techniques": [
            "T1069.001"
        ]
    }
}

Error:

  File "/usr/local/lib/python3.10/site-packages/dettectinator/dettectinator.py", line 303, in update_detections
    warnings, results = self._add_rules(detection_rules, date_today)
  File "/usr/local/lib/python3.10/site-packages/dettectinator/dettectinator.py", line 329, in _add_rules
    applicable_to_list = [d['applicable_to'] for d in yaml_technique['detection']]
  File "/usr/local/lib/python3.10/site-packages/dettectinator/dettectinator.py", line 329, in <listcomp>
    applicable_to_list = [d['applicable_to'] for d in yaml_technique['detection']]
TypeError: string indices must be integers

rubinatorz commented 1 year ago

hi @AlphaCorvus

I tried to reproduce the error with your code, but on my side both creating a new file and updating a file work fine.

However, I am able to reproduce the error when consciously introducing a semantic error in the YAML. So I would advise you to check the existing test.yaml file for errors, especially checking that all techniques do have a detection object and that all detection objects do have one or more applicable_to objects. You can also use DeTT&CT to check the health of a YAML file:

$ python dettect.py d -ft test.yaml --health

It will then give you an overview of existing errors in the YAML file.

Please let me know if this tackles your problem.

0xFustang commented 1 year ago

Hi @rubinatorz,

Thanks for reviewing this issue. Actually, I am generating the techniques administration file with the DeTTECT command ds -fd /opt/DeTTECT/input/datasources_file.yaml --yaml --yaml-all-techniques. It appears that this YAML could be different from a YAML created by dettectinator. By any chance, do you observe the same?

As a workaround, I am considering creating my techniques admin file from dettectinator, then updating the visibility using the datasources file.

0xFustang commented 1 year ago

Quick update @rubinatorz,

Unfortunately, it didn't do the trick. I am unable to update a file created from DeTT&CT (--yaml --yaml-all-techniques) using dettectinator (admin file). I checked for semantic errors, and the health of the YAML is fine.

My workaround can be applied, but some visibility entries are missing where no detection is available for a given technique.

rubinatorz commented 1 year ago

Hi @AlphaCorvus

I just found the error and I'm trying to fix it. Within the next hour I expect a fix to be pushed. I'll let you know.

Cheers

rubinatorz commented 1 year ago

hi @AlphaCorvus

The thing was that DeTT&CT supports a detection object in the YAML file being either a list or a dict (just one entry). Dettectinator only supported detection objects being a list. I fixed it on both sides. In DeTT&CT, detection objects are now lists by default, so pulling the latest changes from the DeTT&CT repo and then generating your YAML file again will give you a proper YAML file with detection objects that are lists. I also fixed it in dettectinator: it now converts single-entry detection objects (dict) to a list. So you can also pull the latest version from the dettectinator repo.

Good luck!
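
The list-or-dict shape of the detection object described above, as an added example that is not dettectinator's or DeTT&CT's own code: the unsafe comprehension from the traceback iterates over the dict's keys (strings) and raises the reported TypeError, while normalising the object to a list first makes both shapes work. The sample techniques are constructed; field names follow the YAML excerpt in this thread.

```python
import copy

# Constructed sample techniques: the same entry in both shapes DeTT&CT could emit.
TECHNIQUE_LIST_FORM = {
    "technique_id": "T1069.001",
    "detection": [{"applicable_to": ["all"], "score_logbook": []}],
}
TECHNIQUE_DICT_FORM = {
    "technique_id": "T1069.001",
    "detection": {"applicable_to": ["all"], "score_logbook": []},
}


def applicable_to_unsafe(yaml_technique):
    """Original behaviour: assumes 'detection' is always a list of dicts.
    On the dict form this iterates the dict's keys (strings) and then indexes
    a string with 'applicable_to', which is the TypeError in the traceback."""
    return [d["applicable_to"] for d in yaml_technique["detection"]]


def normalise_detection(yaml_technique):
    """Return a copy in which 'detection' is always a list of dicts."""
    technique = copy.deepcopy(yaml_technique)
    detection = technique.get("detection")
    if detection is None:
        technique["detection"] = []          # no detection object yet
    elif isinstance(detection, dict):
        technique["detection"] = [detection]  # single-entry dict -> one-item list
    elif not isinstance(detection, list):
        raise TypeError(f"unexpected detection type: {type(detection).__name__}")
    return technique


def applicable_to_safe(yaml_technique):
    """Same comprehension as above, after normalising the detection object."""
    technique = normalise_detection(yaml_technique)
    return [d["applicable_to"] for d in technique["detection"]]


def reproduces_crash(yaml_technique):
    """True when the unsafe version raises the TypeError from the report."""
    try:
        applicable_to_unsafe(yaml_technique)
    except TypeError:
        return True
    return False
```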

0xFustang commented 1 year ago

Thank you so much @rubinatorz! - It runs smoothly, nice work! 👍