theflakes / sigma_to_wazuh

Convert Sigma rules to Wazuh rules
MIT License

Some Rules Duplicated #14

Closed n00bsteam closed 1 year ago

n00bsteam commented 2 years ago

Have some rules duplicated. Example:

    <rule id="113814" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_comsvcs_procdump.yml</info>
        <!--Sigma Rule Author: Modexp (idea)-->
        <!--Description: Detects process memory dump via comsvcs.dll and rundll32-->
        <!--Date: 2019/09/02-->
        <!--Status: test-->
        <!--ID: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c-->
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Process Dump via Comsvcs DLL</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_group>sysmon</if_group>
        <field name="win.eventdata.image" negate="no" type="pcre2">(?i)(?:\\rundll32\.exe)$</field>
    </rule>
    <rule id="113815" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_comsvcs_procdump.yml</info>
        <!--Sigma Rule Author: Modexp (idea)-->
        <!--Description: Detects process memory dump via comsvcs.dll and rundll32-->
        <!--Date: 2019/09/02-->
        <!--Status: test-->
        <!--ID: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c-->
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1218.011</id>
            <id>attack.credential_access</id>
            <id>attack.t1003.001</id>
        </mitre>
        <description>Process Dump via Comsvcs DLL</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_group>sysmon</if_group>
        <field name="win.eventdata.originalFileName" negate="no" type="pcre2">(?i)RUNDLL32\.EXE</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)comsvcs</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)MiniDump</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)full</field>
    </rule>
theflakes commented 2 years ago

yeah, this has to do with the logic conversion. I still have not figured it out. Problem is that Sigma can use more logic combinations than Wazuh; mostly problems are with OR logic.

theflakes commented 2 years ago

Here's the detection section of that Sigma rule:

    detection:
      rundll_image:
        Image|endswith: '\rundll32.exe'
      rundll_ofn:
        OriginalFileName: 'RUNDLL32.EXE'
      selection:
        CommandLine|contains|all:
          - 'comsvcs'
          - 'MiniDump'       #Matches MiniDump and MinidumpW
          - 'full'
      condition: (rundll_image or rundll_ofn) and selection

It should create two rules that contain the below from the Sigma rule:

    rundll_image and selection
    rundll_ofn and selection

Not sure how to fix this atm, will be working on it as I can.
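The expansion theflakes describes, as an added Python example that is not the sigma_to_wazuh project's own code: the condition is parsed into disjunctive normal form and each OR branch is emitted as its own rule carrying the fields of the ANDed selection. The Sigma-to-Wazuh field map and the pcre2 shapes are assumptions modelled on the rules quoted in this issue.

```python
import re
# Constructed from the thread's detection block (not the project's code); FIELD_MAP is an assumption.
DETECTION = {
    "rundll_image": {"Image|endswith": "\\rundll32.exe"},
    "rundll_ofn": {"OriginalFileName": "RUNDLL32.EXE"},
    "selection": {"CommandLine|contains|all": ["comsvcs", "MiniDump", "full"]},
}
CONDITION = "(rundll_image or rundll_ofn) and selection"
FIELD_MAP = {"Image": "win.eventdata.image", "CommandLine": "win.eventdata.commandLine",
             "OriginalFileName": "win.eventdata.originalFileName"}

def to_dnf(tokens):
    """Parse and/or/() into DNF: a list of AND-groups (tuples of selection names)."""
    def primary():
        tok = tokens.pop(0)
        if tok != "(":
            return [(tok,)]
        node, _ = expr(), tokens.pop(0)  # parenthesised expr, then drop ")"
        return node
    def term():  # "and" binds tighter than "or": distribute over every OR branch
        node = primary()
        while tokens and tokens[0] == "and":
            tokens.pop(0)
            rhs = primary()
            node = [l + r for l in node for r in rhs]
        return node
    def expr():
        node = term()
        while tokens and tokens[0] == "or":
            tokens.pop(0)
            node += term()
        return node
    return expr()

def wazuh_fields(selection):
    """Translate one Sigma selection into (wazuh_field, pcre2) pairs."""
    out = []
    for key, values in selection.items():
        name, *mods = key.split("|")
        pats = [re.escape(v) for v in (values if isinstance(values, list) else [values])]
        if "all" not in mods and len(pats) > 1:  # plain list = OR of the values
            pats = ["|".join(pats)]
        for pat in pats:
            out.append((FIELD_MAP[name], "(?i)" + (f"(?:{pat})$" if "endswith" in mods else pat)))
    return out

def convert(detection, condition):
    """One Wazuh rule (its <field> list) per AND-group, so each OR branch keeps selection."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    return [sum((wazuh_fields(detection[s]) for s in group), []) for group in to_dnf(tokens)]
```

`convert(DETECTION, CONDITION)` yields two field lists, one starting with the image match and one with the originalFileName match, both followed by the three commandLine matches.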

n00bsteam commented 2 years ago

Ok, then

        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)comsvcs</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)MiniDump</field>
        <field name="win.eventdata.commandLine" negate="no" type="pcre2">(?i)full</field>

must be in the first rule?

theflakes commented 1 year ago

I believe this is fixed, but the rule no longer exists.