theflakes / sigma_to_wazuh

Convert Sigma rules to Wazuh rules
MIT License
57 stars 14 forks source link

Problem with " #15

Closed n0rthl1ght closed 1 year ago

n0rthl1ght commented 2 years ago

Have this rule.

<rule id="903166" level="13">
        <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml</info>
        <!--Sigma Rule Author: Timur Zinniatullin, oscd.community-->
        <!--Description: Detects Obfuscated Powershell via VAR++ LAUNCHER-->
        <!--Date: 2020/10/13-->
        <!--Status: experimental-->
        <!--ID: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6-->
        <mitre>
            <id>attack.defense_evasion</id>
            <id>attack.t1027</id>
            <id>attack.execution</id>
            <id>attack.t1059.001</id>
        </mitre>
        <description>Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION</description>
        <options>no_full_log</options>
        <group>windows,ps_module,</group>
        <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
        <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\(\?i\)\..+\&amp;\&amp;set\..+\(\\\{\\d\\\}\)\{2,\}\\\\\\"\\s\+\?\\\-f\..+\&amp;\&amp;\..+cmd\..+\\/c</field>
    </rule>

After testing get:

image

I think error with validating xml connects with it

n0rthl1ght commented 2 years ago

https://regexr.com/ found this one. Pasted the code and got error image

theflakes commented 2 years ago

This should be fixed. Problem was Sigma regex logic being escaped instead of left alone.