Closed frack113 closed 2 years ago
Thanks, you're right! A push is on the way. The typo was in the template and in the code.
In the same way I get many FP.
I'm sorry, I didn't understand? You have many FP?
Hi,
Sorry, my test logs are on the other computer.
In the rule `TargetFilename|contains: '.vhd'`
but I get alerts for '.tmp'.
Will post an example tomorrow.
👍🏻
Windows 10, Sysmon 13.30

```json
[
  {
    "Rule level":"medium",
    "title":"Suspicious VHD Image Download From Browser",
    "sigma_yml":"file_event_mal_vhd_download.yml",
    "description":"Malware can use mountable Virtual Hard Disk .vhd file to encapsulate payloads and evade security controls",
    "row_id":2066,
    "Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    "ProcessGuid":"F3880333-BF83-6114-2506-000000002C00",
    "ProcessId":2420,
    "RuleName":"Downloads",
    "UtcTime":"2021-08-12 06:29:27.820",
    "Channel":"Microsoft-Windows-Sysmon/Operational",
    "Computer":"DESKTOP-SE2J842",
    "EventID":11,
    "EventRecordID":70514,
    "ThreadID":4020,
    "Keywords":"0x8000000000000000",
    "Level":4,
    "Opcode":0,
    "Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "Name":"Microsoft-Windows-Sysmon",
    "UserID":"S-1-5-18",
    "Task":11,
    "SystemTime":"2021-08-12T06:29:27.834272Z",
    "Version":2,
    "CreationUtcTime":"2021-08-12 06:29:27.820",
    "TargetFileName":"C:\\Users\\Frack\\Downloads\\4f3b2fed-c8dd-47a8-bd5a-91eee4fb09b7.tmp"
  },
  {
    "Rule level":"medium",
    "title":"Suspicious VHD Image Download From Browser",
    "sigma_yml":"file_event_mal_vhd_download.yml",
    "description":"Malware can use mountable Virtual Hard Disk .vhd file to encapsulate payloads and evade security controls",
    "row_id":2073,
    "Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    "ProcessGuid":"F3880333-BFC8-6114-4706-000000002C00",
    "ProcessId":2420,
    "RuleName":"Downloads",
    "UtcTime":"2021-08-12 06:29:39.050",
    "Channel":"Microsoft-Windows-Sysmon/Operational",
    "Computer":"DESKTOP-SE2J842",
    "EventID":11,
    "EventRecordID":70521,
    "ThreadID":4020,
    "Keywords":"0x8000000000000000",
    "Level":4,
    "Opcode":0,
    "Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "Name":"Microsoft-Windows-Sysmon",
    "UserID":"S-1-5-18",
    "Task":11,
    "SystemTime":"2021-08-12T06:29:39.051711Z",
    "Version":2,
    "CreationUtcTime":"2021-08-12 06:29:27.820",
    "TargetFileName":"C:\\Users\\Frack\\Downloads\\LittleCorporal.exe:Zone.Identifier"
  }
]
```
Zircolite uses the SQLite backend of Sigma and applies SQL queries to a database, so the problem should be in this part.
After conversion with sigmac, your example rule gives this SQL query:
```sql
SELECT *
FROM logs
WHERE ( ( eventid = "11"
AND channel = "microsoft-windows-sysmon/operational" )
AND ( ( image LIKE "%chrome.exe" ESCAPE '\'
OR image LIKE "%firefox.exe" ESCAPE '\'
OR image LIKE "%microsoftedge.exe" ESCAPE '\'
OR image LIKE "%microsoftedgecp.exe" ESCAPE '\'
OR image LIKE "%msedge.exe" ESCAPE '\'
OR image LIKE "%iexplorer.exe" ESCAPE '\'
OR image LIKE "%brave.exe" ESCAPE '\'
OR image LIKE "%opera.exe" ESCAPE '\' )
OR targetfilename LIKE "%.vhd%" ESCAPE '\' ) )
```
I didn't check thoroughly, but it seems that there is an OR before the "vhd" condition. Which seems normal, since lists in Sigma are OR by default:

```yaml
selection:
  - Image|endswith:
      [...]
  - TargetFilename|contains:
```

Maybe I don't interpret the problem or your issue well enough?
BIG thanks for contributing.
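To make the OR/AND difference concrete, here is an added example (not Zircolite's code and not the rule author's) that loads the two Sysmon events posted above, plus two constructed ones, into an in-memory SQLite `logs` table and runs the query in the shape sigmac produced next to a variant with the operator changed to AND. The four-column table layout, the single-quoted string literals and the AND variant are my assumptions modelled on the query above, not Zircolite's real schema.

```python
import sqlite3

# Constructed sample events: the two Sysmon EventID 11 entries from this issue
# (chrome.exe writing a .tmp and a Zone.Identifier stream), plus two constructed
# ones: a browser writing a .vhd and a non-browser writing a .vhd.
# Column names are lowercased the way they appear in the converted query.
EVENTS = [
    {"eventid": "11", "channel": "microsoft-windows-sysmon/operational",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "targetfilename": r"C:\Users\Frack\Downloads\4f3b2fed-c8dd-47a8-bd5a-91eee4fb09b7.tmp"},
    {"eventid": "11", "channel": "microsoft-windows-sysmon/operational",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "targetfilename": r"C:\Users\Frack\Downloads\LittleCorporal.exe:Zone.Identifier"},
    {"eventid": "11", "channel": "microsoft-windows-sysmon/operational",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "targetfilename": r"C:\Users\Frack\Downloads\payload.vhd"},        # constructed
    {"eventid": "11", "channel": "microsoft-windows-sysmon/operational",
     "image": r"C:\Windows\explorer.exe",
     "targetfilename": r"C:\Users\Frack\Documents\backup.vhd"},         # constructed
]

# Browser list exactly as in the converted query; SQLite LIKE is
# case-insensitive for ASCII, so lower-cased patterns still match the paths.
BROWSER_CLAUSE = " OR ".join(
    f"image LIKE '%{exe}' ESCAPE '\\'"
    for exe in ("chrome.exe", "firefox.exe", "microsoftedge.exe", "microsoftedgecp.exe",
                "msedge.exe", "iexplorer.exe", "brave.exe", "opera.exe")
)


def _query(join_op):
    # Same WHERE shape as the sigmac output in this thread; only the operator
    # between the browser list and the TargetFilename condition differs.
    return f"""
        SELECT targetfilename FROM logs
        WHERE (eventid = '11' AND channel = 'microsoft-windows-sysmon/operational')
          AND (({BROWSER_CLAUSE}) {join_op} targetfilename LIKE '%.vhd%' ESCAPE '\\')
        ORDER BY rowid
    """


AS_WRITTEN = _query("OR")   # selection as a list of two maps: Sigma ORs the items
CORRECTED = _query("AND")   # both conditions required (assumed fix)


def run_rule(query, events=EVENTS):
    """Load events into an in-memory 'logs' table (a stand-in for Zircolite's
    SQLite backend) and return the targetfilename of every matching row."""
    con = sqlite3.connect(":memory:")
    try:
        con.execute(
            "CREATE TABLE logs (eventid TEXT, channel TEXT, image TEXT, targetfilename TEXT)")
        con.executemany(
            "INSERT INTO logs VALUES (:eventid, :channel, :image, :targetfilename)", events)
        return [row[0] for row in con.execute(query)]
    finally:
        con.close()


if __name__ == "__main__":
    for label, q in (("as written (OR)", AS_WRITTEN), ("corrected (AND)", CORRECTED)):
        print(label)
        for name in run_rule(q):
            print("  ", name)
```

With the OR form every browser file write fires, which is why the .tmp and Zone.Identifier events above alerted, and so does any non-browser write of a .vhd; with AND only the browser-written .vhd remains. Note that `contains: '.vhd'` also matches names such as `.vhdx`, so the corrected rule is still a substring check, not an extension check.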
My bad, it is my fault, it must be an AND. I make a correction ... get 3 correct file_event_mal_vhd_download.yml detections.
Hi, in MITRE it is "resource_development", not "ressource_development". Test with my VM: get "file_event_mal_vhd_download.yml" match 0 Ressource development.