wagga40 / Zircolite

A standalone SIGMA-based detection tool for EVTX, Auditd and Sysmon for Linux logs

mapping hashes/hash to individual hashes #57

Closed wmetcalf closed 1 year ago

wmetcalf commented 1 year ago

Not sure if there is a more proper fix. I was looking at the 3cx sigma rules

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_malware_3cx_compromise_susp_dll.yml

which look either in the hashes field or for a hash in a field associated with the algo, i.e. sha256, md5, etc. The converted query causes Zircolite not to match because of the OR statement. This patch maps the individual hashes and allows these rules to fire.

index da24233..92bc36a 100755
--- a/zircolite.py
+++ b/zircolite.py
@@ -582,6 +582,22 @@ class JSONFlattener:
                             key = "".join(
                                 e for e in name[:-1].split(".")[-1] if e.isalnum()
                             )
+
+                        #Event 15 uses "Hash" instead of "Hashes". Hashing algo gets lower cased in rules
+                        if key == "Hashes" or key == "Hash":
+                            try:
+                                hashes = value.split(',')
+                                for fhash in hashes:
+                                    k,v = fhash.split('=')
+                                    kl = k.lower()
+                                    JSONLine[kl] = v
+                                    if kl not in self.keyDict:
+                                        self.keyDict[kl] = kl
+                                        fieldStmt += f"'{kl}' TEXT COLLATE NOCASE,\n"
+                            except Exception as e:
+                                self.logger.info(f"[+] Couldn't normalize out Hash list into individual hashes {e}")
+                                pass
+
                         JSONLine[key] = value
                         # Creating the CREATE TABLE SQL statement
                         if key.lower() not in self.keyDict:
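Review bot: In the `for fhash in hashes:` loop, `kl` comes from the log value and is appended to `fieldStmt` as a column name without the `isalnum()` filter that `key` gets a few lines above, so text from the log reaches the CREATE TABLE statement unfiltered; apply the same filter to `kl` before using it. `k,v = fhash.split('=')` also raises on a pair with no `=` or with more than one, and because the `try` wraps the whole loop the remaining pairs are dropped; `fhash.split('=', 1)` with a per-pair check would keep the valid ones. `JSONLine[kl] = v` silently overwrites an existing field of the same name, and the `pass` after the log call is redundant.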

python3 zircolite.py --evtx /opt/out//sysmon --debug --ruleset
[+] Cleaning unused objects
[+] Loading ruleset from : rules/rules_windows_sysmon_full.json
[+] Executing ruleset - 2083 rules
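An added example, not part of the original post or Zircolite's code: it shows one way an `OR` on a per-algorithm column can keep a converted rule from matching when the event only carries `Hashes`, and how splitting the field resolves it. It assumes the converted rule is a SQL query over a table with one column per flattened field (as the patch's `CREATE TABLE` comment indicates); the query text, function names and hash values are constructed for illustration.

```python
import sqlite3

# Constructed Sysmon-style event; the hash values are made up for this example.
SHA256 = "c" * 64
EVENT = {"EventID": "7", "ImageLoaded": "C:\\app\\sample.dll",
         "Hashes": f"SHA1={'a' * 40},MD5={'b' * 32},SHA256={SHA256}"}

# Hypothetical converted rule: combined field OR per-algorithm field.
QUERY = "SELECT COUNT(*) FROM logs WHERE Hashes LIKE ? OR sha256 = ?"


def split_hashes(value):
    """Parse 'ALGO=hex,ALGO=hex' into {algo_lowercase: hex}, skipping bad pairs."""
    out = {}
    for pair in str(value).split(","):
        algo, sep, digest = pair.strip().partition("=")
        algo = algo.lower()
        # isalnum() keeps log-derived text out of the column list unless it is
        # a plain identifier.
        if sep and digest and algo.isalnum():
            out[algo] = digest
    return out


def load(event, normalize):
    """Build an in-memory table with one column per field of the event."""
    row = dict(event)
    if normalize:
        for src in ("Hashes", "Hash"):
            for algo, digest in split_hashes(row.get(src, "")).items():
                row.setdefault(algo, digest)  # never clobber an existing field
    con = sqlite3.connect(":memory:")
    cols = ", ".join(f'"{c}" TEXT COLLATE NOCASE' for c in row)
    con.execute(f"CREATE TABLE logs ({cols})")
    marks = ", ".join("?" * len(row))
    con.execute(f"INSERT INTO logs VALUES ({marks})", list(row.values()))
    return con


def run_rule(con, digest):
    """Return (match_count, error); error is set when the query cannot run."""
    try:
        row = con.execute(QUERY, (f"%SHA256={digest}%", digest)).fetchone()
        return row[0], None
    except sqlite3.OperationalError as err:
        return None, str(err)


if __name__ == "__main__":
    print(run_rule(load(EVENT, normalize=False), SHA256))
    print(run_rule(load(EVENT, normalize=True), SHA256))
```

Without normalization the query fails on the missing `sha256` column even though the `Hashes` branch alone would have matched; with it, both branches can be evaluated.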

wagga40 commented 1 year ago

Hi, thanks. Sorry for the delay, I didn't have access to my computer.

Zircolite is supposed to be as much as possible agnostic to rules/format/... Your patch introduces a modification for 1 field; in my opinion it should be handled elsewhere. I can look into it to provide another solution. Can you provide the matching sample, even if it is only one event?

NB : about that

Event 15 uses "Hash" instead of "Hashes".

Zircolite has its own field mapping if you need it (here).

wagga40 commented 1 year ago

Implemented in : https://github.com/wagga40/Zircolite/commit/0dfaa7a171f923bc5bff4b36502740b502d13e88

wmetcalf commented 1 year ago

Somehow I missed your initial response. Thank you for implementing this!

wagga40 commented 1 year ago

All thanks to you for the idea. It is implemented in a different branch for now; I will merge after some tests.

wagga40 commented 1 year ago

Merged in #58