pySigma-backend-elasticsearch
Wildcard format issue
Hello there, I tried to convert the "proc_creation_win_susp_remote_desktop_tunneling.yml" Sigma rule to Elasticsearch via the ecs_windows pipeline, as you can see here:
sigma convert --target elasticsearch -p ecs_windows "proc_creation_win_susp_remote_desktop_tunneling.yml" --format siem_rule
And I get the following answer as a response:
"process.command_line:*\\:3389* AND (process.command_line:(\"*\\ \\-L\\ *\" OR \"*\\ \\-P\\ *\" OR \"*\\ \\-R\\ *\" OR \"*\\ \\-pw\\ *\" OR \"*\\ \\-ssh\\ *\"))"
When I tried to check this query as "query_string", it doesn't find any hits.
I looked a little deeper into it and found an issue related to the first part of the query - "process.command_line:*\\:3389*"
I tried sending it in a few other permutations that worked:
"process.command_line:\\:3389"
"process.command_line:\"*\\:3389*\""
Do you know where the problem is? Is there any workaround?
I am facing a similar problem with * and "
sigma convert -t lucene -f siem_rule_ndjson -p ecs_windows ./proc_creation_win_certutil_decode.yml -o sigma.ndjson
Query from Sigma
(process.executable:*\\certutil.exe OR process.pe.original_file_name:CertUtil.exe) AND (process.command_line:("*\-decode\ *" OR "*\/decode\ *" OR "*\-decodehex\ *" OR "*\/decodehex\ *"))
No hits from the above query on ELK 8.10.
Some problem in command_line with " and * used at the same time; after removing the double quotes it's working fine.
This one works
(process.executable:*\\certutil.exe OR process.pe.original_file_name:CertUtil.exe) AND (process.command_line:(*\-decode\ * OR *\/decode\ * OR *\-decodehex* OR *\/decodehex\ * ))
Some more details about wildcards and ": https://discuss.elastic.co/t/wildcard-query-not-working-as-expected/84447
Could you please check?
@Securityinbits and @eliranDream I've just approved and merged the PR from @Koen1999 which may also solve your issues. A new version will be available soon. Would you give it a try?
@andurin Thank you for working on this. I checked the sigma-rules.zip and it looks good to me.
Sharing one more example for reference:
Src: https://github.com/SigmaHQ/sigma/blob/be359ef3f2a7962dfbdbc705c4f532d6b2f440a5/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml#L30
This one doesn't work
(process.executable:*\\bitsadmin.exe OR process.pe.original_file_name:bitsadmin.exe) AND (process.command_line:"*\ \/transfer\ *" OR ((process.command_line:("*\ \/create\ *" OR "*\ \/addfile\ *")) AND process.command_line:*http*))
This one works after removing " manually
(process.executable:*\\bitsadmin.exe OR process.pe.original_file_name:bitsadmin.exe) AND (process.command_line:*\ \/transfer\ * OR ((process.command_line:(*\ \/create\ * OR *\ \/addfile\ *)) AND process.command_line:*http*))
Using this cmd to generate the ndjson file:
sigma convert -t lucene -f siem_rule_ndjson -p ecs_windows ./rules/windows -o basic_windows.ndjson
I added some more tests for this case but the rule you mentioned converts just fine (without quotes) to:
(Image:*\\bitsadmin.exe OR OriginalFileName:bitsadmin.exe) AND (CommandLine:*\ \/transfer\ * OR ((CommandLine:(*\ \/create\ * OR *\ \/addfile\ *)) AND CommandLine:*http*))
and will only present the expected two hits in the connect tests.
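The workaround the thread applies by hand (dropping the phrase quotes around wildcard terms, because query_string treats a double-quoted term as a phrase and does not expand * or ? inside it) written as a small Python helper. This is an added example, not code from the thread or from pySigma-backend-elasticsearch; the function name and the choice of which characters to re-escape once the quotes are gone are my own assumptions.

```python
# Unquote wildcard phrases in a Lucene query_string (added example, not project code).
# Backslash escapes such as "\ " and "\/" are kept verbatim; any bare reserved
# character that the quotes had been protecting is escaped so the term stays valid.
WILDCARDS = {"*", "?"}
RESERVED = set('+-=&|><!(){}[]^"~:/\\ ')  # Lucene reserved characters, minus wildcards


def unquote_wildcard_phrases(query: str) -> str:
    out, i, n = [], 0, len(query)
    while i < n:
        ch = query[i]
        if ch == "\\" and i + 1 < n:            # escaped char outside quotes: copy as-is
            out.append(query[i:i + 2]); i += 2; continue
        if ch != '"':
            out.append(ch); i += 1; continue
        j, body = i + 1, []                      # collect tokens up to the closing quote
        while j < n and query[j] != '"':
            if query[j] == "\\" and j + 1 < n:
                body.append(query[j:j + 2]); j += 2   # escape sequence = one token
            else:
                body.append(query[j]); j += 1
        if j >= n:                               # unterminated quote: leave untouched
            out.append(query[i:]); break
        if not any(tok in WILDCARDS for tok in body):   # plain phrase: keep the quotes
            out.append(query[i:j + 1])
        else:                                    # wildcard phrase: emit unquoted
            for tok in body:
                out.append("\\" + tok if len(tok) == 1 and tok in RESERVED else tok)
        i = j + 1
    return "".join(out)


# Query pair copied from the bitsadmin example above (non-working vs. working form).
BROKEN = r'(process.executable:*\\bitsadmin.exe OR process.pe.original_file_name:bitsadmin.exe) AND (process.command_line:"*\ \/transfer\ *" OR ((process.command_line:("*\ \/create\ *" OR "*\ \/addfile\ *")) AND process.command_line:*http*))'
WORKING = r'(process.executable:*\\bitsadmin.exe OR process.pe.original_file_name:bitsadmin.exe) AND (process.command_line:*\ \/transfer\ * OR ((process.command_line:(*\ \/create\ * OR *\ \/addfile\ *)) AND process.command_line:*http*))'

if __name__ == "__main__":
    print(unquote_wildcard_phrases(BROKEN) == WORKING)
```

The siem_rule JSON output (first post) embeds the query JSON-escaped, so decode the JSON string before running it through the helper and re-encode afterwards.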