sigma
[STIX Backend] Rule partly converted bug
There are some rules which are converted only partly to a STIX pattern if a config mapping is not available for one of the fields. For example, the rule `A and not B`, where A does not have a mapping and B has one, will be converted to just `not B`.
Example rule: https://github.com/Neo23x0/sigma/tree/master/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml
```yaml
detection:
    selection:
        OriginalFileName:
            - "powershell.exe"
            - "powershell_ise.exe"
            - "psexec.exe"
            - "psexec.c"  # old versions of psexec (2016 seen)
            - "cscript.exe"
            - "wscript.exe"
            - "mshta.exe"
            - "regsvr32.exe"
            - "wmic.exe"
            - "certutil.exe"
            - "rundll32.exe"
            - "cmstp.exe"
            - "msiexec.exe"
    filter:
        Image:
            - '*\powershell.exe'
            - '*\powershell_ise.exe'
            - '*\psexec.exe'
            - '*\psexec64.exe'
            - '*\cscript.exe'
            - '*\wscript.exe'
            - '*\mshta.exe'
            - '*\regsvr32.exe'
            - '*\wmic.exe'
            - '*\certutil.exe'
            - '*\rundll32.exe'
            - '*\cmstp.exe'
            - '*\msiexec.exe'
    condition: selection and not filter
```
After conversion (only `not filter` remains):

```json
"pattern": "[(((process:binary_ref.name NOT LIKE '%\\\\powershell.exe' AND process:binary_ref.name NOT LIKE '%\\\\powershell_ise.exe' AND process:binary_ref.name NOT LIKE '%\\\\psexec.exe' AND process:binary_ref.name NOT LIKE '%\\\\psexec64.exe' AND process:binary_ref.name NOT LIKE '%\\\\cscript.exe' AND process:binary_ref.name NOT LIKE '%\\\\wscript.exe' AND process:binary_ref.name NOT LIKE '%\\\\mshta.exe' AND process:binary_ref.name NOT LIKE '%\\\\regsvr32.exe' AND process:binary_ref.name NOT LIKE '%\\\\wmic.exe' AND process:binary_ref.name NOT LIKE '%\\\\certutil.exe' AND process:binary_ref.name NOT LIKE '%\\\\rundll32.exe' AND process:binary_ref.name NOT LIKE '%\\\\cmstp.exe' AND process:binary_ref.name NOT LIKE '%\\\\msiexec.exe')))]",
```
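As an added illustration (not code from the sigma project or its STIX backend), a minimal Sigma-to-STIX converter that fails closed on an unmapped field instead of silently dropping the selection; `FIELD_MAP`, `RULE` and the `strict` flag are assumptions, and `RULE` is a shortened copy of the rule above with only `Image` mapped, so `strict=False` reproduces the reported `not filter`-only pattern.

```python
"""Sigma -> STIX pattern conversion that fails closed on unmapped fields (example)."""
from typing import Dict, List

# Constructed mapping: Image is mapped, OriginalFileName deliberately is not,
# mirroring the situation in the reported rule.
FIELD_MAP: Dict[str, str] = {"Image": "process:binary_ref.name"}

# Shortened copy of the rule from the issue (constructed test input).
RULE = {
    "selection": {"OriginalFileName": ["powershell.exe", "psexec.exe"]},
    "filter": {"Image": ["*\\powershell.exe", "*\\psexec.exe"]},
    "condition": "selection and not filter",
}


class MissingMappingError(KeyError):
    """Raised when a Sigma field has no STIX object path in FIELD_MAP."""


def _stix_literal(value: str) -> str:
    # STIX string literals escape backslashes and quotes; Sigma '*' becomes '%'.
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'").replace("*", "%") + "'"


def _selection_to_stix(sel: Dict[str, List[str]], negate: bool, strict: bool) -> str:
    comparisons = []
    for field, values in sel.items():
        path = FIELD_MAP.get(field)
        if path is None:
            if strict:
                raise MissingMappingError(field)
            continue  # lenient mode drops the field: this is the reported behaviour
        terms = []
        for v in values:
            wildcard = "*" in v
            op = ("NOT LIKE" if negate else "LIKE") if wildcard else ("!=" if negate else "=")
            terms.append(f"{path} {op} {_stix_literal(v)}")
        # A negated list is a conjunction (none may match); a positive list is a disjunction.
        comparisons.append("(" + (" AND " if negate else " OR ").join(terms) + ")")
    return " AND ".join(comparisons)


def convert(detection: dict, strict: bool = True) -> str:
    """Handle conditions of the form 'a and not b ...'; raise if nothing survives."""
    parts, negate = [], False
    for tok in detection["condition"].split():
        if tok == "and":
            continue
        if tok == "not":
            negate = True
            continue
        fragment = _selection_to_stix(detection[tok], negate, strict)
        negate = False
        if fragment:
            parts.append(fragment)
    if not parts:
        raise ValueError("condition reduced to nothing after conversion")
    return "[" + " AND ".join(parts) + "]"
```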