
[sigmac] [splunk] literal * is not escaped

Open phantinuss opened this issue 2 years ago • 0 comments

Hi,

I think we found another bug in the Splunk back-end, best seen in rule rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml

detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - ' /delete '
            - '/tn \*'
            - ' /f'
    condition: selection

The * is escaped correctly in Sigma.

$ sigmac -t splunk -c tools/config/splunk-windows.yml rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml 
((Image="*\\schtasks.exe" CommandLine="* /delete *" CommandLine="*/tn \*" CommandLine="* /f*"))

But \* is not a valid escape for * in SPL.

From a quick search there seems to be no easy way to escape the * character in SPL. The most convenient solution I have seen is to transform the search to a regex search.

phantinuss, Oct 21 '22 11:10
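To make the regex workaround mentioned in the issue concrete, here is an added Python example (not part of the issue, of sigmac or of the Sigma project) that reads the rule's selection with Sigma's own wildcard semantics, emits each field test as a `| regex` stage instead of a `field="..."` wildcard match, and evaluates the same regexes over a few constructed process-creation events. Assumptions, labelled in the code: the selection is hand-copied from the YAML above (single-quoted YAML keeps the backslash, so the value really is the four characters `/tn \*`), the `(?i)` prefix stands in for Splunk's case-insensitive field matching, Python's `re` stands in for Splunk's PCRE engine, and the SPL-level quoting rules for backslashes inside the `| regex` string are not modelled.

```python
import re

# Constructed sample process-creation events (not real telemetry). Only the
# first one deletes every scheduled task by passing a literal "*" task name.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks.exe /delete /tn * /f"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks.exe /delete /tn "Backup Job" /f'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c schtasks /delete /tn * /f"},
]

# The rule's selection, hand-copied from the YAML in the issue (assumption:
# no YAML parser here). Keys are (field, modifier); every value must match.
SELECTION = {
    ("Image", "endswith"): [r"\schtasks.exe"],
    ("CommandLine", "contains"): [" /delete ", r"/tn \*", " /f"],
}


def sigma_value_to_regex(value: str) -> str:
    """Translate one Sigma string value into a regex body.

    Sigma semantics: an unescaped '*' is a multi-character wildcard, an
    unescaped '?' a single-character wildcard, and a backslash before '*',
    '?' or '\\' makes that character literal. Everything else is escaped so
    the regex engine cannot interpret it.
    """
    out = []
    i = 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value) and value[i + 1] in "*?\\":
            out.append(re.escape(value[i + 1]))  # escaped wildcard -> literal
            i += 2
        elif c == "*":
            out.append(".*")
            i += 1
        elif c == "?":
            out.append(".")
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def field_regex(modifier: str, value: str) -> str:
    """Anchor the regex body according to the Sigma modifier."""
    body = sigma_value_to_regex(value)
    if modifier == "startswith":
        return "^" + body
    if modifier == "endswith":
        return body + "$"
    if modifier == "contains":
        return body
    return "^" + body + "$"  # plain equality


def build_spl(selection) -> str:
    """Emit the selection as `| regex` stages instead of field="..." tests.

    (?i) is an assumption standing in for Splunk's case-insensitive field
    matching; SPL's own backslash handling inside the quoted string is not
    modelled here.
    """
    stages = []
    for (field, modifier), values in selection.items():
        for value in values:
            pattern = field_regex(modifier, value).replace('"', r'\"')
            stages.append(f'| regex {field}="(?i){pattern}"')
    return " ".join(stages)


def matches(event, selection) -> bool:
    """Evaluate the selection with Python's re, standing in for Splunk's PCRE."""
    for (field, modifier), values in selection.items():
        for value in values:
            pattern = "(?i)" + field_regex(modifier, value)
            if not re.search(pattern, event.get(field, "")):
                return False
    return True


if __name__ == "__main__":
    print(build_spl(SELECTION))
    for event in SAMPLE_EVENTS:
        print(matches(event, SELECTION), event["CommandLine"])
```

Run stand-alone, the script prints the `| regex` stages and then `True` for the first event only: the `/tn \*` value becomes the regex `\*`, so the rule fires on a real asterisk task name and not on `/tn "Backup Job"`, and the third event fails the `Image|endswith` test. Translating the whole selection this way means the plain `field="..."` path never sees the `\*` that SPL cannot interpret.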