
Rule Does Not Meet Current Sigma Capabilities

Open · BalsamicSentry opened this issue 9 months ago · 1 comment

For rule f6de9536-0441-4b3f-a646-f4e00f300ffd "Weak Encryption Enabled and Kerberoast", the values specified will never detect on Windows Security Event Logs (At least from what I can see; I do not have Sysmon to compare). Real-world values are displayed as "0x" followed by numbers, but this rule is either expecting question marks or is expecting the user to do extra work to edit the rule.

Example:

03/03/2025 00:00:00 AM
LogName=Security
EventCode=4738
EventType=0
ComputerName=DESKTOP-1234
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=00000001
Keywords=Audit Success
TaskCategory=User Account Management
OpCode=Info
Message=A user account was changed.

Subject:
...

Target Account:
...

Changed Attributes:
...
Old UAC Value: 0x210
New UAC Value: 0x210
...

Additional Information:
...

Also, there is a dead link in the detection section.

BalsamicSentry, Mar 27 '25 15:03

The selections match using the |endswith modifier. The question marks are one-character wildcards. Therefore I don't see a systematic issue with the rule. Your example, if it used a different combination of flags, would match. Am I correct that this was just a misunderstanding of how to read the rule, or did you test it and it didn't work? If so, please explain how to reproduce this test.

phantinuss, May 19 '25 07:05

This issue seems to stem from a misunderstanding of how the ? character works in Sigma.

The ? is used as a placeholder, so the Sigma backend converting the rule should account for that. The endswith modifier also adds a wildcard at the start to account for any value beforehand. Hence the rule is working as expected.

Feel free to re-open if you disagree.

nasbench, Oct 19 '25 11:10
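To make the two maintainer replies concrete (one-character `?` wildcards, and `|endswith` prepending a `*`), here is an added example that is not part of the issue thread and not SigmaHQ or pySigma code. It is a minimal re-implementation of Sigma's string-matching semantics as the specification describes them (`?` = exactly one character, `*` = any run, `|endswith` prepends `*`, `|startswith` appends `*`, `|contains` does both, case-insensitive unless `|cased` is present), applied to a constructed Event ID 4738 message modelled on the one quoted above. The patterns used below are constructed for illustration and are not the real rule's values.

```python
import re
from typing import Iterable, Optional

# Added example, not SigmaHQ/pySigma code: a small model of Sigma string matching,
# enough to show how '?' and the |endswith modifier behave against a hex UAC value.


def sigma_to_regex(pattern: str, modifiers: Iterable[str] = ()) -> re.Pattern:
    """Translate a Sigma string value plus its modifiers into an anchored regex."""
    mods = set(modifiers)
    if "endswith" in mods or "contains" in mods:
        pattern = "*" + pattern          # anything may precede the value
    if "startswith" in mods or "contains" in mods:
        pattern = pattern + "*"          # anything may follow the value
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        # a backslash escapes a wildcard so it is matched literally
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?\\":
            parts.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c == "*":
            parts.append(".*")           # any run of characters
        elif c == "?":
            parts.append(".")            # exactly one character
        else:
            parts.append(re.escape(c))
        i += 1
    # Sigma matches case-insensitively unless the |cased modifier is used
    flags = re.DOTALL if "cased" in mods else re.DOTALL | re.IGNORECASE
    return re.compile("^" + "".join(parts) + "$", flags)


def sigma_match(pattern: str, value: str,
                modifiers: Iterable[str] = ("endswith",)) -> bool:
    """True if `value` matches the Sigma `pattern` under the given modifiers."""
    return sigma_to_regex(pattern, modifiers).match(value) is not None


# Constructed sample message, modelled on the 4738 event quoted in the issue.
SAMPLE_4738_MESSAGE = """A user account was changed.

Changed Attributes:
Old UAC Value: 0x210
New UAC Value: 0x210
"""

FIELD_RE = re.compile(r"^\s*New UAC Value:\s*(\S+)\s*$", re.MULTILINE)


def extract_new_uac_value(message: str) -> Optional[str]:
    """Pull the NewUacValue field out of the message body (hypothetical parser)."""
    m = FIELD_RE.search(message)
    return m.group(1) if m else None


def evaluate_selection(message: str, patterns: Iterable[str]) -> bool:
    """Emulate a selection of the form NewUacValue|endswith: [patterns].
    A list of values under one field is OR-ed in Sigma."""
    value = extract_new_uac_value(message)
    if value is None:
        return False
    return any(sigma_match(p, value, ("endswith",)) for p in patterns)


if __name__ == "__main__":
    # Constructed patterns, not the rule's own values:
    print(sigma_match("?10", "0x210"))                            # True: '?' consumes '2'
    print(sigma_match("0X?10", "0x210"))                          # True: case-insensitive
    print(sigma_match("0X?10", "0x210", ("endswith", "cased")))   # False under |cased
    print(sigma_match("A????", "0x210"))                          # False: 'A' would be 5th from end
    print(evaluate_selection(SAMPLE_4738_MESSAGE, ["A????", "?10"]))  # True (OR of values)
```

The practical check for a rule author is therefore not whether the literal characters `?` appear in the event, but whether the backend in use honours single-character wildcards; if a converted query shows a literal `?` instead of a one-character placeholder, the conversion, not the rule, is where to look.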