frack113

Results 108 comments of frack113

I haven't found any rules with `contains: '\*'`, so I'm not sure it's useful to change the code for this specific case. Otherwise I can work on it.

Hi,
- A Sigma rule is universal and is not written for a specific backend/SIEM.
- A Sigma rule uses only the original field names from the event (here Sysmon). Elastic Beats split...

Find this in SwiftOnSecurity sysmonconfig-export.xml: `` But the filter will never work on `NewName`:

```yml
detection:
  selection_rename:
    NewName|endswith:
      - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
      - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
  selection_set:
    TargetObject|endswith:
      - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
      - '\SOFTWARE\Wow6432Node\Microsoft\Windows...
```

Hi, did you succeed in translating it? I got:

```
PS D:\rootme\sigma\tools> python sigmac -t es-qs -c .\config\generic\sysmon.yml ..\rules\file_event_susp_rtlo.yml
(TargetFilename.keyword:/.*‮[\w\d]{2,5}\.(exe|bat|js|vbs|hta|vbe|jse|sct|wsf|xsl|cpl|xll)/ OR CommandLine.keyword:/.*‮[\w\d]{2,5}\.(exe|bat|js|vbs|hta|vbe|jse|sct|wsf|xsl|cpl|xll)/)
```

Hi, there are already 2 generic rules:
- rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml (49be8799-7b4d-4fda-ad23-cafbefdebbc5)
- rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml (b96b2031-7c17-4473-afe7-a30ce714db29)

Hi, the Sigma rule refs are waiting in the PRs:
- https://github.com/LOLBAS-Project/LOLBAS/pull/226
- https://github.com/LOLBAS-Project/LOLBAS/pull/225
- https://github.com/LOLBAS-Project/LOLBAS/pull/223

Try the rule with Aurora (fix errors: double status, references not a...

It is more like:

```yaml
detection:
  select_wfc:
    Image|endswith: '\wfc.exe'
    CommandLine|contains: '.xoml'
  select_fsi:
    Image|endswith:
      - '\fsi.exe'
      - 'fsianycpu.exe'
    CommandLine|contains:
      - '.fsscript'
      - '.fsx'
  condition: 1 of select*
```

`CommandLine` is what...

The pattern for a valid file name is `'[a-z0-9_]{10,70}\.yml'`. So it should be something like `proc_creation_win_lolbin_proxied_payload_script.yml`: starting with `proc_creation_win_` like the others in the folder, and with `.yml` as the file extension.

Hi, the modifier `re` checks that it is a valid regex and hands it to the backend. Not every backend can handle regex. Some have their own way to deal with...

Currently it is the **backend** that manages the regex. So the way `es-qs` manages it is a full match, because **Elastic** is full-match. Test in Kibana:
- `Event.Image:/.*\\.exe/` OK
- ...