sigma_to_wazuh

Logic conversion issues

Open theflakes opened this issue 2 years ago • 4 comments

See: https://github.com/SigmaHQ/sigma/blob/b4cb047ae720b37b11f8506de7965dc29d5920be/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml

   detection:
       selection1:
           TargetObject|contains:
               - 'Software\Microsoft\Office'
               - '\Outlook\Today'
       selectionStamp:
           EventType: SetValue
           TargetObject|endswith: Stamp
           Details: DWORD (0x00000001)
       selectionUserDefined:
           TargetObject|endswith: UserDefinedUrl
       filter_office:
           Image|startswith:
               - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun'
               - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates'
           Image|endswith: '\OfficeClickToRun.exe'
       condition: selection1 and (selectionStamp or selectionUserDefined) and not 1 of filter_*

theflakes avatar Apr 11 '22 00:04 theflakes

Also see: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml

The problem is with lists and negation being converted correctly to Wazuh AND negation logic.

theflakes avatar Apr 12 '22 14:04 theflakes

Also: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml

theflakes avatar Apr 14 '22 03:04 theflakes

Need to add check for detection token to see if it is a list (OR logic) or dictionary (AND logic).

OR Logic:
See: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml

   {
      "selection_reg1": {
         "TargetObject|contains": [
            "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
         ]
      },
      "selection_reg2": [
         {
            "TargetObject|contains|all": [
               "\\Image File Execution Options\\",
               "\\GlobalFlag"
            ]
         },
         {
            "TargetObject|contains|all": [
               "SilentProcessExit\\",
               "\\ReportingMode"
            ]
         },
         {
            "TargetObject|contains|all": [
               "SilentProcessExit\\",
               "\\MonitorProcess"
            ]
         }
      ],
      "condition": "selection_reg1 and selection_reg2"
   }

AND Logic:
See: https://github.com/SigmaHQ/sigma/blob/b4cb047ae720b37b11f8506de7965dc29d5920be/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml

   {
      "selection1": {
         "TargetObject|contains": [
            "Software\\Microsoft\\Office\\",
            "\\Outlook\\Today\\"
         ]
      },
      "selectionStamp": {
         "EventType": "SetValue",
         "TargetObject|endswith": "Stamp",
         "Details": "DWORD (0x00000001)"
      },
      "selectionUserDefined": {
         "TargetObject|endswith": "UserDefinedUrl"
      },
      "filter_office": {
         "Image|startswith": [
            "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\",
            "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\"
         ],
         "Image|endswith": "\\OfficeClickToRun.exe"
      },
      "condition": "selection1 and (selectionStamp or selectionUserDefined) and not 1 of filter_*"
   }

theflakes avatar Apr 14 '22 16:04 theflakes
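The list-vs-dict rule described in the comment above, as an added example that is not sigma_to_wazuh's own code: a small Python matcher that evaluates one Sigma selection against a flat event dict, treating a dict as AND over its fields, a list as OR over its items, and `|all` as AND over a value list. It assumes case-insensitive matching with no wildcard handling, and it evaluates selections only, not the rule's `condition` string; the two selections at the bottom are copied from the rules cited in this issue.

```python
from typing import Any

# Assumption: matching is case-insensitive and wildcards are not handled;
# the selections below are copied from the two rules cited in this issue.

def _value_matches(modifiers: list[str], actual: str, expected: str) -> bool:
    """Apply a Sigma value modifier (contains / startswith / endswith / exact)."""
    a, e = actual.lower(), expected.lower()
    if "contains" in modifiers:
        return e in a
    if "startswith" in modifiers:
        return a.startswith(e)
    if "endswith" in modifiers:
        return a.endswith(e)
    return a == e

def _field_matches(key: str, expected: Any, event: dict) -> bool:
    """'Field|mod...': a value list is OR, unless the '|all' modifier is present."""
    field, *modifiers = key.split("|")
    actual = event.get(field)
    if actual is None:
        return False
    values = expected if isinstance(expected, list) else [expected]
    hits = [_value_matches(modifiers, str(actual), str(v)) for v in values]
    return all(hits) if "all" in modifiers else any(hits)

def selection_matches(selection: Any, event: dict) -> bool:
    """dict -> AND over its fields; list -> OR over its items (each a dict)."""
    if isinstance(selection, dict):
        return all(_field_matches(k, v, event) for k, v in selection.items())
    if isinstance(selection, list):
        return any(selection_matches(item, event) for item in selection)
    raise TypeError(f"unexpected selection type: {type(selection).__name__}")

# OR logic: a list of dicts, from registry_set_globalflags_persistence.yml
SELECTION_REG2 = [
    {"TargetObject|contains|all": ["\\Image File Execution Options\\", "\\GlobalFlag"]},
    {"TargetObject|contains|all": ["SilentProcessExit\\", "\\ReportingMode"]},
    {"TargetObject|contains|all": ["SilentProcessExit\\", "\\MonitorProcess"]},
]

# AND logic: a dict of fields, from registry_set_outlook_registry_todaypage.yml
SELECTION_STAMP = {
    "EventType": "SetValue",
    "TargetObject|endswith": "Stamp",
    "Details": "DWORD (0x00000001)",
}
```

A converter that emits Wazuh rules has to make the same distinction before it decides whether sibling fields become one rule (AND) or several alternatives (OR).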

Verify and fix: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml

theflakes avatar Feb 19 '23 22:02 theflakes