Some Sigma.Windows.Hayabusa.Rule rules do not detect logs (#24)
Defender Alert (High)

sigma_rules.yaml:

```yaml
title: Defender Alert (High)
logsource:
  product: windows
  service: windefend
detection:
  condition: []
  selection:
    Channel: Microsoft-Windows-Windows Defender/Operational
    EventID: 1116
    SeverityID: 4
status: test
author: Zach Mathis, Fukusuke Takahashi
level: high
references:
  - https://github.com/Yamato-Security/hayabusa-rules/tree/main/hayabusa/hayabusa/builtin/WindowsDefender/Defender_1116_High_Alert.yml
```

Hayabusa original:

```yaml
author: Zach Mathis, Fukusuke Takahashi
date: 2021/12/01
modified: 2023/6/17
title: 'Defender Alert (High)'
description: Windows defender malware detection
id: 1e11c0f0-aecd-45d8-9229-da679c0265ea
level: high
status: test
logsource:
  product: windows
  service: windefend
detection:
  selection:
    Channel: Microsoft-Windows-Windows Defender/Operational
    EventID: 1116
    SeverityID: 4 # High
falsepositives:
  - bad signature
tags:
  - malware
references:
  - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
ruletype: Hayabusa
```

Detected log sample:

```json
{
  "Timestamp": "2024-01-27T23:44:23.601016Z",
  "RuleTitle": "Defender Alert (High)",
  "Level": "high",
  "Computer": "mouse",
  "Channel": "Defender",
  "EventID": 1116,
  "RecordID": 2894,
  "Details": {
    "Threat": "HackTool:PowerShell/Mimikatz",
    "Severity": "高",
    "Type": "ツール",
    "User": "mouse\\fukus",
    "Path": "file:_C:\\Users\\fukus\\velociraptor-docs\\content\\knowledge_base\\tips\\decimaldecode.md",
    "Proc": "C:\\Users\\fukus\\AppData\\Local\\Programs\\Microsoft VS Code\\resources\\app\\node_modules.asar.unpacked\\@vscode\\ripgrep\\bin\\rg.exe"
  },
  "ExtraFieldInfo": {
    "Action ID": 9,
    "Action Name": "該当なし",
    "Additional Actions ID": 0,
    "Additional Actions String": "No additional actions required",
    "Category ID": 34,
    "Detection ID": "{7F1E0949-2ACC-4813-840F-B58BECE84913}",
    "Detection Time": "2024-01-27T23:44:23.284Z",
    "Engine Version": "AM: 1.1.23110.2, NIS: 1.1.23110.2",
    "Error Code": "0x00000000",
    "Error Description": "この操作を正しく終了しました。",
    "Execution ID": 1,
    "Execution Name": "中断",
    "FWLink": "https://go.microsoft.com/fwlink/?linkid=37020\u0026name=HackTool:PowerShell/Mimikatz\u0026threatid=2147725066\u0026enterprise=0",
    "Origin ID": 1,
    "Origin Name": "ローカル コンピューター",
    "Post Clean Status": 0,
    "Pre Execution Status": 0,
    "Product Name": "Microsoft Defender ウイルス対策",
    "Product Version": "4.18.23110.3",
    "Remediation User": "",
    "Security intelligence Version": "AV: 1.403.2791.0, AS: 1.403.2791.0, NIS: 1.403.2791.0",
    "Severity ID": 4,
    "Source ID": 3,
    "Source Name": "リアルタイム保護",
    "State": 1,
    "Status Code": 1,
    "Status Description": "",
    "Threat ID": 2147725066,
    "Type ID": 0,
    "Type Name": "コンクリート",
    "Unused2": "",
    "Unused3": "",
    "Unused4": "",
    "Unused5": "",
    "Unused6": "",
    "Unused": ""
  },
  "EventTime": "2024-01-27T23:44:23.601016Z"
}
```
A Rule Has Been Deleted From The Windows Firewall Exception List

sigma_rules.yaml:

```yaml
title: A Rule Has Been Deleted From The Windows Firewall Exception List
logsource:
  product: windows
  service: firewall-as
detection:
  condition: (firewall_as and (selection and not 1 of filter_main_* and not 1 of filter_optional_*))
  filter_main_empty:
    ModifyingApplication: ""
  filter_main_generic:
    ModifyingApplication|startswith:
      - C:\Program Files\
      - C:\Program Files (x86)\
  filter_main_null:
    ModifyingApplication: null
  filter_main_svchost:
    ModifyingApplication: C:\Windows\System32\svchost.exe
  filter_optional_msmpeng:
    ModifyingApplication|startswith: C:\ProgramData\Microsoft\Windows Defender\Platform\
    ModifyingApplication|endswith: \MsMpEng.exe
  firewall_as:
    Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  selection:
    EventID:
      - 2006
      - 2052
status: experimental
author: frack113
level: medium
references:
  - https://github.com/Yamato-Security/hayabusa-rules/tree/main/hayabusa/sigma/builtin/firewall_as/win_firewall_as_delete_rule.yml
```

Hayabusa original:

```yaml
title: A Rule Has Been Deleted From The Windows Firewall Exception List
id: c187c075-bb3e-4c62-b4fa-beae0ffc211f
status: experimental
description: Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall
references:
  - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022/02/19
modified: 2023/06/12
tags:
  - attack.defense_evasion
  - attack.t1562.004
logsource:
  product: windows
  service: firewall-as
detection:
  firewall_as:
    Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  selection:
    EventID:
      - 2006 # A rule has been deleted in the Windows Defender Firewall exception list
      - 2052 # A rule has been deleted in the Windows Defender Firewall exception list. (Windows 11)
  filter_main_generic:
    ModifyingApplication|startswith:
      - C:\Program Files\
      - C:\Program Files (x86)\
  filter_main_svchost:
    ModifyingApplication: C:\Windows\System32\svchost.exe
  filter_optional_msmpeng:
    ModifyingApplication|startswith: C:\ProgramData\Microsoft\Windows Defender\Platform\
    ModifyingApplication|endswith: \MsMpEng.exe
  filter_main_null:
    ModifyingApplication:
  filter_main_empty:
    ModifyingApplication: ''
  condition: firewall_as and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
level: medium
ruletype: Sigma
```

Detected log sample:

```json
{
  "Timestamp": "2024-03-13T22:05:25.126032Z",
  "RuleTitle": "A Rule Has Been Deleted From The Windows Firewall Exception List",
  "Level": "med",
  "Computer": "mouse",
  "Channel": "Firewall",
  "EventID": 2052,
  "RecordID": 12812,
  "Details": {},
  "ExtraFieldInfo": {
    "ErrorCode": 0,
    "ModifyingApplication": "C:\\Windows\\SystemTemp\\chrome_Unpacker_BeginUnzipping4360_1830454617\\CR_8BAC2.tmp\\setup.exe",
    "ModifyingUser": "S-1-5-18",
    "RuleId": "{D7B81251-9069-467C-A54A-3AD41CE559FC}",
    "RuleName": "b380f8ff-020d-464a-ad92-63d548cfc877"
  },
  "EventTime": "2024-03-13T22:05:25.126032Z"
}
```
Thank you so much for testing and reporting these issues! I looked at the Windows Defender rule and the reason it is not triggering is because it uses the field

Based on the Hayabusa aliases file:

But looking at the actual docs from Microsoft there is no such field:

The field is actually called

This may just be me misunderstanding how Hayabusa maps the fields, but this seems to be a bug in the Hayabusa event map?

I also noticed another bug which might also be my misunderstanding of the Sigma format: the generated rule has no conditions (
@scudette Thank you for checking!

```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Defender" Guid="{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}" />
    <EventID>1116</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2024-03-20T00:20:22.7423487Z" />
    <EventRecordID>4811</EventRecordID>
    <Correlation />
    <Execution ProcessID="5284" ThreadID="11304" />
    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
    <Computer>mouse</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Product Name">Microsoft Defender ウイルス対策</Data>
    <Data Name="Product Version">4.18.24020.7</Data>
    <Data Name="Detection ID">{03A695D0-DCC9-4237-942D-B3B1FE296A77}</Data>
    <Data Name="Detection Time">2024-03-20T00:20:22.660Z</Data>
    <Data Name="Unused" />
    <Data Name="Unused2" />
    <Data Name="Threat ID">2147720558</Data>
    <Data Name="Threat Name">TrojanDownloader:PowerShell/Plasti.A</Data>
    <Data Name="Severity ID">5</Data>
    <Data Name="Severity Name">重大</Data>
    <Data Name="Category ID">4</Data>
    <Data Name="Category Name">ダウンローダー型のトロイの木馬</Data>
    <Data Name="FWLink">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=TrojanDownloader:PowerShell/Plasti.A&amp;threatid=2147720558&amp;enterprise=0</Data>
    <Data Name="Status Code">1</Data>
    <Data Name="Status Description" />
    <Data Name="State">1</Data>
    <Data Name="Source ID">3</Data>
    <Data Name="Source Name">リアルタイム保護</Data>
    <Data Name="Process Name">C:\tmp\takajo-2.4.0-win\takajo.exe</Data>
    <Data Name="Detection User">mouse\fukus</Data>
    <Data Name="Unused3" />
    <Data Name="Path">file:_C:\tmp\takajo-2.4.0-win\case-1\StackServices.csv</Data>
    <Data Name="Origin ID">1</Data>
    <Data Name="Origin Name">ローカル コンピューター</Data>
    <Data Name="Execution ID">1</Data>
    <Data Name="Execution Name">中断</Data>
    <Data Name="Type ID">0</Data>
    <Data Name="Type Name">コンクリート</Data>
    <Data Name="Pre Execution Status">0</Data>
    <Data Name="Action ID">9</Data>
    <Data Name="Action Name">該当なし</Data>
    <Data Name="Unused4" />
    <Data Name="Error Code">0x00000000</Data>
    <Data Name="Error Description">この操作を正しく終了しました。</Data>
    <Data Name="Unused5" />
    <Data Name="Post Clean Status">0</Data>
    <Data Name="Additional Actions ID">0</Data>
    <Data Name="Additional Actions String">No additional actions required</Data>
    <Data Name="Remediation User" />
    <Data Name="Unused6" />
    <Data Name="Security intelligence Version">AV: 1.407.561.0, AS: 1.407.561.0, NIS: 1.407.561.0</Data>
    <Data Name="Engine Version">AM: 1.1.24020.9, NIS: 1.1.24020.9</Data>
  </EventData>
</Event>
```
Yes, you are correct! I just generated a similar event on a live system. This looks to be an issue of us not handling a missing condition field properly. I could not determine from https://sigmahq.io/docs/basics/rules.html#detection if it is even allowed to omit the condition clause. I suppose we can just add one in case.

Yes, it is not clear from the specifications whether the condition clause is required... I will check whether it is better to add the condition clause on the Hayabusa rule side!

It seems that the condition section was probably omitted (because other rules do not omit the condition clause),

The following detection may also be a problem on Hayabusa's (or Sigma's) side, so I will check it....

In the above case, Hayabusa was able to detect the logs as expected :)
Looking closer at the firewall rule above, I get the following error from the engine:

That search is

I'm not really sure what it's supposed to say here? Is it meant to match the empty string?

Actually, in the version of the rule we use it actually says null

Do you know what it's supposed to mean?
Yes, the The specifications of

The bug which

It looks like the latest Hayabusa rules have been merged, so I'll close this issue and check the latest version!
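To make the two behaviours argued about in the comments above concrete, here is an added Python example (not Velociraptor's, Hayabusa's or Sigma's own code) that evaluates the two rules from this issue against constructed events. It shows a field map that renames the raw EventData name `Severity ID` to the `SeverityID` alias the rule refers to, an empty `condition` being taken to mean the rule's single selection (the fallback proposed in the thread; the Sigma specification itself is not consulted here), and the difference between the `null` filter (field absent) and the `''` filter (field present but empty). The alias table, the `1 of` handling, the tiny condition parser and the sample events are all assumptions made for this example.

```python
# Added example (not Velociraptor's or Hayabusa's code): a minimal Sigma-style matcher
# showing field aliasing ("Severity ID" -> "SeverityID"), an empty `condition`
# falling back to the rule's single selection, and Sigma null versus ''.
import fnmatch
import re

ALIASES = {"Severity ID": "SeverityID"}  # assumed, in the spirit of Hayabusa's event map


def normalize(event, aliases):
    """Rename raw EventData names to the aliases rules refer to."""
    return {aliases.get(k, k): v for k, v in event.items()}


def field_matches(event, key, expected):
    """One `Field|modifier: value` pair; a list of values is OR'd."""
    name, _, mod = key.partition("|")
    present = event.get(name) is not None
    if expected is None:          # Sigma null: the field is absent (or null)
        return not present
    if not present:               # '' and every other literal need a present field
        return False
    actual = str(event[name])
    for cand in map(str, expected if isinstance(expected, list) else [expected]):
        if (mod == "startswith" and actual.startswith(cand)
                or mod == "endswith" and actual.endswith(cand)
                or mod == "" and actual == cand):   # '' equals only an empty string
            return True
    return False


def selection_matches(event, selection):
    """A selection is a map (AND of its fields) or a list of maps (OR)."""
    if isinstance(selection, list):
        return any(selection_matches(event, s) for s in selection)
    return all(field_matches(event, k, v) for k, v in selection.items())


_TOKEN = re.compile(r"\(|\)|1 of [\w*]+|\w+")


class _Cond:
    """Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*."""
    def __init__(self, text, det, ev):
        self.toks, self.i, self.det, self.ev = _TOKEN.findall(text), 0, det, ev

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1]

    def expr(self):
        val = self.term()
        while self.peek() == "or":
            self.take()
            val = self.term() or val
        return val

    def term(self):
        val = self.factor()
        while self.peek() == "and":
            self.take()
            val = self.factor() and val
        return val

    def factor(self):
        tok = self.take()
        if tok == "not":
            return not self.factor()
        if tok == "(":
            val = self.expr()
            assert self.take() == ")", "unbalanced parentheses"
            return val
        if tok.startswith("1 of "):   # `1 of filter_main_*`: any selection whose name matches
            return any(selection_matches(self.ev, s) for n, s in self.det.items()
                       if n != "condition" and fnmatch.fnmatch(n, tok[5:]))
        return selection_matches(self.ev, self.det[tok])


def rule_matches(rule, raw_event, aliases=ALIASES):
    """True when the rule's condition holds for the alias-normalised event."""
    det = rule["detection"]
    cond = det.get("condition")
    if not cond:  # assumption (as proposed in the thread): no condition = the single selection
        names = [n for n in det if n != "condition"]
        if len(names) != 1:
            raise ValueError("no condition and %d selections" % len(names))
        cond = names[0]
    return _Cond(cond, det, normalize(raw_event, aliases)).expr()


# The two rules from this issue as dicts (the generated Defender rule has `condition: []`).
DEFENDER_RULE = {"detection": {"condition": [], "selection": {
    "Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 1116, "SeverityID": 4}}}
FIREWALL_RULE = {"detection": {
    "firewall_as": {"Channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"},
    "selection": {"EventID": [2006, 2052]},
    "filter_main_generic": {"ModifyingApplication|startswith": ["C:\\Program Files\\", "C:\\Program Files (x86)\\"]},
    "filter_main_svchost": {"ModifyingApplication": "C:\\Windows\\System32\\svchost.exe"},
    "filter_optional_msmpeng": {"ModifyingApplication|startswith": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\",
                                "ModifyingApplication|endswith": "\\MsMpEng.exe"},
    "filter_main_null": {"ModifyingApplication": None},
    "filter_main_empty": {"ModifyingApplication": ""},
    "condition": "firewall_as and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)"}}

# Constructed events using raw EventData names (before aliasing), modelled on the samples above.
DEFENDER_EVENT = {"Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 1116, "Severity ID": 4}
FW_BASE = {"Channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", "EventID": 2052}
FW_SETUP = dict(FW_BASE, ModifyingApplication="C:\\Windows\\SystemTemp\\unpack\\setup.exe")  # constructed path
FW_EMPTY = dict(FW_BASE, ModifyingApplication="")   # present but empty -> filter_main_empty excludes it
FW_ABSENT = dict(FW_BASE)                            # absent -> filter_main_null excludes it
FW_SVCHOST = dict(FW_BASE, ModifyingApplication="C:\\Windows\\System32\\svchost.exe")
```

Running `rule_matches(DEFENDER_RULE, DEFENDER_EVENT)` matches only because the alias map renames `Severity ID`; with an empty alias map the same event is missed, which is the mismatch described earlier in the thread. For the firewall rule, `FW_SETUP` matches while `FW_EMPTY` and `FW_ABSENT` are excluded by different filters, so `null` and `''` are not interchangeable and an engine that conflates them would drop one of the two exclusions.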
Hello :)

I am trying Sigma.Windows.Hayabusa.Rules on 0.72 RC1 and some rules were not working, so I would like to report. (I noticed this when I was comparing the results with Exchange.Windows.EventLogs.Hayabusa.)

Although I have only confirmed this on medium level or higher, the following rules did not detect logs in Sigma.Windows.Hayabusa.Rules:

- MSI Installation From Suspicious Locations ... Maybe this can be resolved by using the latest rule?
- Suspicious Non PowerShell WSMAN COM Provider ... Maybe this can be resolved by using the latest rule?
- Uncommon AppX Package Locations ... Maybe this can be resolved by using the latest rule?

Thank you for your time.