From 17df73765ed0f06b68afa019757c2a8d8d2618e0 Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Mon, 25 Nov 2024 19:35:56 +0900 Subject: [PATCH 01/10] readme-2.19.0 --- README.md | 45 ++++++++++++++++++++----------------- config/closing_messages.txt | 17 +++++++++----- config/opening_messages.txt | 3 ++- 3 files changed, 38 insertions(+), 27 deletions(-) diff --git a/README.md b/README.md index 95f5f0e66..1cb8cd422 100644 --- a/README.md +++ b/README.md @@ -46,7 +46,7 @@ We also create new rules with converted field names and values for `process_crea - [Outputting field data from multiple field names with the same name](#outputting-field-data-from-multiple-field-names-with-the-same-name) - [Field Modifiers](#field-modifiers) - [Supported Sigma Field Modifiers](#supported-sigma-field-modifiers) - - [Extra Field Modifiers](#extra-field-modifiers) + - [Deprecated Field Modifiers](#deprecated-field-modifiers) - [Unsupported Field Modifiers](#unsupported-field-modifiers) - [Wildcards](#wildcards) - [null keyword](#null-keyword) 
@@ -520,45 +520,48 @@ This document is updated every time there is an update to Sigma or Hayabusa rule - 'Keyword-2' condition: keywords ``` - - `|base64offset|contains`: Data will be encoded to base64 in three different ways depending on its position in the encoded string. This modifier will encoded a string to all three variations and check if the string is encoded somewhere in the base64 string. -- `|cased`: Make the search case-sensitive. -- `|cidr`: Matches on a IPv4 or IPv6 CIDR notation (Ex: `192.0.2.0/24`) -- `|contains`: Checks if a word is contained in the data -- `|contains|all`: Checks if multiple words are contained in the data +- `|cased`: Makes the search case-sensitive. +- `|cidr`: Checks if a field value matches on a IPv4 or IPv6 CIDR notation. (Ex: `192.0.2.0/24`) +- `|contains`: Checks if a field value contains a certain string. +- `|contains|all`: Checks if multiple words are contained in the data. - `|contains|all|windash`: Same as `|contains|windash` but all of the keywords need to be present. - `|contains|windash`: Will check the string as-is, as well as convert the first `-` character to a `/` character and check that variation as well. -- `|endswith`: Checks the end of the string. +- `|endswith`: Checks if a field value ends with a certain string. - `|endswith|windash`: Checks the end of the string and performs variations for dashes. - `|exists`: Checks if a field exists. -- `|fieldref`: Checks to see if the values in two fields are the same. This is the same as the `|equalsfield` modifier. +- `|fieldref`: Checks to see if the values in two fields are the same. You can use `not` in the `condition` if you want to check if two fields are different. +- `|fieldref|contains`: Checks to see if the value of one field is contained in another field. +- `|fieldref|endswith`: Check if the field on the left ends with the string of the field on the right. You can use `not` in the `condition` to check if they are different. 
+- `|fieldref|startswith`: Check if the field on the left starts with the string of the field on the right. You can use `not` in the `condition` to check if they are different. +- `|gt`: Checks if a field value is greater than a certain number. +- `|gte`: Checks if a field value is greater than or equal to a certain number. +- `|lt`: Checks if a field value is less than a certain number. +- `|lte`: Checks if a field value is less than or equal to a certain number. - `|re`: Use case-sensitive regular expressions. (We are using the regex crate so please out the documentation at to learn how to write supported regular expressions.) > Caution: [Regular expression syntax in Sigma rules](https://github.com/SigmaHQ/sigma-specification/blob/main/appendix/sigma-modifiers-appendix.md#regular-expression) uses PCRE with certain metacharacters for character classes, lookbehind, atomic grouping, etc... being unsupported. The Rust regex crate should be able to use all regular expressions in Sigma rules but there is a possibility of incompatibility. - `|re|i`: (Insensitive) Use case-insensitive regular expressions. - `|re|m`: (Multi-line) Match across multiple lines. `^` / `$` match the start/end of line. - `|re|s`: (Single-line) dot (`.`) matches all characters, including the newline character. -- `|startswith`: Checks the string from the beginning. +- `|startswith`: Checks if a field value starts with a certain string. +- `utf16|base64offset|contains`: Checks to see if a certain UTF-16 string is encoded inside a base64 string. +- `utf16be|base64offset|contains`: Checks to see if a certain UTF-16 big-endian string is encoded inside a base64 string. +- `utf16le|base64offset|contains`: Checks to see if a certain UTF-16 little-endian string is encoded inside a base64 string. +- `wide|base64offset|contains`: Alias for `utf16le|base64offset|contains`, checking for UTF-16 little-endian strings. 
-### Extra Field Modifiers +### Deprecated Field Modifiers -The following modifiers are not in the sigma specification but have been added for very specific use cases. +The following modifiers are now deprecated and replaced by modifiers that adhere more to the sigma specifications. -- `|equalsfield`: Check if two fields have the same value. You can use `not` in the `condition` if you want to check if two fields are different. -- `|endswithfield`: Check if the field on the left ends with the string of the field on the right. You can use `not` in the `condition` if they are different. +- `|equalsfield`: Now is replaced by `|fieldref`. +- `|endswithfield`: Now is replaced by `|fieldref|endswith`. ## Unsupported Field Modifiers -The following modifiers are currently not supported, but currently only the `|expand` and `|contains|expand` modifiers are actually used in rules: +The following modifiers are currently not supported: -- `base64ǀutf16be` -- `base64ǀutf16le` -- `base64ǀwide` - `contains|expand` - `expand` -- `gt` -- `gte` -- `lt` -- `lte` ## Wildcards diff --git a/config/closing_messages.txt b/config/closing_messages.txt index 83cd8692c..189dae94e 100644 --- a/config/closing_messages.txt +++ b/config/closing_messages.txt @@ -2,9 +2,9 @@ 初心忘るべからず - Shoshin Wasuru Bekarazu - Never forget the beginner's mind. 無事是貴人 - Buji Kore Kinin - Once you free yourself from attachment and aversion, you will be truly a noble person. 急がば回れ - Isogaba Maware - If you are in a hurry, take the long way. -一瞬一瞬を大切に - Isshun Isshun O Taisetu Ni - Treasure each moment. +一瞬一瞬を大切に - Isshun Isshun O Taisetsu Ni - Treasure each moment. 無念無想 - Munen Musou - No assumptions, no preconceptions. -臨機応変 - Rinki Ou Hen - Adapt to the situation. +臨機応変 - Rin Ki Ou Hen - Adapt to the situation. 日々是好日 - Nichinichi Kore Koujitsu - Everyday is a good day. 風林火山 - Fuu Rin Ka Zan - Swift as the wind, silent as the forest, fierce as fire, immovable as a mountain. 不動心 - Fudoushin - Immovable mind. 
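Review bot: in the README.md hunk `@@ -520,45 +520,48 @@`, the new `|fieldref|contains` entry does not say which field is the haystack, unlike its `|fieldref|endswith` and `|fieldref|startswith` siblings; reword it to match them, e.g. `- `|fieldref|contains`: Checks if the field on the left contains the value of the field on the right.` The four new `utf16…|base64offset|contains` and `wide|base64offset|contains` entries are also missing the leading `|` that every other modifier in the list carries. Two smaller points: `|cidr` should read "an IPv4 or IPv6 CIDR", and the new `|gt`/`|gte`/`|lt`/`|lte` entries should state what happens when the field value is not numeric (event log fields arrive as strings), since a silent non-match versus an error changes how a rule author tests a threshold rule. The unchanged `|re` context line still reads "please out the documentation at to learn", which has lost both its verb and its link.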
@@ -26,7 +26,7 @@ 臨戦態勢 - Rinsen Taisei - Always ready for battle. 一事が万事 - Ichiji Ga Banji - One thing leads to everything. 難行苦行 - Nangyou Kugyou - Arduous and rigorous practice. -塞翁失馬 - Saiou Shitu Ba - The old man lost his horse. (A blessing in disguise.) +塞翁失馬 - Sai Ou Shitsu Ba - The old man lost his horse. (A blessing in disguise.) 時来たり - Toki Kitari - The time has come. 失敗は成功のもと - Shippai Wa Seikou No Moto - Failure is the root of success. 天の時、地の利、人の和 - Ten No Toki, Chi No Ri, Hito No Wa - Heavenly timing, earthly advantage, personal harmony @@ -35,9 +35,16 @@ 残心 - Zanshin - Stay vigilant even after your task is complete. 疾風勁草 - Shippuu Keisou - Strong grass withstands strong wind. 風流韻事 - Fuuryuu Injin - The art of refinement and elegance. -知彼知己 - Chi HI Chi Ki - Know the enemy, know yourself. +知彼知己 - Chi Hi Chi Ki - Know thy enemy, know thyself. 百聞は一見に如かず - Hyakubun Wa Ikken Ni Shikazu - Seeing once is better than hearing a hundred times. 一難去ってまた一難 - Ichinan Satte Mata Ichinan - One difficulty after another. 居安思危 - Kyo An Shi Ki - In times of peace, think of danger. 苦あれば楽あり - Ku Areba Raku Ari - Positive outcomes come from enduring hardships. -禍福は糾える縄の如し - Kafuku Wa Azanaeru Nawa No Gotoshi - Good and bad fortune are intertwined like a rope. \ No newline at end of file +禍福は糾える縄の如し - Kafuku Wa Azanaeru Nawa No Gotoshi - Good and bad fortune are intertwined like a rope. +頑張ってや〜 - Gambatte Ya~ - Do your best! +笑う門には福来たる - Warau Kado Ni Wa Fuku Kitaru - Fortune comes to the house of those who laugh. +一笑一若 - Isshou Ichijaku - One laugh, one youthful spirit. +笑いは心の薬 - Warai Wa Kokoro No Kusuri - Laughter is medicine for the soul. +苦は楽の種 - Ku Wa Raku No Tane - Suffering is the seed of joy. +災い転じて福となす - Wazawai Tenjite Fuku To Nasu - Turn misfortune into fortune. +困難に道あり - Konnan Ni Michi Ari - The obstacle is the way. \ No newline at end of file diff --git a/config/opening_messages.txt b/config/opening_messages.txt index 23aa3bc66..6f1785908 100644 
--- a/config/opening_messages.txt +++ b/config/opening_messages.txt @@ -14,4 +14,5 @@ Fine-tuned for the art of detection~ Forged for the modern-day digital detective~ Cutting through the noise, straight to the threats~ Finding needles in the hay stack~ -Collecting the gold specks in the desert~ \ No newline at end of file +Collecting the gold specks in the desert~ +Since 2021~ \ No newline at end of file From d27d96e4bd1b18b7af9d65543055990b9ac8bc0c Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Mon, 25 Nov 2024 19:51:17 +0900 Subject: [PATCH 02/10] replace equalsfield use with fieldref --- ..._Logon-Type9-NewInteractive_PossibleTokenImpersonation.yml | 4 ++-- hayabusa/sysmon/Sysmon_1_Low_ExeFileRenamed.yml | 4 ++-- hayabusa/sysmon/Sysmon_1_ProcExec_High_LOLBAS-Rename.yml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4624_Med_Logon-Type9-NewInteractive_PossibleTokenImpersonation.yml b/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4624_Med_Logon-Type9-NewInteractive_PossibleTokenImpersonation.yml index c8513d236..b659757e1 100644 --- a/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4624_Med_Logon-Type9-NewInteractive_PossibleTokenImpersonation.yml +++ b/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4624_Med_Logon-Type9-NewInteractive_PossibleTokenImpersonation.yml @@ -1,6 +1,6 @@ author: Zach Mathis date: 2022/04/18 -modified: 2022/12/16 +modified: 2024/11/25 title: Possible Token Impersonation description: Tries to detect token impersonation by tools like Cobalt Strike. 
@@ -18,7 +18,7 @@ detection: selection_TokenImpersonationCharacteristics: LogonType: 9 # New Interactive ImpersonationLevel|contains: 1833 # It is actually %%1833 for Impersonation level of "Impersonation". - SubjectUserName|equalsfield: TargetUserName + SubjectUserName|fieldref: TargetUserName condition: selection_basic and selection_TokenImpersonationCharacteristics falsepositives: - normal system usage diff --git a/hayabusa/sysmon/Sysmon_1_Low_ExeFileRenamed.yml b/hayabusa/sysmon/Sysmon_1_Low_ExeFileRenamed.yml index 6937fd448..f37708b30 100644 --- a/hayabusa/sysmon/Sysmon_1_Low_ExeFileRenamed.yml +++ b/hayabusa/sysmon/Sysmon_1_Low_ExeFileRenamed.yml @@ -1,6 +1,6 @@ author: Zach Mathis date: 2022/12/23 -modified: 2023/11/09 +modified: 2023/11/25 title: 'Renamed Exe File' description: 'This is to detect when an .exe file was renamed. Attackers will often rename malware and lolbas tools in order not to be detected. %OriginalFileName% is the original filename in the PE header when the .exe was compiled.' @@ -18,7 +18,7 @@ detection: EventID: 1 OriginalFileName|endswith: '.exe' FileNameAndOriginalNameAreSame: - Image|endswithfield: OriginalFileName + Image|fieldref|endswith: OriginalFileName FilterUnknown: - OriginalFileName: '\?' - OriginalFileName: '-' diff --git a/hayabusa/sysmon/Sysmon_1_ProcExec_High_LOLBAS-Rename.yml b/hayabusa/sysmon/Sysmon_1_ProcExec_High_LOLBAS-Rename.yml index 256115e12..17e19bdba 100644 --- a/hayabusa/sysmon/Sysmon_1_ProcExec_High_LOLBAS-Rename.yml +++ b/hayabusa/sysmon/Sysmon_1_ProcExec_High_LOLBAS-Rename.yml @@ -1,6 +1,6 @@ author: Zach Mathis date: 2022/04/17 -modified: 2024/10/03 +modified: 2024/11/25 title: 'LOLBAS Renamed' description: This is to detect when a LOLBAS (default Windows binary or script) was renamed in order to hide its execution. OringalFileName is the original filename in the PE header. From my tests, false positives should be low so I rated this as high. 
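Review bot: the `modified:` bump in `hayabusa/sysmon/Sysmon_1_Low_ExeFileRenamed.yml` reads `+modified: 2023/11/25` while the other two rules in this patch and the commit date are 2024/11/25; this is a year typo and should be `2024/11/25`. The `SubjectUserName|fieldref: TargetUserName` and `Image|fieldref|endswith: OriginalFileName` rewrites use exactly the modifier names the README now documents, so rules and documentation stay in sync.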
@@ -136,7 +136,7 @@ detection: - OriginalFileName|endswith: 'xcopy.exe' - OriginalFileName|endswith: 'RoboCopy.exe' filter_OriginalFilenameAndProcessNameIsSame: - Image|endswithfield: OriginalFileName + Image|fieldref|endswith: OriginalFileName condition: selection_basic and selection_OriginalFilenameIsLOLBIN and not filter_OriginalFilenameAndProcessNameIsSame falsepositives: tags: From dbd0dfb223d9a0d43a01172fd14cf927a682ee2d Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Mon, 25 Nov 2024 20:35:36 +0900 Subject: [PATCH 03/10] doc: update japanese readme --- README-Japanese.md | 33 ++++++++++++++++++--------------- README.md | 8 ++++---- 2 files changed, 22 insertions(+), 19 deletions(-) diff --git a/README-Japanese.md b/README-Japanese.md index d4786cf35..120c23880 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -46,7 +46,7 @@ Windowsのイベントログから攻撃を検出するキュレーションさ - [同じ名前の複数のフィールド名からフィールドデータを出力する](#同じ名前の複数のフィールド名からフィールドデータを出力する) - [フィールド修飾子 (Field Modifiers)](#フィールド修飾子-field-modifiers) - [対応しているSigmaのフィールド修飾子](#対応しているsigmaのフィールド修飾子) - - [追加のフィールド修飾子](#追加のフィールド修飾子) + - [非推奨のフィールド修飾子](#非推奨のフィールド修飾子) - [対応していないフィールド修飾子](#対応していないフィールド修飾子) - [ワイルドカード](#ワイルドカード) - [null keyword](#null-keyword) @@ -522,7 +522,7 @@ detection: ``` - `|base64offset|contains`: データは、エンコードされた文字列内の位置によって、3つの異なる方法でbase64にエンコードされます。この修飾子は、文字列を3つのバリエーションにエンコードし、その文字列がbase64文字列のどこかにエンコードされているかどうかをチェックします。 -- `|cased`: Make the search case-sensitive. +- `|cased`: 大文字と小文字を区別して検索します。 - `|cidr`: IPv4またはIPv6のCIDR表記をチェックします。(例:`192.0.2.0/24`) - `|contains`: 指定された文字列が含まれることをチェックします。 - `|contains|all`: 指定された複数の文字列が含まれることをチェックします。 
@@ -532,34 +532,37 @@ detection: - `|endswith|windash`: 指定された文字列で終わることをチェックし、最初の`-`文字を`/`文字に変換し、そのバリエーションもチェックします。 - `|exists`: フィールドが存在するかをチェックします。 - `|fieldref`: 2つのフィールドの値が同じかどうかをチェックする。これは `|equalsfield` 修飾子と同じです。 +- `|fieldref|contains`: 一方のフィールドの値がもう一方のフィールドに含まれているかどうかをチェックします。 +- `|fieldref|endswith`: 左側のフィールドが右側のフィールドの文字列で終わっているかどうかをチェックします。`condition` で `not` を使用することで、それらが異なるかどうかをチェックできます。 +- `|fieldref|startswith`: 左側のフィールドが右側のフィールドの文字列で始まっているかどうかをチェックします。`condition` で `not` を使用することで、それらが異なるかどうかをチェックできます。 +- `|gt`: フィールドの値が指定した数値より大きいかどうかをチェックします。 +- `|gte`: フィールドの値が指定した数値以上かどうかをチェックします。 +- `|lt`: フィールドの値が指定した数値より小さいかどうかをチェックします。 +- `|lte`: フィールドの値が指定した数値以下かどうかをチェックします。 - `|re`: 大文字と小文字を区別する正規表現を使用する。 (regexクレートを使用しているので、サポートされている正規表現の書き方は以下のドキュメントを参照してください。 ) > 注意: [Sigma ルールにおける正規表現の構文](https://github.com/SigmaHQ/sigma-specification/blob/main/appendix/sigma-modifiers-appendix.md#regular-expression) PCREを使用しており、文字クラス、ルックビハインド、アトミック・グルーピングなどの特定のメタ文字はサポートされていません。Rust regex crateはSigmaルールですべての正規表現を使用できるはずですが、互換性がない可能性があります。 - `|re|i`: (Insensitive) 大文字小文字を区別しない正規表現を使用する。 - `|re|m`: (Multi-line) 複数行にまたがってマッチする。`^` / `$` は行頭/行末にマッチする。 - `|re|s`: (Single-line) ドット (`.`) は改行文字を含むすべての文字にマッチする。 - `|startswith`: 指定された文字列で始まることをチェックします。 +- `|utf16|base64offset|contains`: UTF-16文字列がBase64文字列内にエンコードされているかどうかをチェックします。 +- `|utf16be|base64offset|contains`: UTF-16ビッグエンディアンの文字列がBase64文字列内にエンコードされているかどうかをチェックします。 +- `|utf16le|base64offset|contains`: UTF-16リトルエンディアン文字列がBase64文字列内にエンコードされているかどうかをチェックします。 +- `|wide|base64offset|contains`: `utf16le|base64offset|contains` のエイリアスで、UTF-16リトルエンディアンの文字列をチェックします。 -### 追加のフィールド修飾子 +### 非推奨のフィールド修飾子 -以下の修飾子はsigmaの仕様にはないが、特殊な使用例のために追加されたものであります: - -- `|equalsfield`: 指定されたイベントキーと合致することをチェックします。2つのフィールドの値が一致しないことをチェックしたい場合は`condition`で`not`を使ってください。 -- `|endswithfield`: 指定されたイベントキーが指定された文字列で終わることをチェックします。指定されたイベントキーが指定された文字列で終わらないことをチェックしたい場合は`condition`で`not`を使ってください。 +以下の修飾子は非推奨となり、Sigma仕様の修飾子に置き換えられました。 +- `|equalsfield`: 
現在は`|fieldref`に置き換えられています。 +- `|endswithfield`: 現在は `|fieldref|endswith`に置き換えられています。 ## 対応していないフィールド修飾子 -以下の修飾子は、現在サポートされていないため、Sigmaリポジトリでこれらの修飾子を使用するルールは含まれていません: +以下の修飾子は現在サポートされていません: -- `base64ǀutf16be` -- `base64ǀutf16le` -- `base64ǀwide` - `contains|expand` - `expand` -- `gt` -- `gte` -- `lt` -- `lte` ## ワイルドカード diff --git a/README.md b/README.md index 1cb8cd422..2bda76430 100644 --- a/README.md +++ b/README.md @@ -544,10 +544,10 @@ This document is updated every time there is an update to Sigma or Hayabusa rule - `|re|m`: (Multi-line) Match across multiple lines. `^` / `$` match the start/end of line. - `|re|s`: (Single-line) dot (`.`) matches all characters, including the newline character. - `|startswith`: Checks if a field value starts with a certain string. -- `utf16|base64offset|contains`: Checks to see if a certain UTF-16 string is encoded inside a base64 string. -- `utf16be|base64offset|contains`: Checks to see if a certain UTF-16 big-endian string is encoded inside a base64 string. -- `utf16le|base64offset|contains`: Checks to see if a certain UTF-16 little-endian string is encoded inside a base64 string. -- `wide|base64offset|contains`: Alias for `utf16le|base64offset|contains`, checking for UTF-16 little-endian strings. +- `|utf16|base64offset|contains`: Checks to see if a certain UTF-16 string is encoded inside a base64 string. +- `|utf16be|base64offset|contains`: Checks to see if a certain UTF-16 big-endian string is encoded inside a base64 string. +- `|utf16le|base64offset|contains`: Checks to see if a certain UTF-16 little-endian string is encoded inside a base64 string. +- `|wide|base64offset|contains`: Alias for `utf16le|base64offset|contains`, checking for UTF-16 little-endian strings. ### Deprecated Field Modifiers From b504bf5380e114590dcb5f162f71fab81463d878 Mon Sep 17 00:00:00 2001 
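Review bot: in the README-Japanese.md hunk `@@ -532,34 +532,37 @@`, the unchanged `|fieldref` context line still ends with "これは `|equalsfield` 修飾子と同じです" (it is the same as the `|equalsfield` modifier), while the new 非推奨のフィールド修飾子 section a few lines below says `|equalsfield` has been replaced by `|fieldref`; README.md dropped that sentence and instead notes that `not` in `condition` tests for inequality, so mirror that wording here. The README.md hunk `@@ -544,10 +544,10 @@` restoring the leading `|` on the four `utf16`/`wide` entries brings them in line with the rest of the list.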
From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Mon, 25 Nov 2024 20:41:17 +0900 Subject: [PATCH 04/10] doc: update supported-modifier.py --- doc/SupportedSigmaFieldModifiers.md | 54 +++++++++---------- .../supported-modifier.py | 2 +- 2 files changed, 28 insertions(+), 28 deletions(-) diff --git a/doc/SupportedSigmaFieldModifiers.md b/doc/SupportedSigmaFieldModifiers.md index 9909f4705..e21e350a8 100644 --- a/doc/SupportedSigmaFieldModifiers.md +++ b/doc/SupportedSigmaFieldModifiers.md 
@@ -1,41 +1,41 @@ # Hayabusa supported field modifiers -| Field Modifier | Sigma Count | Hayabusa Count | -|:----------------------|--------------:|-----------------:| -| all | 13 | 0 | -| base64offsetǀcontains | 7 | 0 | -| cased | 0 | 0 | -| cidr | 34 | 0 | -| contains | 2763 | 21 | -| containsǀall | 977 | 0 | -| containsǀallǀwindash | 4 | 0 | -| containsǀwindash | 78 | 0 | -| endswith | 2915 | 271 | -| endswithfield | 0 | 2 | -| endswithǀwindash | 2 | 0 | -| equalsfield | 0 | 1 | -| exists | 0 | 0 | -| fieldref | 1 | 0 | -| fieldrefǀendswith | 0 | 0 | -| re | 167 | 11 | -| reǀi | 0 | 0 | -| reǀm | 0 | 0 | -| reǀs | 0 | 0 | -| startswith | 443 | 6 | - -# Hayabusa unsupported field modifiers | Field Modifier | Sigma Count | Hayabusa Count | |:------------------------------|--------------:|-----------------:| -| containsǀexpand | 1 | 0 | -| expand | 9 | 0 | +| all | 13 | 0 | +| base64offsetǀcontains | 7 | 0 | +| cased | 0 | 0 | +| cidr | 34 | 0 | +| contains | 2761 | 21 | +| containsǀall | 977 | 0 | +| containsǀallǀwindash | 4 | 0 | +| containsǀwindash | 78 | 0 | +| endswith | 2915 | 271 | +| endswithfield | 0 | 0 | +| endswithǀwindash | 2 | 0 | +| equalsfield | 0 | 0 | +| exists | 0 | 0 | +| fieldref | 1 | 1 | +| fieldrefǀendswith | 0 | 2 | | gt | 0 | 0 | | gte | 0 | 0 | | lt | 0 | 0 | | lte | 0 | 0 | +| re | 167 | 11 | +| reǀi | 0 | 0 | +| reǀm | 0 | 0 | +| reǀs | 0 | 0 | +| startswith | 443 | 6 | | utf16beǀbase64offsetǀcontains | 0 | 0 | | utf16leǀbase64offsetǀcontains | 0 | 0 | | utf16ǀbase64offsetǀcontains | 0 | 0 | | wideǀbase64offsetǀcontains | 0 | 0 | +# Hayabusa unsupported field modifiers +| Field Modifier | Sigma Count | Hayabusa Count | +|:-----------------|--------------:|-----------------:| +| containsǀexpand | 1 | 0 | +| expand | 9 | 0 | + # Hayabusa supported correlation rules | Correlation Rule | Sigma Count | Hayabusa Count | |:----------------------------|--------------:|-----------------:| 
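Review bot: in the `doc/SupportedSigmaFieldModifiers.md` hunk `@@ -1,41 +1,41 @@`, `endswithfield` and `equalsfield` remain in the supported table (now 0/0 after the rule rewrites in PATCH 02) even though README.md lists them as deprecated; mark them deprecated in the table or drop them once their counts are zero, otherwise the table invites new rules to keep using them. Moving `gt`/`gte`/`lt`/`lte` and the `utf16*`/`wide` chains into the supported table matches the README change in PATCH 01.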
@@ -51,5 +51,5 @@ | temporal_count (with group-by) | 0 | 0 | This document is being dynamically updated based on the latest rules. -Last Update: 2024/11/19 +Last Update: 2024/11/25 Author: Fukusuke Takahashi \ No newline at end of file diff --git a/scripts/supported_modifiers_check/supported-modifier.py b/scripts/supported_modifiers_check/supported-modifier.py index 96ef95ecd..9893b9c9a 100644 --- a/scripts/supported_modifiers_check/supported-modifier.py +++ b/scripts/supported_modifiers_check/supported-modifier.py @@ -103,7 +103,7 @@ def categorize_modifiers(sigma_key_counter, hayabusa_key_counter, hayabusa_suppo sigma_mod_counter, sigma_col_counter = get_yml_detection_counts(args.sigma_path) hayabusa_mod_counter, hayabusa_col_counter = get_yml_detection_counts(args.hayabusa_path) - hayabusa_supported_modifiers = {"all", "base64offset", "contains", "cidr", "windash", "endswith", "startswith", "re", "exists", "cased", "re", "re|i", "re|m", "re|s" , 'equalsfield', 'endswithfield', 'fieldref'} + hayabusa_supported_modifiers = {"all", "base64offset", "contains", "cidr", "windash", "endswith", "startswith", "re", "exists", "cased", "re", "re|i", "re|m", "re|s" , 'equalsfield', 'endswithfield', 'fieldref', 'gt', 'gte', 'lt', 'lte', 'utf16', 'utf16be', 'utf16le', 'wide'} mod_supported, mod_unsupported = categorize_modifiers(sigma_mod_counter, hayabusa_mod_counter, hayabusa_supported_modifiers) hayabusa_supported_modifiers = {"event_count", "event_count (with group-by)", "value_count", "value_count (with group-by)"} From c8676fdefc269d88c3f79409b8aa1e694d046865 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Mon, 25 Nov 2024 20:45:02 +0900 Subject: [PATCH 05/10] doc: update supported-modifier.py --- doc/SupportedSigmaFieldModifiers.md | 2 ++ scripts/supported_modifiers_check/supported-modifier.py | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) 
diff --git a/doc/SupportedSigmaFieldModifiers.md b/doc/SupportedSigmaFieldModifiers.md index e21e350a8..33fd1b486 100644 --- a/doc/SupportedSigmaFieldModifiers.md +++ b/doc/SupportedSigmaFieldModifiers.md @@ -15,7 +15,9 @@ | equalsfield | 0 | 0 | | exists | 0 | 0 | | fieldref | 1 | 1 | +| fieldrefǀcontains | 0 | 0 | | fieldrefǀendswith | 0 | 2 | +| fieldrefǀstartswith | 0 | 0 | | gt | 0 | 0 | | gte | 0 | 0 | | lt | 0 | 0 | diff --git a/scripts/supported_modifiers_check/supported-modifier.py b/scripts/supported_modifiers_check/supported-modifier.py index 9893b9c9a..84658c02b 100644 --- a/scripts/supported_modifiers_check/supported-modifier.py +++ b/scripts/supported_modifiers_check/supported-modifier.py @@ -64,7 +64,7 @@ def get_yml_detection_counts(dir_path: str) -> (Counter, Counter): sigma_modifiers = [ 'all', 'startswith', 'endswith', 'contains', 'exists', 'cased', 'windash', 're', 're|i', 're|m', 're|s', 'base64', 'base64offset', 'utf16le|base64offset|contains', 'utf16be|base64offset|contains', 'utf16|base64offset|contains', 'wide|base64offset|contains', - 'lt', 'lte', 'gt', 'gte', 'cidr', 'expand', 'fieldref', 'fieldref|endswith', 'equalsfield', 'endswithfield' + 'lt', 'lte', 'gt', 'gte', 'cidr', 'expand', 'fieldref', 'fieldref|startswith', 'fieldref|contains','fieldref|endswith', 'equalsfield', 'endswithfield' ] sigma_correlations = [ "value_count", "value_count (with group-by)", "event_count", "event_count (with group-by)", From 7c6fc8ef932d23d7c834c68282c366ed83aca38b Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Mon, 25 Nov 2024 20:45:46 +0900 Subject: [PATCH 06/10] markdown formatting --- scripts/supported_modifiers_check/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/supported_modifiers_check/README.md b/scripts/supported_modifiers_check/README.md index 56187ffe1..911f93a46 100644 --- a/scripts/supported_modifiers_check/README.md 
+++ b/scripts/supported_modifiers_check/README.md @@ -16,5 +16,5 @@ This script will create a markdown table of the field modifiers being used by Si # Authors -Fukusuke Takahashi -Zach Mathis \ No newline at end of file +* Fukusuke Takahashi +* Zach Mathis \ No newline at end of file From 3e7a081da330c9e1cc7c5313397090277e21e546 Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Mon, 25 Nov 2024 20:52:35 +0900 Subject: [PATCH 07/10] add cased to supported modifiers --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 2bda76430..0e6583124 100644 --- a/README.md +++ b/README.md @@ -526,8 +526,10 @@ This document is updated every time there is an update to Sigma or Hayabusa rule - `|contains`: Checks if a field value contains a certain string. - `|contains|all`: Checks if multiple words are contained in the data. - `|contains|all|windash`: Same as `|contains|windash` but all of the keywords need to be present. +- `|contains|cased`: Checks if a field value contains a certain case-sensitive string. - `|contains|windash`: Will check the string as-is, as well as convert the first `-` character to a `/` character and check that variation as well. - `|endswith`: Checks if a field value ends with a certain string. +- `|endswith|cased`: Checks if a field value ends with a certain case-sensitive string. - `|endswith|windash`: Checks the end of the string and performs variations for dashes. - `|exists`: Checks if a field exists. - `|fieldref`: Checks to see if the values in two fields are the same. You can use `not` in the `condition` if you want to check if two fields are different. 
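Review bot: in the README.md hunk `@@ -526,8 +526,10 @@`, `|contains|cased` and `|endswith|cased` are added as separate entries, but `|contains|all|cased` (or `|contains|cased|all`) is not listed although `|contains|all|windash` is; if the `all` and `cased` combination is supported, list it for consistency, and if not, say so under Unsupported Field Modifiers so rule authors do not assume it works.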
@@ -544,6 +546,7 @@ This document is updated every time there is an update to Sigma or Hayabusa rule - `|re|m`: (Multi-line) Match across multiple lines. `^` / `$` match the start/end of line. - `|re|s`: (Single-line) dot (`.`) matches all characters, including the newline character. - `|startswith`: Checks if a field value starts with a certain string. +- `|startswith|cased`: Checks if a field value starts with a certain case-sensitive string. - `|utf16|base64offset|contains`: Checks to see if a certain UTF-16 string is encoded inside a base64 string. - `|utf16be|base64offset|contains`: Checks to see if a certain UTF-16 big-endian string is encoded inside a base64 string. - `|utf16le|base64offset|contains`: Checks to see if a certain UTF-16 little-endian string is encoded inside a base64 string. From 51ff3604b518d547c7678ced81d26ea12bd60842 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Mon, 25 Nov 2024 21:11:44 +0900 Subject: [PATCH 08/10] doc: update japanese readme --- README-Japanese.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README-Japanese.md b/README-Japanese.md index 120c23880..503b0efa7 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -527,8 +527,10 @@ detection: - `|contains`: 指定された文字列が含まれることをチェックします。 - `|contains|all`: 指定された複数の文字列が含まれることをチェックします。 - `|contains|all|windash`: `contains|windash`と同じですが、すべてのキーワードが存在する必要があります。 +- `|contains|cased`: フィールドの値が指定された大文字小文字を区別する文字列を含むかをチェックします。 - `|contains|windash`: 文字列をそのままチェックするだけでなく、最初の`-`文字を`/`文字に変換し、そのバリエーションもチェックします。 - `|endswith`: 指定された文字列で終わることをチェックします。 +- `|endswith|cased`: フィールドの値が指定された大文字小文字を区別する文字列で終わることをチェックします。 - `|endswith|windash`: 指定された文字列で終わることをチェックし、最初の`-`文字を`/`文字に変換し、そのバリエーションもチェックします。 - `|exists`: フィールドが存在するかをチェックします。 - `|fieldref`: 2つのフィールドの値が同じかどうかをチェックする。これは `|equalsfield` 修飾子と同じです。 
@@ -545,6 +547,7 @@ detection: - `|re|m`: (Multi-line) 複数行にまたがってマッチする。`^` / `$` は行頭/行末にマッチする。 - `|re|s`: (Single-line) ドット (`.`) は改行文字を含むすべての文字にマッチする。 - `|startswith`: 指定された文字列で始まることをチェックします。 +- `|startswith|cased`: フィールドの値が指定された大文字小文字を区別する文字列で始まるかをチェックします。 - `|utf16|base64offset|contains`: UTF-16文字列がBase64文字列内にエンコードされているかどうかをチェックします。 - `|utf16be|base64offset|contains`: UTF-16ビッグエンディアンの文字列がBase64文字列内にエンコードされているかどうかをチェックします。 - `|utf16le|base64offset|contains`: UTF-16リトルエンディアン文字列がBase64文字列内にエンコードされているかどうかをチェックします。 From 03aa64e27a64c0cdc6d7df483eb919fb6bba0991 Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Mon, 25 Nov 2024 21:13:03 +0900 Subject: [PATCH 09/10] explain windash more --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0e6583124..d6555dcbe 100644 --- a/README.md +++ b/README.md @@ -527,7 +527,7 @@ This document is updated every time there is an update to Sigma or Hayabusa rule - `|contains|all`: Checks if multiple words are contained in the data. - `|contains|all|windash`: Same as `|contains|windash` but all of the keywords need to be present. - `|contains|cased`: Checks if a field value contains a certain case-sensitive string. -- `|contains|windash`: Will check the string as-is, as well as convert the first `-` character to a `/` character and check that variation as well. +- `|contains|windash`: Will check the string as-is, as well as convert the first `-` character to `/`, `–` (en dash), `—` (em dash), and `―` (horizontal bar) character permutations. - `|endswith`: Checks if a field value ends with a certain string. - `|endswith|cased`: Checks if a field value ends with a certain case-sensitive string. - `|endswith|windash`: Checks the end of the string and performs variations for dashes. From 37cf0761abbd9fa4aeed8f4fd102751006ac72a4 Mon Sep 17 00:00:00 2001 
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Mon, 25 Nov 2024 21:16:02 +0900 Subject: [PATCH 10/10] update windash JP --- README-Japanese.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README-Japanese.md b/README-Japanese.md index 503b0efa7..05090f87a 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -531,7 +531,7 @@ detection: - `|contains|windash`: 文字列をそのままチェックするだけでなく、最初の`-`文字を`/`文字に変換し、そのバリエーションもチェックします。 - `|endswith`: 指定された文字列で終わることをチェックします。 - `|endswith|cased`: フィールドの値が指定された大文字小文字を区別する文字列で終わることをチェックします。 -- `|endswith|windash`: 指定された文字列で終わることをチェックし、最初の`-`文字を`/`文字に変換し、そのバリエーションもチェックします。 +- `|endswith|windash`: 指定された文字列で終わることをチェックし、最初の`-`文字を`/`、`–` (en dash)、`—` (em dash)、`―` (horizontal bar)文字のバリエーションに変換し、チェックします。 - `|exists`: フィールドが存在するかをチェックします。 - `|fieldref`: 2つのフィールドの値が同じかどうかをチェックする。これは `|equalsfield` 修飾子と同じです。 - `|fieldref|contains`: 一方のフィールドの値がもう一方のフィールドに含まれているかどうかをチェックします。