
feat: Sysmon registry rule conversion #549

Merged
merged 9 commits into main from 476-sysmon-registry-conversion
Dec 19, 2023

Conversation

fukusuket
Collaborator

@fukusuket fukusuket commented Dec 17, 2023

What Changed

Evidence

Test Environment

  • OS: macOS Sonoma version 14.0
  • Hardware: MacBook Air (M1, 2020), 8GB memory, 8 cores
  • Python 3.11.1
  • Hayabusa 2.12.0-dev

I would appreciate it if you could review when you have time🙏

@fukusuket fukusuket self-assigned this Dec 17, 2023
@fukusuket fukusuket added the bug (Something isn't working) and enhancement (New feature or request) labels Dec 17, 2023
@fukusuket
Collaborator Author

fukusuket commented Dec 18, 2023

Test1 (Sysmon 12/13/14 -> Sec 4657 field conversion works)

registry_add

title: Potential NetWire RAT Activity - Registry
id: 1d218616-71b0-4c40-855b-9dbe75510f7f

before

detection:
    registry_add:
        EventID: 4657
        Channel: Security
    selection:
        EventType: CreateKey
        TargetObject|contains: \software\NetWire
    condition: registry_add and selection

after

detection:
    registry_add:
        EventID: 4657
        Channel: Security
    selection:
        OperationType: '%%1904'
        ObjectName|contains: \software\NetWire
    condition: registry_add and selection

registry_set

title: Registry Persistence via Service in Safe Mode
id: 1547e27c-3974-43e2-a7d7-7f484fb928ec

before

detection:
    registry_set:
        EventID: 4657
        Channel: Security
    selection:
        TargetObject|startswith:
            - HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
            - HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
        TargetObject|endswith: \(Default)
        Details: Service
    filter_sophos:
        Image: C:\WINDOWS\system32\msiexec.exe
        TargetObject:
            - HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SAVService\(Default)
            - HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SAVService\(Default)
    condition: registry_set and (selection and not 1 of filter_*)

after

detection:
    registry_set:
        EventID: 4657
        Channel: Security
    selection:
        ObjectName|startswith:
            - \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
            - \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
        ObjectName|endswith: \(Default)
        NewValue: Service
    filter_sophos:
        ProcessName: C:\WINDOWS\system32\msiexec.exe
        ObjectName:
            - \REGISTRY\MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\SAVService\(Default)
            - \REGISTRY\MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\SAVService\(Default)
    condition: registry_set and (selection and not 1 of filter_*)

registry_event

title: HybridConnectionManager Service Installation - Registry
id: ac8866c7-ce44-46fd-8c17-b24acff96ca8

before

detection:
    registry_event:
        EventID: 4657
        Channel: Security
    selection1:
        TargetObject|contains: \Services\HybridConnectionManager
    selection2:
        EventType: SetValue
        Details|contains: Microsoft.HybridConnectionManager.Listener.exe
    condition: registry_event and (selection1 or selection2)

after

detection:
    registry_event:
        EventID: 4657
        Channel: Security
    selection1:
        ObjectName|contains: \Services\HybridConnectionManager
    selection2:
        OperationType: '%%1905'
        NewValue|contains: Microsoft.HybridConnectionManager.Listener.exe
    condition: registry_event and (selection1 or selection2)

Known issue

According to the investigation in #476 (comment), strictly speaking, TargetObject should be converted to a set of ObjectName and ObjectValueName... but with the startswith/contains modifiers, I think ObjectName seems to cover many cases. Also, the exact conversion logic to ObjectValueName is quite complex and is therefore not covered by this PR.

@fukusuket
Collaborator Author

fukusuket commented Dec 18, 2023

Test2 (There are no unnecessary rule file differences)

I confirmed that there are no differences in rules other than the registry before and after the fix, as shown below.

% diff -qr converted_sigma_rules_old converted_sigma_rules_new | wc -l
     240
% diff -qr converted_sigma_rules_old converted_sigma_rules_new | grep builtin/ | grep registry | wc -l
     240

hayabusa-sample-evtx

% ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -o new.csv -r converted_sigma_rules_new -w -C
% ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -o old.csv -r converted_sigma_rules_old -w -C
% diff old.csv new.csv
%

(There was no event log for EID 4657 in hayabusa-sample-evtx ...)

@fukusuket
Collaborator Author

fukusuket commented Dec 18, 2023

Test3 (benchmark)

I took a benchmark with evtx-baseline v0.8 and got the following results (and the CSV result has no diff).

Rule      Elapsed time   Memory   hits / Total
main      00:07:21.603   2.0 GiB  38,048 / 6,611,184
This PR   00:07:29.369   2.0 GiB  38,048 / 6,611,184

@fukusuket fukusuket marked this pull request as ready for review December 18, 2023 13:54
@fukusuket
Collaborator Author

fukusuket commented Dec 19, 2023

Test4

Since there is no log for EID 4657 in hayabusa-sample-evtx, I checked the following output on my Windows 11 machine using regedit.

registry_set (HKU)

logsource:
    product: windows
    category: registry_set
detection:
    registry_set:
        EventID: 4657
        Channel: Security
        OperationType: '%%1905'
    condition: registry_set
{
    "Timestamp": "2023-12-16 15:11:45.452 +09:00",
    "Computer": "DESKTOP-BPR17M9",
    "Channel": "Sec",
    "EventID": 4657,
    "Level": "info",
    "RecordID": 1700,
    "RuleTitle": "TEST",
    "Details": {
        "HandleId": "0x2c8",
        "NewValue": "bbb",
        "NewValueType": "%%1873",
        "ObjectName": "\\REGISTRY\\USER\\S-1-5-21-2638832841-851990822-580981174-1001\\Software\\MyCo\\bar",
        "ObjectValueName": "ssss",
        "OldValue": "",
        "OldValueType": "%%1873",
        "OperationType": "%%1905",
        "ProcessId": "0x1808",
        "ProcessName": "C:\\Windows\\regedit.exe",
        "SubjectDomainName": "DESKTOP-BPR17M9",
        "SubjectLogonId": "0xb026b",
        "SubjectUserName": "user1",
        "SubjectUserSid": "S-1-5-21-2638832841-851990822-580981174-1001"
    },
    "ExtraFieldInfo": {
    }
}

registry_add (HKLM)

detection:
    registry_add:
        EventID: 4657
        Channel: Security
        OperationType: '%%1904'
    condition: registry_add
{
    "Timestamp": "2023-12-16 13:04:46.861 +09:00",
    "Computer": "DESKTOP-BPR17M9",
    "Channel": "Sec",
    "EventID": 4657,
    "Level": "info",
    "RecordID": 1622,
    "RuleTitle": "TEST",
    "Details": {
        "HandleId": "0x374",
        "NewValue": "",
        "NewValueType": "%%1873",
        "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\MyCo",
        "ObjectValueName": "str",
        "OldValue": "-",
        "OldValueType": "-",
        "OperationType": "%%1904",
        "ProcessId": "0x8a4",
        "ProcessName": "C:\\Windows\\regedit.exe",
        "SubjectDomainName": "DESKTOP-BPR17M9",
        "SubjectLogonId": "0x11cc83",
        "SubjectUserName": "user1",
        "SubjectUserSid": "S-1-5-21-2638832841-851990822-580981174-1001"
    },
    "ExtraFieldInfo": {
    }
}

registry_delete (HKLM)

detection:
    registry_delete:
        EventID: 4657
        Channel: Security
        OperationType: '%%1906'   # %%1906 = registry value deleted, as in the record below
    condition: registry_delete
{
    "Timestamp": "2023-12-16 13:00:41.239 +09:00",
    "Computer": "DESKTOP-BPR17M9",
    "Channel": "Sec",
    "EventID": 4657,
    "Level": "info",
    "RecordID": 1598,
    "RuleTitle": "TEST",
    "Details": {
        "HandleId": "0x340",
        "NewValue": "-",
        "NewValueType": "-",
        "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\MyCo",
        "ObjectValueName": "str",
        "OldValue": "val",
        "OldValueType": "%%1873",
        "OperationType": "%%1906",
        "ProcessId": "0x17f4",
        "ProcessName": "C:\\Windows\\regedit.exe",
        "SubjectDomainName": "DESKTOP-BPR17M9",
        "SubjectLogonId": "0x11cc83",
        "SubjectUserName": "user1",
        "SubjectUserSid": "S-1-5-21-2638832841-851990822-580981174-1001"
    },
    "ExtraFieldInfo": {
    }
}
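The three Test4 records above give a small corpus to check converted selections against. The following added example (not Hayabusa code; Hayabusa's own matcher is in Rust) evaluates Sigma-style selections, with the `startswith`/`contains`/`endswith` modifiers and case-insensitive comparison Sigma defines, over records constructed from the Test4 output (trimmed to the fields used, with Channel written out as `Security` where Hayabusa's output abbreviates it to `Sec`). It also shows the known issue in practice: the value name that Sysmon appends to TargetObject lives in ObjectValueName in 4657, so an `ObjectName|endswith` check on a value name cannot match. The `sysmon_target_object` helper, which rebuilds a Sysmon-style TargetObject from ObjectName plus ObjectValueName, is this example's own approach to that gap and is not something the PR implements.

```python
"""Added example (not Hayabusa code): evaluate converted 4657 selections over
the Test4 records and show the ObjectName / ObjectValueName split."""

# Constructed from the three Test4 records above (fields not used here dropped).
RECORDS = [
    {"EventID": 4657, "Channel": "Security", "OperationType": "%%1905",
     "ObjectName": "\\REGISTRY\\USER\\S-1-5-21-2638832841-851990822-580981174-1001\\Software\\MyCo\\bar",
     "ObjectValueName": "ssss", "NewValue": "bbb",
     "ProcessName": "C:\\Windows\\regedit.exe"},
    {"EventID": 4657, "Channel": "Security", "OperationType": "%%1904",
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\MyCo", "ObjectValueName": "str",
     "NewValue": "", "ProcessName": "C:\\Windows\\regedit.exe"},
    {"EventID": 4657, "Channel": "Security", "OperationType": "%%1906",
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\MyCo", "ObjectValueName": "str",
     "NewValue": "-", "ProcessName": "C:\\Windows\\regedit.exe"},
]

# The three test selections from Test4 (registry_delete uses %%1906, the
# OperationType shown in its record).
REGISTRY_SET = {"EventID": 4657, "Channel": "Security", "OperationType": "%%1905"}
REGISTRY_ADD = {"EventID": 4657, "Channel": "Security", "OperationType": "%%1904"}
REGISTRY_DELETE = {"EventID": 4657, "Channel": "Security", "OperationType": "%%1906"}


def _match_one(modifier, expected, actual) -> bool:
    """Compare one expected value to a record field; Sigma string matching is
    case-insensitive, so both sides are lower-cased."""
    e, a = str(expected).lower(), str(actual).lower()
    if modifier is None:
        return a == e
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "contains":
        return e in a
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection: dict, record: dict) -> bool:
    """All keys of a selection must match (AND); a list of values is OR."""
    for key, expected in selection.items():
        field, *mods = key.split("|")
        modifier = mods[0] if mods else None
        if field not in record:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_one(modifier, v, record[field]) for v in values):
            return False
    return True


def matching_indexes(selection: dict) -> list:
    """Indexes of RECORDS that the selection matches."""
    return [i for i, r in enumerate(RECORDS) if selection_matches(selection, r)]


def sysmon_target_object(record: dict) -> str:
    """Rebuild a Sysmon-style TargetObject (key path + '\\' + value name) from a
    4657 record. This reverse mapping is this example's way around the known
    issue and is not what the PR does."""
    path = record["ObjectName"]
    for sec_prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"),
                             ("\\REGISTRY\\USER\\", "HKU\\")):
        if path.upper().startswith(sec_prefix):
            path = hive + path[len(sec_prefix):]
            break
    return f"{path}\\{record['ObjectValueName']}"


if __name__ == "__main__":
    for name, sel in (("set", REGISTRY_SET), ("add", REGISTRY_ADD), ("delete", REGISTRY_DELETE)):
        print(name, matching_indexes(sel))
    print(matching_indexes({"ObjectName|endswith": "\\MyCo\\str"}))   # value name is not in ObjectName
    print([sysmon_target_object(r) for r in RECORDS])
```

Each of the three Test4 selections matches exactly one record, as the RuleTitle "TEST" hits above indicate. The `ObjectName|startswith: \REGISTRY\MACHINE\SOFTWARE\MyCo` form that the PR's conversion produces catches both HKLM records, while an `endswith` on `\MyCo\str` matches nothing because `str` is reported in ObjectValueName; a rule that depends on the value name has to check that field (or match on a rebuilt TargetObject) rather than rely on the ObjectName shortcut.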

@YamatoSecurity YamatoSecurity merged commit 1929efd into main Dec 19, 2023
2 checks passed
@YamatoSecurity YamatoSecurity deleted the 476-sysmon-registry-conversion branch December 19, 2023 10:15
Successfully merging this pull request may close these issues.

Incomplete field conversion in registry_xx rules