Case sensitive Elastic/ELK #3003

amjcyber · 2022-05-10T10:47:43Z

amjcyber
May 10, 2022

Hi there!
I was translating and testing some rules and I notice that for the case insensitive the sigmac creates a pattern like [Aa][Bb]...
The point is that for having no case sensitive the field "process.command_line" can be convert into "process.command_line.text" where doesn't matter lower or upper case.
Example:
Input:
python tools/sigmac -t es-qs -c tools/config/winlogbeat-modules-enabled.yml --backend-option keyword_base_fields="*" --backend-option analyzed_sub_field_name=".text" --backend-option keyword_whitelist="winlog.channel,winlog.event_id" --backend-option case_insensitive_whitelist="*" --backend-option analyzed_sub_fields="TargetUserName, SourceUserName, TargetHostName, CommandLine, ProcessName, ParentProcessName, ParentImage, Image" .\rules\windows\process_creation\proc_creation_win_susp_firewall_disable.yml
Output:
((process.command_line:/.*[Nn][Ee][Tt][Ss][Hh].*/ AND process.command_line:/.*[Ff][Ii][Rr][Ee][Ww][Aa][Ll][Ll].*/ AND process.command_line:/.*[Ss][Ee][Tt].*/ AND process.command_line:/.*[Oo][Pp][Mm][Oo][Dd][Ee].*/ AND process.command_line:/.*[Mm][Oo][Dd][Ee]\=[Dd][Ii][Ss][Aa][Bb][Ll][Ee].*/) OR (process.command_line:/.*[Nn][Ee][Tt][Ss][Hh].*/ AND process.command_line:/.*[Aa][Dd][Vv][Ff][Ii][Rr][Ee][Ww][Aa][Ll][Ll].*/ AND process.command_line:/.*[Ss][Ee][Tt].*/ AND process.command_line:/.*[Ss][Tt][Aa][Tt][Ee].*/ AND process.command_line:/.*[Oo][Ff][Ff].*/))

Better solution:
((process.command_line.text:*netsh* AND process.command_line.text:*firewall* AND process.command_line:*set* AND process.command_line.text:*opmode* AND process.command_line.text:*mode\=disable*) OR (process.command_line.text:*netsh* AND process.command_line.text:*advfirewall* AND process.command_line.text:*set* AND process.command_line.text:*state* AND process.command_line.text:*off*))

frack113 · 2022-05-11T17:17:14Z

frack113
May 11, 2022
Maintainer

Elastic is very tricky
I used keyword_blacklist option

python tools/sigmac -t es-qs -c tools/config/winlogbeat-modules-enabled.yml
 --backend-option analyzed_sub_field_name=".text"
 --backend-option keyword_whitelist="winlog.channel,winlog.event_id"
 --backend-option case_insensitive_whitelist="*" 
 --backend-option analyzed_sub_fields="TargetUserName, SourceUserName, TargetHostName, CommandLine, ProcessName, ParentProcessName, ParentImage, Image"
 --backend-option keyword_blacklist="process.command_line" 
.\rules\windows\process_creation\proc_creation_win_susp_firewall_disable.yml

give

((process.command_line.text:*netsh* AND process.command_line.text:*firewall* AND process.command_line.text:*set* AND process.command_line.text:*opmode* AND process.command_line.text:*mode\=disable*) OR (process.command_line.text:*netsh* AND process.command_line.text:*advfirewall* AND process.command_line.text:*set* AND process.command_line.text:*state* AND process.command_line.text:*off*))

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Case sensitive Elastic/ELK #3003

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Case sensitive Elastic/ELK #3003

amjcyber May 10, 2022

Replies: 1 comment

frack113 May 11, 2022 Maintainer

amjcyber
May 10, 2022

frack113
May 11, 2022
Maintainer