SigmaHQ/pySigma-backend-elasticsearch

Wildcard format issue

eliranDream opened this issue · 4 comments

Hello There,
I tried to convert the "proc_creation_win_susp_remote_desktop_tunneling.yml" sigma rule to elasticsearch via the ecs_windows pipeline, as you can see here:

sigma convert --target elasticsearch -p ecs_windows "proc_creation_win_susp_remote_desktop_tunneling.yml" --format siem_rule

And I get the following answer as a response:
"process.command_line:*\\:3389* AND (process.command_line:(\"*\\ \\-L\\ *\" OR \"*\\ \\-P\\ *\" OR \"*\\ \\-R\\ *\" OR \"*\\ \\-pw\\ *\" OR \"*\\ \\-ssh\\ *\"))"

When I tried to check this query as a "query_string" it didn't find any hits.
I looked a little deeper into it and found the issue is related to the first part of the query - "process.command_line:*\\:3389*"
I tried sending it in a few other permutations that worked:
"process.command_line:\\:3389"
"process.command_line:\"*\\:3389*\""

Do you know where the problem is? Is there any workaround?

I am facing a similar problem with * and "

sigma convert -t lucene -f siem_rule_ndjson -p ecs_windows ./proc_creation_win_certutil_decode.yml -o sigma.ndjson

Query from Sigma
(process.executable:*\\certutil.exe OR process.pe.original_file_name:CertUtil.exe) AND (process.command_line:("*\-decode\ *" OR "*\/decode\ *" OR "*\-decodehex\ *" OR "*\/decodehex\ *"))

No hits from above query on ELK 8.10

There is some problem in command_line when " and * are used at the same time; after removing the double quotes it works fine.

This one works
(process.executable:*\\certutil.exe OR process.pe.original_file_name:CertUtil.exe) AND (process.command_line:(*\-decode\ * OR *\/decode\ * OR *\-decodehex* OR *\/decodehex\ * ))

Some more details about wildcards and ":
https://discuss.elastic.co/t/wildcard-query-not-working-as-expected/84447

Could you please check ?

@Securityinbits and @eliranDream
I've just approved and merged the PR from @Koen1999 which may also solve your issues. A new version will be available soon.
Would you give it a try?

@andurin Thank you for working on this. I checked the sigma-rules.zip and it looks good to me.

Sharing one more example for reference

Src:
https://github.com/SigmaHQ/sigma/blob/be359ef3f2a7962dfbdbc705c4f532d6b2f440a5/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml#L30

This one doesn't work
(process.executable:*\\bitsadmin.exe OR process.pe.original_file_name:bitsadmin.exe) AND (process.command_line:"*\ \/transfer\ *" OR ((process.command_line:("*\ \/create\ *" OR "*\ \/addfile\ *")) AND process.command_line:*http*))

This one works after removing " manually
(process.executable:*\\bitsadmin.exe OR process.pe.original_file_name:bitsadmin.exe) AND (process.command_line:*\ \/transfer\ * OR ((process.command_line:(*\ \/create\ * OR *\ \/addfile\ *)) AND process.command_line:*http*))

Using this command to generate the ndjson file:
sigma convert -t lucene -f siem_rule_ndjson -p ecs_windows ./rules/windows -o basic_windows.ndjson
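The failure reported in the certutil and bitsadmin posts above has one cause: in Lucene query_string syntax a double-quoted term is a phrase query, and a `*` inside a phrase is matched as literal text rather than expanded as a wildcard, so `process.command_line:"*\-decode\ *"` can never hit while the bare `*\-decode\ *` does. The following is an added example, not code from pySigma or the backend, that lints `siem_rule_ndjson` output for this pattern and applies the same fix the posters applied by hand (drop the quotes, keep the backslash escaping). The helper names, the constructed `SAMPLE_NDJSON` and the `RESERVED` character set are this example's own assumptions; the `CERTUTIL_QUERY` string is the converter output quoted in the thread. It assumes the converter has already backslash-escaped reserved characters inside phrases, as the thread output shows, and it does not handle the two-character `&&`/`||` operators.

```python
import json
import re

# A double-quoted Lucene phrase; backslash-escaped pairs inside it are consumed whole,
# so an escaped quote (\") does not terminate the phrase early.
PHRASE_RE = re.compile(r'"((?:\\.|[^"\\])*)"')

# Lucene query_string reserved characters that must be escaped in a bare term
# (assumed set for this example). '*' and '?' are deliberately absent: they are
# the wildcards we want to keep live. The two-character && and || are not handled.
RESERVED = set('+-=!(){}[]^~:/<>"')


def _has_unescaped_wildcard(body: str) -> bool:
    """True if a phrase body contains a * or ? that is not preceded by a backslash."""
    stripped = re.sub(r'\\.', '', body)   # drop escaped pairs first
    return '*' in stripped or '?' in stripped


def _escape_bare(body: str) -> str:
    """Escape whitespace and reserved characters that are not already escaped,
    so the phrase survives as one bare term once its quotes are removed."""
    out = []
    i = 0
    while i < len(body):
        c = body[i]
        if c == '\\' and i + 1 < len(body):     # keep an existing escape pair as-is
            out.append(body[i:i + 2])
            i += 2
            continue
        out.append('\\' + c if (c.isspace() or c in RESERVED) else c)
        i += 1
    return ''.join(out)


def quoted_wildcard_phrases(query: str) -> list:
    """Return every quoted phrase in `query` carrying an unescaped wildcard.
    These are the phrases that silently match nothing in query_string mode."""
    return [m.group(0) for m in PHRASE_RE.finditer(query)
            if _has_unescaped_wildcard(m.group(1))]


def unquote_wildcard_phrases(query: str) -> str:
    """Rewrite `query` the way the thread's manual fix does: phrases containing a
    wildcard lose their quotes (with any bare whitespace escaped); phrases without
    wildcards stay quoted, because there the phrase query is the intended semantics."""
    def repl(m):
        body = m.group(1)
        return _escape_bare(body) if _has_unescaped_wildcard(body) else m.group(0)
    return PHRASE_RE.sub(repl, query)


def lint_ndjson(text: str) -> list:
    """Scan siem_rule_ndjson output (one JSON rule per line, Lucene query in "query")
    and return (rule name, offending phrases) for each rule that would never match."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rule = json.loads(line)
        phrases = quoted_wildcard_phrases(rule.get("query", ""))
        if phrases:
            findings.append((rule.get("name", "<unnamed>"), phrases))
    return findings


# The certutil query as posted in the thread (converter output, Lucene escaping).
CERTUTIL_QUERY = (
    r'(process.executable:*\\certutil.exe OR process.pe.original_file_name:CertUtil.exe) '
    r'AND (process.command_line:("*\-decode\ *" OR "*\/decode\ *"))'
)

# Constructed sample ndjson (not real converter output): the first rule reproduces
# the bug, the second uses a quoted phrase legitimately and must not be flagged.
SAMPLE_NDJSON = "\n".join(json.dumps(r) for r in [
    {"name": "Suspicious CertUtil Decode", "language": "lucene", "query": CERTUTIL_QUERY},
    {"name": "Exact Original File Name", "language": "lucene",
     "query": r'process.pe.original_file_name:"CertUtil.exe"'},
])


if __name__ == "__main__":
    for name, phrases in lint_ndjson(SAMPLE_NDJSON):
        print(f"{name}: wildcard inside quoted phrase {phrases}")
    print(unquote_wildcard_phrases(CERTUTIL_QUERY))
```

Running it prints the certutil rule as the only finding and then the same unquoted query the poster arrived at manually. The useful habit is to run `lint_ndjson` over the whole generated `.ndjson` before importing it into Kibana: a rule whose query can never match is worse than a missing rule, because the dashboard shows it as enabled.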

I added some more tests for this case but the rule you mentioned converts just fine (without quotes) to:

(Image:*\\bitsadmin.exe OR OriginalFileName:bitsadmin.exe) AND (CommandLine:*\ \/transfer\ * OR ((CommandLine:(*\ \/create\ * OR *\ \/addfile\ *)) AND CommandLine:*http*))

and will only present the expected two hits in the connect tests.