Intergritylevel
fish-ghost opened this issue · 2 comments
Why can't I trigger a matching rule that contains Intergritylevel? Why is the Intergritylevel high or system in the rule, but it is detected as its SID?
Such as this,UAC Bypass Tools Using ComputerDefaults,proc_creation_win_uac_bypass_computerdefaults.I've met the match requirements, but It haven't been matched.
I've tried a lot of matches with Intergritylevel requirements. But none of them seem to work. Is it because it is displayed as a SID and is not matched.Akagi64.exe is invaild,too.
{"CommandLine":"C:\Windows\System32\ComputerDefaults.exe",
"CurrentDirectory":"",
"EventID":1,
"Event_Categories":["process_creation|_"],
"Event_Time":"2024-11-30T18:38:05.5688542+08:00",
"Event_Type":"procmonitor_process_creation",
"Hashes":"MD5=86BD981F55341273753AC42EA200A81E,SHA1=,SHA256=",
"Image":"C:\Windows\System32\ComputerDefaults.exe",
"ImageFileName":"ComputerDefaults.exe",
"IntegrityLevel":"S-1-16-12288",
"ParentCommandLine":"explorer.exe",
"ParentImage":"C:\Users\qy\Desktop\s2\Akagi64.exe",
"ParentProcessId":2228,
"ParentProcessKey":"2228_1732963021068",
"ParentUser":"STU1\qy",
"ProcImageUniqueKey":"C:\Windows\System32\ComputerDefaults.exe#37376#1247535541653",
"ProcStartTick":64,"ProcTreePathCommandLine":[""C:\Windows\System32\cmd.exe"","explorer.exe","C:\Windows\System32\ComputerDefaults.exe"],
"ProcTreePathImage":["C:\Windows\System32\cmd.exe","C:\Users\qy\Desktop\s2\Akagi64.exe","C:\Windows\System32\ComputerDefaults.exe"],
"ProcTreePathName":["cmd.exe","Akagi64.exe","ComputerDefaults.exe"],
"ProcTreePathStartPath":["C:\Users\qy\Desktop\s2","C:\Users\qy\Desktop\s2",""],
"ProcessId":2388,
"ProcessKey":"2388_1732963021115",
"ProcessName":"ComputerDefaults.exe",
"ProcessRoot":"cmd.exe_2868_1732963016538",
"ProcessStartTime":"2024-11-30 18:37:01",
"User":"STU1\qy",
"sigma_results":
[{"ID":"2d87d610-d760-45ee-a7e6-7a6f2a65de00","Title":"Mustang Panda Dropper","Level":"","Tags":["attack.t1587.001","attack.resource_development","detection.emerging_threats"],"Result":{"Match":true,"SearchResults":{"selection_cli":true,"selection_img":false},"MatchReasons":{"selection_cli":[{"Field":"CommandLine","Reasons":["contains|s"]}]},"ConditionResults":[true]}}]}
Sigma is meant to match on the exact string that is written in the rule. In your example the SID representation of an integrity level isn't part of the rule hence it won't match by default on your log source. The easiest solution for your would be to map/convert those SID into string if you're using splunk for example.
In the meantime i will update the rules to include SID representation as it's also valid.
OK,thanks.