Sigma rule modifier `endswith` is not exported to LogQL
Closed this issue · 2 comments
I have deployed Sigma rules for Windows hosts in a testing environment, and I have a lot of false positives related to the endswith flag in Sigma rules being ignored by the Loki backend for Sigma. For example, the rule at https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml states the following:
detection:
    selection:
        CommandLine|endswith: 'svchost.exe'
        Image|endswith: '\svchost.exe'
Here is the Loki ruler alerting rule I get when converting:
sigma convert -t loki -p sysmon -p loki_promtail_sysmon -f ruler rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml
groups:
- name: Sigma rules
  rules:
  - alert: Suspect_Svchost_Activity
    annotations:
      author: David Burkett, @signalblur
      description: It is extremely abnormal for svchost.exe to spawn without any CLI
        arguments and is normally observed when a malicious process spawns the process
        and injects code into the process memory space.
      summary: Suspect Svchost Activity
    expr: 'sum(count_over_time({job=~"eventlog|winlog|windows|fluentbit.*"} | json
      | label_format Message=`{{ .message | replace "\\" "\\\\" | replace "\"" "\\\""
      }}` | line_format `{{ regexReplaceAll "([^:]+): ?((?:[^\\r]*|$))(\r\n|$)" .Message
      "${1}=\"${2}\" "}}` | logfmt | event_id=1 and CommandLine=~`(?i).*svchost\.exe`
      and Image=~`(?i).*\\svchost\.exe` and ParentImage!~`(?i).*\\rpcnet\.exe` and
      ParentImage!~`(?i).*\\rpcnetp\.exe` and CommandLine!=`` | line_format "{{.CommandLine}}
      {{.ParentCommandLine}}" [1m])) or vector(0) > 0'
    labels:
      severity: high
The core of the LogQL statement is:
event_id=1 and CommandLine=~`(?i).*svchost\.exe`
and Image=~`(?i).*\\svchost\.exe` and ParentImage!~`(?i).*\\rpcnet\.exe` and
ParentImage!~`(?i).*\\rpcnetp\.exe` and CommandLine!=``
With this statement, this rule will match whenever there is a string matching (?i).*svchost\.exe in the CommandLine field, whereas it should match on (?i).*svchost\.exe$ (note the $ at the end of the regexp) to comply with the endswith flag in the original rule. Same goes for the Image field, even if it's not a problem in this particular example.
Here is an example event that triggers this rule but should not:
Process Create:
RuleName: -
UtcTime: 2024-06-21 14:40:50.245
ProcessGuid: [...]
ProcessId: 6616
Image: C:\Windows\System32\svchost.exe
FileVersion: 10.0.17763.3346 (WinBuild.160101.0800)
Description: Host Process for Windows Services
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: svchost.exe
CommandLine: C:\Windows\system32\svchost.exe -k wsappx -p
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: [...]
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: MD5=[...]
ParentProcessGuid: [...]
ParentProcessId: 600
ParentImage: C:\Windows\System32\services.exe
ParentCommandLine: C:\Windows\system32\services.exe
ParentUser: NT AUTHORITY\SYSTEM
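The false positive described in the report, reproduced in Python as an added example that is not part of the issue or of the pySigma Loki backend's own code. The translation functions below (`sigma_value_to_regex`, `modifier_to_regex`, `selection_matches`) are a hypothetical, simplified stand-in for the backend's modifier handling: they turn a Sigma `endswith`/`startswith`/`contains` value into the kind of `(?i)`-prefixed regex seen in the generated LogQL, with and without the missing `$`/`^` anchors, and run both variants over the Image and CommandLine values of the Sysmon event quoted above (copied into a constructed dict). Python's `re` is used as a stand-in for Loki's RE2 matcher; the anchoring semantics are the same for the inputs used here.

```python
import re

# Constructed from the Sysmon "Process Create" event quoted in the report above.
# svchost.exe here *does* have CLI arguments, so the rule must not fire on it.
SAMPLE_EVENT = {
    "Image": r"C:\Windows\System32\svchost.exe",
    "CommandLine": r"C:\Windows\system32\svchost.exe -k wsappx -p",
}

# The detection block of the Sigma rule cited in the report.
SELECTION = {
    "CommandLine|endswith": "svchost.exe",
    "Image|endswith": r"\svchost.exe",
}


def sigma_value_to_regex(value: str) -> str:
    """Translate a plain Sigma string value into a regex fragment.

    Sigma treats '*' and '?' as wildcards and a backslash before '*', '?' or
    '\\' as an escape; a backslash before any other character is a literal
    backslash (so '\\svchost.exe' means a path separator followed by the name).
    """
    out, i = [], 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value) and value[i + 1] in "*?\\":
            out.append(re.escape(value[i + 1]))  # escaped wildcard or backslash
            i += 2
            continue
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        else:
            out.append(re.escape(c))  # literal character ('.' becomes '\.')
        i += 1
    return "".join(out)


def modifier_to_regex(modifier: str, value: str, anchored: bool = True) -> str:
    """Build the case-insensitive regex for a Sigma string modifier.

    anchored=False reproduces the buggy output from the report (no '$' / '^'),
    anchored=True is what endswith/startswith actually require.
    """
    body = sigma_value_to_regex(value)
    if modifier == "endswith":
        return "(?i).*" + body + ("$" if anchored else "")
    if modifier == "startswith":
        return "(?i)" + ("^" if anchored else "") + body + ".*"
    if modifier == "contains":
        return "(?i).*" + body + ".*"
    if modifier == "equals":
        return "(?i)^" + body + "$"
    raise ValueError(f"unsupported modifier: {modifier}")


def logql_filter(field: str, modifier: str, value: str, anchored: bool = True) -> str:
    """Render one field condition the way the ruler output in the report does."""
    return f"{field}=~`{modifier_to_regex(modifier, value, anchored)}`"


def matches(regex: str, text: str) -> bool:
    # re.search with '$' mirrors an unanchored-by-default RE2 line filter.
    return re.search(regex, text) is not None


def selection_matches(event: dict, selection: dict, anchored: bool = True) -> bool:
    """AND all 'Field|modifier: value' conditions of a Sigma selection."""
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        regex = modifier_to_regex(modifier or "equals", value, anchored)
        if not matches(regex, event.get(field, "")):
            return False
    return True


if __name__ == "__main__":
    for anchored in (False, True):
        label = "anchored" if anchored else "unanchored (buggy)"
        conds = " and ".join(
            logql_filter(k.partition("|")[0], k.partition("|")[2], v, anchored)
            for k, v in SELECTION.items()
        )
        print(f"{label}: {conds}")
        print(f"  fires on sample event: {selection_matches(SAMPLE_EVENT, SELECTION, anchored)}")
```

With the unanchored regexes the selection fires on the sample event because `.*svchost\.exe` finds the binary name in the middle of `... svchost.exe -k wsappx -p`; with `$` appended the CommandLine condition no longer matches, which is the behaviour the Sigma `endswith` modifier specifies.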
Thanks for the bug report! Yup, we should absolutely be adding start/end anchors to those regexes - thank you for pointing it out 🙏 👍
Just wanted to let you @bdubertret know this should be fixed in the latest release (v0.11.4) - please shout if you find our fix doesn't resolve the issue, or if you find any other issues. And thank you again for the bug report - much appreciated!