
Possible evtx-sigma-checker Issue #6

Closed
cipher067 opened this issue Nov 11, 2023 · 6 comments

Comments

@cipher067

Hello,

I've noticed that evtx-sigma-checker is not reading the value of ProcessId and AccessMask as strings, meanwhile Aurora detects the following example rule as string and works perfectly:

Sigma working with Aurora:

```yaml
EventID: 4663
ObjectType: 'File'
ObjectServer: 'Security'
ProcessId: '0x4'
AccessMask: '0x1'
```

Sigma working with evtx-sigma-checker:

```yaml
EventID: 4663
ObjectType: 'File'
ObjectServer: 'Security'
ProcessId: 0x4
AccessMask: 0x1
```

It could be an issue from my end or from the compiled evtx-sigma-checker

thanks in advance

@secDre4mer

Hi,

This sounds interesting. Maybe there's a difference in formatting from different sources (ETW versus EVTX files)? Could you send me an EVTX file with the event you described?

@cipher067
Author

cipher067 commented Nov 14, 2023

Access-Password-File-TruePositive.zip
Thanks for your response.

```yaml
detection:
  selection:
    EventID: 4663
    ObjectType: 'File'
    ObjectServer: 'Security'
    ObjectName: 'C:\Windows\SYSVOL\domain\Password\password.txt'
    ProcessId: '0x4'
    AccessMask: '0x1'
  exclude:
    SubjectUserName|endswith: '$'
  condition: selection and not exclude
```

@cipher067 cipher067 reopened this Nov 14, 2023
@secDre4mer

Thanks for the file!
From the EVTX file, I think the "different formatting" hypothesis holds up. The raw event in the evtx-checker looks like:
... ObjectServer: Security ObjectType: File ObjectName: <redacted> HandleId: 8020 AccessList: %%4416 AccessMask: 1 ProcessId: 4 ProcessName: ResourceAttributes: S:AI Provider_Name: Microsoft-Windows-Security-Auditing ...

So access mask and process ID both get formatted as decimal numbers here, not as hex numbers. Probably the formatting information gets lost in the EVTX parser.
I'll need to talk to some colleagues about this. This is probably not trivial to fix; but the current evtx-sigma-checker behaviour results in differences between recorded baseline and live behaviour, which is also less than ideal.

@secDre4mer

Okay, unfortunately, the formatting information isn't available in the EVTX file: it's part of the manifests that describe the events, which are separate and only available on Windows. The evtx-sigma-checker (since it's OS independent) can't use those.
I've built a workaround into the checker that essentially "mimics" the formatting for your case that is described by the manifest. However, this is obviously only a solution for this issue, not for this class of issue. If you come across similar issues, please let me know and I'll add more fixes.
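The workaround described above, as an added example that is not code from evtx-sigma-checker or from this thread: the parsed EVTX event carries raw integers, a small table stands in for the manifest's hex output hints, and the thread's rule only matches once the values are re-rendered the way Windows would show them. ProcessId and AccessMask as hex fields come from the thread; treating HandleId the same way is an assumption, and the sample event is constructed.

```python
# Constructed sample: event 4663 as an OS-independent EVTX parser returns it
# (raw integers, matching the decimal values quoted in the thread's raw event).
PARSED_4663 = {
    "EventID": 4663, "ObjectServer": "Security", "ObjectType": "File",
    "ObjectName": r"C:\Windows\SYSVOL\domain\Password\password.txt",
    "HandleId": 8020, "AccessList": "%%4416", "AccessMask": 1, "ProcessId": 4,
    "SubjectUserName": "jdoe",
}

# Assumed stand-in for the manifest's "render as hex" output hints; the real
# manifest only exists on Windows. HandleId is an assumption, the other two are
# the fields the thread reports.
HEX_RENDERED_FIELDS = {"ProcessId", "AccessMask", "HandleId"}

# The thread's rule, written out as dicts.
SELECTION = {"EventID": 4663, "ObjectType": "File", "ObjectServer": "Security",
             "ProcessId": "0x4", "AccessMask": "0x1"}
EXCLUDE = {"SubjectUserName|endswith": "$"}

def render_like_manifest(event_data):
    """Mimic the Windows event renderer: hex fields become '0x..' strings."""
    rendered = {}
    for name, value in event_data.items():
        if name in HEX_RENDERED_FIELDS and isinstance(value, int):
            rendered[name] = f"0x{value:x}"      # 4 -> "0x4", 8020 -> "0x1f54"
        else:
            rendered[name] = str(value)
    return rendered

def sigma_value_matches(field_spec, rule_value, event_value):
    """Sigma string matching is case-insensitive; support the endswith modifier."""
    if event_value is None:
        return False
    rv, ev = str(rule_value).casefold(), str(event_value).casefold()
    return ev.endswith(rv) if field_spec.endswith("|endswith") else ev == rv

def selection_matches(selection, event):
    return all(sigma_value_matches(spec, rv, event.get(spec.split("|")[0]))
               for spec, rv in selection.items())

def evaluate_rule(event_data, render=True):
    """condition: selection and not exclude, with or without the workaround."""
    event = render_like_manifest(event_data) if render else \
        {k: str(v) for k, v in event_data.items()}
    return selection_matches(SELECTION, event) and not selection_matches(EXCLUDE, event)
```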

@cipher067
Author

@secDre4mer Thank you, appreciate your great support!

@secDre4mer

New release that contains the fix is now available.
