I've noticed that some queries are wrongfully built that might lead to mismatches of the rule in OpenSearch.
Version: 2.0.0 (online pypi.org: 2.0.0)
Let's take the example: rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml
Running the command:

```shell
sigma convert -t elastalert --without-pipeline proc_creation_win_pua_wsudo_susp_execution.yml
```

It results in:
```yaml
description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let
  the user execute programs with different permissions (System, Trusted Installer,
  Administrator...etc)
filter:
- query:
    query_string:
      query: (Image:*\\wsudo.exe OR OriginalFileName:wsudo.exe OR Description:Windows\
        sudo\ utility OR ParentImage:*\\wsudo\-bridge.exe) OR (CommandLine:(*\-u\
        System* OR *\-uSystem* OR *\-u\ TrustedInstaller* OR *\-uTrustedInstaller*
        OR *\ \-\-ti\ *))
index: '*'
name: PUA - Wsudo Suspicious Execution
priority: 3
type: any
```
If I run this query directly on OpenSearch (like elastalert would query) on my windows events indexes, it results in matches that have nothing to do with the rule:

```
(Image:*\\wsudo.exe OR OriginalFileName:wsudo.exe OR Description:Windows\ sudo\ utility OR ParentImage:*\\wsudo\-bridge.exe) OR (CommandLine:(*\-u\ System* OR *\-uSystem* OR *\-u\ TrustedInstaller* OR *\-uTrustedInstaller* OR *\ \-\-ti\ *))
```
And this would create alerts with these fields:
```json
"fields": {
  "ParentImage": [
    "C:\\Windows\\explorer.exe"
  ],
  "CommandLine": [
    "\"C:\\Windows\\System32\\unregmp2.exe\" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI"
  ],
  "Description": [
    "Microsoft Windows Media Player Setup Utility"
  ],
  "OriginalFileName": [
    "unregmp2.exe"
  ],
  "Image": [
    "C:\\Windows\\System32\\unregmp2.exe"
  ]
}
```
I think this has to do with missing quotation marks. Using a simple query:

```
Description:Microsoft Edge Update
```
This would match:
- Microsoft Edge Update
- Microsoft OneDriveFile Co-Authoring Executable
- Microsoft .NET Framework optimization service
- ... and so on
And if I use quotation marks:

```
Description:"Microsoft Edge Update"
```
This will only match "Microsoft Edge Update".
Thanks,
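The behaviour described in the issue can be reproduced without an OpenSearch cluster. The following is an added example, not code from the issue or from pySigma: it contains a hypothetical quoting rule (`build_clause`, an assumption about how the backend could emit whitespace-containing literals, not pySigma's own code) and a deliberately simplified model of what OpenSearch's `query_string` does with an unquoted term on an analyzed text field (the term is run through the analyzer, split into tokens, and the tokens are combined with the default `OR` operator), versus a quoted phrase (tokens must occur consecutively). The sample `Description` values are constructed from the ones quoted above.

```python
import re

# Lucene query_string operator characters that must be backslash-escaped inside an
# unquoted term. '*' and '?' are deliberately left out so that Sigma wildcards keep
# working, matching the escaping style visible in the converted rule above.
LUCENE_SPECIAL = set('+-=&|><!(){}[]^"~:\\/ ')


def escape_term(value: str) -> str:
    """Escape a value for use as an unquoted query_string term."""
    return "".join("\\" + c if c in LUCENE_SPECIAL else c for c in value)


def build_clause(field: str, value: str) -> str:
    """Hypothetical quoting rule (assumption, not pySigma's code): a literal that
    contains whitespace becomes a quoted phrase, so an analyzed text field is
    matched as a phrase instead of as OR-ed tokens; wildcard patterns stay as
    escaped terms, because quotes would turn '*' into a literal character."""
    has_space = any(c.isspace() for c in value)
    has_wildcard = "*" in value or "?" in value
    if has_space and not has_wildcard:
        phrase = value.replace("\\", "\\\\").replace('"', '\\"')
        return f'{field}:"{phrase}"'
    return f"{field}:{escape_term(value)}"


def _tokens(text: str) -> list[str]:
    # Simplified stand-in for OpenSearch's standard analyzer on a text field:
    # lowercase and split on anything that is not a letter or digit.
    return [t for t in re.split(r"[^a-z0-9]+", text.lower()) if t]


def term_matches(doc_value: str, search_value: str) -> bool:
    """Unquoted term: the analyzer splits it into tokens and query_string combines
    them with the default OR operator, so one shared token is enough to match."""
    return bool(set(_tokens(search_value)) & set(_tokens(doc_value)))


def phrase_matches(doc_value: str, search_value: str) -> bool:
    """Quoted phrase: the tokens must occur consecutively and in order."""
    needle, hay = _tokens(search_value), _tokens(doc_value)
    return any(hay[i:i + len(needle)] == needle
               for i in range(len(hay) - len(needle) + 1))


# Constructed sample Description values, taken from the ones quoted in the issue.
DESCRIPTIONS = [
    "Microsoft Edge Update",
    "Microsoft OneDriveFile Co-Authoring Executable",
    "Microsoft .NET Framework optimization service",
    "Microsoft Windows Media Player Setup Utility",
]


def hits(search_value: str, quoted: bool) -> list[str]:
    """Return the sample Description values that a clause would match."""
    match = phrase_matches if quoted else term_matches
    return [d for d in DESCRIPTIONS if match(d, search_value)]


if __name__ == "__main__":
    print(build_clause("Description", "Windows sudo utility"))
    print(build_clause("Image", "*\\wsudo.exe"))
    for value in ("Microsoft Edge Update", "Windows sudo utility"):
        print(value, "unquoted ->", hits(value, quoted=False))
        print(value, "quoted   ->", hits(value, quoted=True))
```

Running it shows the unquoted `Windows sudo utility` term matching the unrelated Media Player setup event through the shared tokens `windows` and `utility`, while the quoted phrase matches nothing in the sample set, and the unquoted `Microsoft Edge Update` matching every sample value through the token `microsoft`. The model ignores field mappings (a `keyword` field is not analyzed and would behave differently), so it only illustrates the text-field case the issue reports.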