White space handling works

cyberphor · Aug 17, 2023 · f2573ea · f2573ea
1 parent 28cb0d6
commit f2573ea
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 6 deletions.
diff --git a/rules/net_connection_win_wscript.yml b/rules/net_connection_win_wscript.yml
@@ -5,6 +5,6 @@ detection:
   selection:
     Image|endswith: '\wscript.exe'
     Initiated: 'true'
-    DestinationPort:
+    Destination Port:
       - 25
   condition: selection
diff --git a/rules/win_alert_mimikatz_keywords.yml b/rules/win_alert_mimikatz_keywords.yml
@@ -0,0 +1,51 @@
+title: Mimikatz Use
+id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
+status: test
+description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
+references:
+    - https://tools.thehacker.recipes/mimikatz/modules
+author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
+date: 2017/01/10
+modified: 2022/01/05
+tags:
+    - attack.s0002
+    - attack.lateral_movement
+    - attack.credential_access
+    - car.2013-07-001
+    - car.2019-04-004
+    - attack.t1003.002
+    - attack.t1003.004
+    - attack.t1003.001
+    - attack.t1003.006
+logsource:
+    product: windows
+detection:
+    keywords:
+        - 'dpapi::masterkey'
+        - 'eo.oe.kiwi'
+        - 'event::clear'
+        - 'event::drop'
+        - 'gentilkiwi.com'
+        - 'kerberos::golden'
+        - 'kerberos::ptc'
+        - 'kerberos::ptt'
+        - 'kerberos::tgt'
+        - 'Kiwi Legit Printer'
+        - 'lsadump::'
+        - 'mimidrv.sys'
+        - '\mimilib.dll'
+        - 'misc::printnightmare'
+        - 'misc::shadowcopies'
+        - 'misc::skeleton'
+        - 'privilege::backup'
+        - 'privilege::debug'
+        - 'privilege::driver'
+        - 'sekurlsa::'
+    filter:
+        EventID: 15  # Sysmon's FileStream Events (could cause false positives when Sigma rules get copied on/to a system)
+    condition: keywords and not filter
+falsepositives:
+    - Naughty administrators
+    - AV Signature updates
+    - Files with Mimikatz in their filename
+level: high
diff --git a/sigma/backends/powershell/powershell.py b/sigma/backends/powershell/powershell.py
@@ -23,8 +23,6 @@ class PowerShellBackend(TextQueryBackend):
         ProcessingPipeline
     )
 
-    # Operator precedence: tuple of Condition{AND,OR,NOT} in order of precedence.
-    # The backend generates grouping if required
     precedence: ClassVar[Tuple[ConditionItem, ConditionItem, ConditionItem]] = (ConditionNOT, ConditionAND, ConditionOR)
     group_expression: ClassVar[str] = "({expr})"
     parenthesize: bool = True 

diff --git a/sigma/pipelines/powershell/powershell.py b/sigma/pipelines/powershell/powershell.py
@@ -2,21 +2,31 @@
 from sigma.pipelines.common import logsource_windows, logsource_windows_network_connection, windows_logsource_mapping 
 from sigma.processing.conditions import IncludeFieldCondition, LogsourceCondition
 from sigma.processing.pipeline import ProcessingPipeline, ProcessingItem
-from sigma.processing.transformations import AddConditionTransformation, AddFieldnamePrefixTransformation, ChangeLogsourceTransformation, DetectionItemFailureTransformation, DropDetectionItemTransformation, FieldMappingTransformation, RuleFailureTransformation, SetStateTransformation, Transformation
+from sigma.processing.transformations import AddFieldnamePrefixTransformation, ChangeLogsourceTransformation, DropDetectionItemTransformation, RuleFailureTransformation, Transformation
 from sigma.rule import SigmaRule
 
 @dataclass
 class PromoteDetectionItemTransformation(Transformation):
-    """Promote a detection item to the rule component level."""
+    """Promotes a detection item to the rule component level."""
     field: str
     def apply(self, pipeline, rule: SigmaRule) -> None:
         super().apply(pipeline, rule)
         for detection in rule.detection.detections.values():
             for detection_item in detection.detection_items:
                 if detection_item.field == self.field:
-                    # TODO: address situations where the detection item has more than one value
                     setattr(rule, self.field.lower(), detection_item.value[0])
 
+@dataclass
+class RemoveWhiteSpaceTransformation(Transformation):
+    """Removes white space characters from detection item field names."""
+    def apply(self, pipeline, rule: SigmaRule) -> None:
+        super().apply(pipeline, rule)
+        for detection in rule.detection.detections.values():
+            for detection_item in detection.detection_items:
+                if detection_item.field != None:
+                    if len(detection_item.field.split()) > 1:
+                        detection_item.field = "".join(detection_item.field.split())
+
 def powershell_pipeline() -> ProcessingPipeline:
     return ProcessingPipeline(
         name = "PowerShell pipeline",
@@ -37,6 +47,10 @@ def powershell_pipeline() -> ProcessingPipeline:
                 rule_conditions = [logsource_windows_network_connection()], # TODO: scale this so all sysmon event categories are covered
                 transformation = ChangeLogsourceTransformation(service = windows_logsource_mapping['sysmon']) 
             )
+        ] + [
+            ProcessingItem(
+                transformation = RemoveWhiteSpaceTransformation()
+            )
         ] + [
             ProcessingItem(
                 # field name conditions are evaluated against fields in detection items and in the component-level field list of a rule