Common SIGMA Mistakes Series – Source: socprime.com

Part 2: Environment-Dependent Terms

Overview of Series

This is part 2 of a multi-part series that will cover common mistakes SOC Prime observes regularly in SIGMA. We'll cover everything from common rule logic errors to common schema problems, and even some more obscure "gotchas" to think about. Some of these ideas will extend beyond SIGMA and into general detection engineering.

Problem #2: Environment-Dependent Terms

It is common for SIGMA authors to write detections based on malware sandbox environments. These environments contain terms that will not exist in any other environment. For example, if the user account used on the sandbox is named "Admin", it would be incorrect to write a rule that looks for execution from "C:\users\Admin\downloads".

Regular Expression to Identify Impacted Rules via Grep or Similar Tool:

Below are some examples to make the problem clearer:

Incorrect Example 1: User Profile

In this example, an analyst meant to match malware running from a user profile's appdata\roaming folder. However, it would only match in environments where the user is named "admin".

title: Incorrect - Non-Agnostic User Profile
description: This rule has been stripped down to minimal fields for illustration.
detection:
  selection:
    Image|endswith: '\users\admin\appdata\roaming\malware.exe'
  condition: selection

Solution 1: Agnostic User Profile Path

The corrected version of this rule matches any user profile by relying on |endswith to match only the unique tail of the path.

title: Correct - Matches on Any User Profile
description: This rule has been stripped down to minimal fields for illustration.
detection:
  selection:
    Image|endswith: '\appdata\roaming\malware.exe'
  condition: selection

Incorrect Example 2: User SID

In this example, the rule contains a SID belonging to the local administrator account of one specific host, so it will only ever work for a single user on a single machine.

title: Incorrect - SID Dependent Rule
description: This rule has been stripped down to minimal fields for illustration.
detection:
  selection:
    TargetObject|contains: '\user\S-1-5-21-6841020553-7100022413-6101150552-500\Software\Microsoft\Windows\CurrentVersion\Run'
  condition: selection

Solution 2: SID Agnostic

In this corrected version of the rule, we've used |endswith so that the rule matches independently of the user's SID.

title: Correct - SID Agnostic
description: This rule has been stripped down to minimal fields for illustration.
detection:
  selection:
    TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run'
  condition: selection
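Added example (not from the post or from SOC Prime): a small Python linter that applies the two checks above to rule text, flagging any value inside the detection: block that passes through a named user profile folder or embeds a machine-specific SID, with a hint on how to rewrite it. The regexes, the minimal_rule helper and the sample rules are constructed for this example; the original post's grep regex is not on this page.

```python
import re

# Patterns written for this example (not from the original post): a path that
# passes through a specific user's profile folder, and a machine/domain SID.
USER_PROFILE_RE = re.compile(r"(?i)[\\/]users[\\/]([^\\/'\"]+)[\\/]")
SID_RE = re.compile(r"\bS-1-5-21-\d+-\d+-\d+-\d+\b")
# Profile folders that are not a specific user, so not environment-dependent.
GENERIC_PROFILES = {"public", "default", "*"}


def find_environment_dependent_terms(rule_text):
    """Return (line_no, kind, value, hint) for each value inside the detection:
    block that would only match in one environment (a named user or a SID)."""
    findings = []
    in_detection = False
    for line_no, line in enumerate(rule_text.splitlines(), 1):
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            # top-level key: note whether the lines that follow belong to detection:
            in_detection = line.split(":", 1)[0].strip() == "detection"
            continue
        if not in_detection:
            continue
        for m in USER_PROFILE_RE.finditer(line):
            if m.group(1).lower() in GENERIC_PROFILES:
                continue
            findings.append((line_no, "user-profile", m.group(0),
                             "drop the prefix up to the user name; match the rest with |endswith"))
        for m in SID_RE.finditer(line):
            findings.append((line_no, "sid", m.group(0),
                             "drop the prefix up to the SID; match the rest with |endswith"))
    return findings


def minimal_rule(detection_line):
    """Constructed helper: wrap one detection field/value in a minimal rule body."""
    return "title: sample\ndetection:\n  selection:\n    %s\n  condition: selection\n" % detection_line


# Constructed samples: the post's two incorrect rules (backslashes restored) and their fixes.
BAD_USER_PROFILE_RULE = minimal_rule(r"Image|endswith: '\users\admin\appdata\roaming\malware.exe'")
GOOD_USER_PROFILE_RULE = minimal_rule(r"Image|endswith: '\appdata\roaming\malware.exe'")
BAD_SID_RULE = minimal_rule(r"TargetObject|contains: '\user\S-1-5-21-6841020553-7100022413-6101150552-500\Software\Microsoft\Windows\CurrentVersion\Run'")
GOOD_SID_RULE = minimal_rule(r"TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run'")

if __name__ == "__main__":
    for name, text in [("bad user profile", BAD_USER_PROFILE_RULE), ("bad sid", BAD_SID_RULE)]:
        print(name, find_environment_dependent_terms(text))
```

Wildcarded profiles such as '\users\*\' and the built-in Public/Default folders are deliberately not flagged, since they already match any environment.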

Try Uncoder AI to engineer detections faster and smarter, use SIGMA and MITRE ATT&CK autocompletion as your code assistant, and validate rules with built-in syntax and logic checks to avoid common mistakes in an automated fashion.

Author: Adam Swan
Date: 2023-09-28 07:46:22
