
Single quote escaping problem in query_string #50

Open
foxalfabravo opened this issue Feb 29, 2024 · 2 comments
Comments

@foxalfabravo

Converted rule not accepted by elastalert

Pipeline configuration: -t lucene -p sysmon -p ecs_windows

For instance, for posh_ps_amsi_null_bits_bypass.yml the result is:

filter:
  - query:
      query_string:
        query: 'powershell.file.script_block_text:(*if\(0\)\{\{\{0\}\}\}'\ \-f\ $\(0\ \-as\ \[char\]\)\ \+* OR *#\<NULL\>*)'

The following rules have the problem (r2024-01-29):
posh_pm_susp_invocation_specific.yml
posh_ps_amsi_null_bits_bypass.yml
posh_ps_import_module_susp_dirs.yml
posh_ps_set_acl_susp_location.yml
posh_ps_set_policies_to_unsecure_level.yml
posh_ps_susp_invocation_specific.yml
posh_ps_user_profile_tampering.yml
proc_creation_win_cmd_redirection_susp_folder.yml
proc_creation_win_curl_download_direct_ip_exec.yml
proc_creation_win_curl_download_direct_ip_susp_extensions.yml
proc_creation_win_curl_download_susp_file_sharing_domains.yml
proc_creation_win_findstr_lnk.yml
proc_creation_win_findstr_recon_everyone.yml
proc_creation_win_hktl_crackmapexec_execution.yml
proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml
proc_creation_win_net_default_accounts_manipulation.yml
proc_creation_win_powershell_amsi_null_bits_bypass.yml
proc_creation_win_powershell_import_module_susp_dirs.yml
proc_creation_win_powershell_invocation_specific.yml
proc_creation_win_powershell_set_acl_susp_location.yml
proc_creation_win_powershell_xor_commandline.yml
proc_creation_win_regsvr32_susp_exec_path_2.yml
proc_creation_win_rundll32_uncommon_dll_extension.yml
proc_creation_win_schtasks_guid_task_name.yml
proc_creation_win_susp_office_token_search.yml
proc_creation_win_susp_privilege_escalation_cli_patterns.yml
proc_creation_win_wget_download_direct_ip.yml
proc_creation_win_wget_download_susp_file_sharing_domains.yml

@frack113
Member

Hello,
As ' doesn't need to be escaped in Lucene, I tried to update my template:

      index: {{ index() }}
      filter:
        - query:
            query_string:
              query: {% if "'" in query%}"{{ query }}"{% else %}'{{ query }}'{% endif %}
sigma convert -t lucene -p sysmon -p ecs_windows rules\windows\powershell\powershell_script\posh_ps_amsi_null_bits_bypass.yml -p elastalert_any_v2.yml
Parsing Sigma rules  [####################################]  100%
name: fa2559c8-1197-471d-9cdd-05a0273d4522
description: Potential AMSI Bypass Script Using NULL Bits
owner: Nasreddine Bencherchali (Nextron Systems)

type: any
priority: 2
alert:
  - debug

index: winlogbeat-*
filter:
  - query:
      query_string:
        query: "powershell.file.script_block_text:(*if\(0\)\{\{\{0\}\}\}'\ \-f\ $\(0\ \-as\ \[char\]\)\ \+* OR *#\<NULL\>*)"

Need to test on an elastalert 😔

@frack113
Member

frack113 commented Apr 2, 2024

hi @foxalfabravo ,
With " the rule fails,
so I simply tried this:

      filter:
        - query:
            query_string:
              query: {{ query }}

It works. I think it is more an elastalert trouble than a backend one, as the output Lucene query is valid.
In YAML, double quotes are for escape sequences.
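The three template variants in this thread come down to YAML quoting rules: a single-quoted scalar keeps backslashes literal but needs an inner ' written as '', while a double-quoted scalar interprets backslash escapes, so Lucene's \( or \- makes the document invalid. The following added example (not code from pySigma, its Elasticsearch backend, or elastalert) emits the query from the issue with each strategy and reads it back with a minimal reader for one-line YAML quoted scalars, so the broken and the correct forms can be compared offline. The query string is the one shown above; the function and constant names are this example's own.

```python
"""Added example (not code from pySigma, its Elasticsearch backend, or
elastalert): emit a Lucene query_string as a YAML scalar so that its
backslash escapes and any embedded single quote survive a YAML parse."""
import json
import re

# Constructed sample input: the query the issue shows for
# posh_ps_amsi_null_bits_bypass.yml. Lucene specials are backslash-escaped
# and the value contains one literal single quote.
LUCENE_QUERY = (
    r"powershell.file.script_block_text:(*if\(0\)\{\{\{0\}\}\}'\ \-f\ "
    r"$\(0\ \-as\ \[char\]\)\ \+* OR *#\<NULL\>*)"
)

# The only characters YAML 1.2 defines after a backslash in a double-quoted
# scalar. Anything else (\(, \-, \[, \<, ...) makes the document invalid.
_YAML_DQ_ESCAPE = re.compile(r'\\[0abt\tnvfre "/\\N_LP\nxuU]')


def naive_single_quote(s):
    """The original template: wrap in ' without doubling an inner '."""
    return "'" + s + "'"


def naive_double_quote(s):
    """The second attempt: wrap in \" without escaping the backslashes."""
    return '"' + s + '"'


def yaml_single_quote(s):
    """Correct single-quoted scalar: backslashes are literal, ' becomes ''."""
    return "'" + s.replace("'", "''") + "'"


def yaml_double_quote(s):
    """Correct double-quoted scalar. A JSON string literal is also a valid
    YAML 1.2 double-quoted scalar, so json.dumps does the escaping."""
    return json.dumps(s)


def parse_single_quoted(scalar):
    """Minimal reader for a one-line YAML single-quoted scalar."""
    if len(scalar) < 2 or scalar[0] != "'" or scalar[-1] != "'":
        raise ValueError("not a single-quoted scalar")
    body = scalar[1:-1]
    # Every ' in the body must be part of an '' pair; a lone ' would have
    # ended the scalar early and left trailing garbage for the YAML parser.
    if "'" in body.replace("''", ""):
        raise ValueError("unescaped ' inside single-quoted scalar")
    return body.replace("''", "'")


def parse_double_quoted(scalar):
    """Minimal reader for a one-line YAML double-quoted scalar: reject escape
    sequences YAML does not define, then decode the JSON-compatible subset."""
    if len(scalar) < 2 or scalar[0] != '"' or scalar[-1] != '"':
        raise ValueError("not a double-quoted scalar")
    body = scalar[1:-1]
    bad = sorted({m.group(0) for m in re.finditer(r"\\.", body)
                  if not _YAML_DQ_ESCAPE.fullmatch(m.group(0))})
    if bad:
        raise ValueError(f"undefined YAML escapes: {bad}")
    return json.loads(scalar)


def round_trips(emit, parse, query=LUCENE_QUERY):
    """True if emitting the query with `emit` and reading it back with
    `parse` yields the identical Lucene string; False if the YAML is broken."""
    try:
        return parse(emit(query)) == query
    except ValueError:
        return False


if __name__ == "__main__":
    for emit, parse in [(naive_single_quote, parse_single_quoted),
                        (naive_double_quote, parse_double_quoted),
                        (yaml_single_quote, parse_single_quoted),
                        (yaml_double_quote, parse_double_quoted)]:
        print(f"{emit.__name__:20s} round-trips: {round_trips(emit, parse)}")
```

Assuming the template engine is Jinja2 (the `{% if %}` syntax above suggests it), the single-quoted form corresponds to `query: '{{ query | replace("'", "''") }}'`, which uses Jinja's built-in `replace` filter. The unquoted `{{ query }}` that the last comment settled on works for this query, but a YAML plain scalar has its own limits: it cannot start with an indicator character such as `*`, `[`, `{`, `&`, `!` or `%`, and a `: ` or ` #` inside it is read as a mapping key or the start of a comment, so a quoted scalar with proper escaping is the robust choice for arbitrary Lucene output.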
