WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts

Rule seemingly not matching certain event IDs

michaeljgoodman opened this issue · comments

Upon attempting to create some test rules, I could not get a simple contains condition to hit on a type 400 PowerShell event. So I removed everything from the condition but the event ID and tried again, and still got no hits.

Tried removing as much as possible to isolate the problem, changing the log source service and product between the various "powershell", "powershell-classic" etc... used across pre-existing sigma rules.

Whilst I tried a large number of variants, see below the rule I believe should be most likely to work based off of existing rules in the 'sigma_rules' ruleset. This rule does not hit on any of the 400 events within a "Windows PowerShell.evtx" log:

title: test
id: 30a8cb77-8eb3-4cfb-8e79-ad447c5a4592
description: test
status: experimental
author: Michael
date: 2021/11/19
modified: 2021/11/19
tags:
    - attack.execution
    - attack.t1086
logsource:
    product: windows
    service: powershell-classic
detection:
    selection:
        EventID: 400
    condition: selection
falsepositives:
    - unknown
level: low

So this appears to be a limitation of the mapping design in chainsaw. As there is no mapping for EventID 400, chainsaw is returning no results. I will confer with @fscc-jamesd so we can decide how we wanna handle this.

Is this to say that if there is no mapping for an event id within the mapping file, then no rules can match on those log entries?

*edit: Read more into how the mapping correlates to the sigma rules and it makes complete sense. Perhaps I will create a pull request to contribute some common mappings for popular event IDs soon, depending on false positives versus value.
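As an added illustration of the mapping behaviour discussed above (example code written for this thread, not chainsaw's own code and not its mapping-file format): a toy matcher in which an event is only evaluated against a rule when the mapping has an entry for its EventID and provider. The sample events, the mapping entries and the `Event.EventData.*` field paths are constructed assumptions.

```python
from typing import Any

# Constructed sample events, shaped loosely like parsed EVTX records (assumption).
EVENTS = [
    {"Event": {"System": {"Provider": "PowerShell", "EventID": 400},
               "EventData": {"HostApplication": "powershell.exe -EncodedCommand <constructed>"}}},
    {"Event": {"System": {"Provider": "PowerShell", "EventID": 400},
               "EventData": {"HostApplication": "powershell.exe -File backup.ps1"}}},
    {"Event": {"System": {"Provider": "Microsoft-Windows-Sysmon", "EventID": 1},
               "EventData": {"CommandLine": "cmd.exe /c whoami"}}},
]

# Mapping with no entry for EventID 400, mirroring the situation in the issue.
MAPPING_WITHOUT_400 = {
    1: {"provider": "Microsoft-Windows-Sysmon",
        "fields": {"CommandLine": "Event.EventData.CommandLine"}},
}
# The same mapping extended with an entry for the classic PowerShell engine-start event.
MAPPING_WITH_400 = {
    **MAPPING_WITHOUT_400,
    400: {"provider": "PowerShell",
          "fields": {"HostApplication": "Event.EventData.HostApplication"}},
}

def lookup(event: dict, path: str) -> Any:
    """Resolve a dotted field path such as Event.EventData.CommandLine."""
    cur: Any = event
    for part in path.split("."):
        cur = cur.get(part) if isinstance(cur, dict) else None
    return cur

def field_matches(field: str, wanted: Any, actual: Any) -> bool:
    """Plain equality, or case-insensitive substring when the Sigma |contains modifier is used."""
    if actual is None:
        return False
    if field.endswith("|contains"):
        return str(wanted).lower() in str(actual).lower()
    return str(wanted) == str(actual)

def rule_hits(selection: dict, events: list, mapping: dict) -> list:
    """Return events matched by a Sigma-style selection (all fields must match)."""
    hits = []
    for ev in events:
        system = ev["Event"]["System"]
        entry = mapping.get(system["EventID"])
        if entry is None or entry["provider"] != system["Provider"]:
            continue  # unmapped event: never evaluated, so no rule can hit it
        for field, wanted in selection.items():
            name = field.split("|")[0]
            path = entry["fields"].get(name)
            actual = system["EventID"] if name == "EventID" else (lookup(ev, path) if path else None)
            if not field_matches(field, wanted, actual):
                break
        else:
            hits.append(ev)
    return hits

SELECTION_400 = {"EventID": 400}
SELECTION_ENC = {"EventID": 400, "HostApplication|contains": "-EncodedCommand"}
```

With the mapping lacking an entry for 400, `rule_hits(SELECTION_400, EVENTS, MAPPING_WITHOUT_400)` returns nothing even though two such events exist; with the entry added it returns both, and the `|contains` selection narrows that to one.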

This is addressed in v2.0.0-alpha.0