Compliance with DRL 1.1
Neo23x0 opened this issue · comments
First of all, great tool
Would it be possible to display the rule author somewhere whenever a rule matches on an eventlog entry to comply with the Detection Rule License?
Maybe in brackets behind the rule title in the column detection_rules?
https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md
I guess this would be the right location:
https://github.com/countercept/chainsaw/blob/0a4b0f22427985a6cd0af1b1fd559933e5adf6f7/src/hunt/modules.rs#L50
Hi @Neo23x0
Thanks for raising this issue. I must have misunderstood the DRL, as my interpretation was that as long as the Sigma rule base remained unmodified, referenced and linked, then showing the matching detections was okay without explicitly naming the author for each detection.
My thought process for how the analyst workflow would work was:
Run Chainsaw -> View Detections -> Read Detection Logic -> Verify Chainsaw Detections Against Raw Data
The author information would be visible in the "Read Detection Logic" step when the analyst goes to the specific Sigma rule.
Regardless, I'm more than happy to add support for your requirements. I've opened PR #5 which adds --authors as an optional flag to the hunt module. Using this flag will add a new column to the table/CSV output which will include the author information. For example:
[+] Detection: (External Rule) - Suspicious File Creation
┌─────────────────────┬────┬─────────────────────────────┬────────────────────────┬────────────────────────────┬──────────────────────────────────────────┬──────────────────────────────────────┐
│ system_time         │ id │ detection_rules             │ rule_authors           │ computer_name              │ Event.EventData.TargetFilename           │ image                                │
├─────────────────────┼────┼─────────────────────────────┼────────────────────────┼────────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────┤
│ 2019-03-17 19:09:41 │ 11 │ ‣ LSASS Memory Dump File    │ ‣ Teymur Kheirkhabarov │ "PC04.example.corp"        │ C:\Users\IEUser\Desktop\lsass.exe_190317 │ C:\Users\IEUser\Desktop\procdump.exe │
│                     │    │   Creation                  │   oscd.community       │                            │ _120941.dmp                              │                                      │
├─────────────────────┼────┼─────────────────────────────┼────────────────────────┼────────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────┤
│ 2019-03-17 19:10:03 │ 11 │ ‣ LSASS Memory Dump File    │ ‣ Teymur Kheirkhabarov │ "PC04.example.corp"        │ C:\Users\IEUser\AppData\Local\Temp\lsass │ C:\Windows\system32\taskmgr.exe      │
│                     │    │   Creation                  │   oscd.community       │                            │ (2).DMP                                  │                                      │
├─────────────────────┼────┼─────────────────────────────┼────────────────────────┼────────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────┤
│ 2019-05-14 14:04:05 │ 11 │ ‣ Hijack Legit RDP Session  │ ‣ Samir Bousseaden     │ "alice.insecurebank.local" │ C:\Users\administrator\AppData\Roaming\M │ C:\Windows\system32\mstsc.exe        │
│                     │    │   to Move Laterally         │                        │                            │ icrosoft\Windows\Start Menu\Programs\Sta │                                      │
│                     │    │                             │                        │                            │ rtup\cmd.exe                             │                                      │
└─────────────────────┴────┴─────────────────────────────┴────────────────────────┴────────────────────────────┴──────────────────────────────────────────┴──────────────────────────────────────┘
As long as you're happy that this satisfies the conditions of the DRL then I'll merge the PR.
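As an added illustration of what the opt-in author column involves (example code written for this page, not Chainsaw's own implementation and not from the PR), the snippet below reads the `title` and `author` fields from Sigma rule metadata and emits them beside every detection only when an `--authors`-style option is set, so default output stays unchanged. The rule bodies, detections and file names are constructed samples modelled on the hits above, and the parser deliberately handles only top-level `key: value` scalars, which is enough for Sigma's `title` and `author` fields but is not a general YAML parser.

```python
"""Added example: carry Sigma rule author attribution through to detection output.

Not Chainsaw's code. Shows the idea behind an opt-in `--authors` column: read
`title` and `author` from each rule's metadata and print them next to every hit.
Only top-level `key: value` scalars are parsed (a simplification of YAML that
covers Sigma's `title`/`author` fields; nested blocks are skipped).
"""
from dataclasses import dataclass, field

# Constructed sample rules (abbreviated; detection logic omitted, it is not needed here).
SAMPLE_RULES = {
    "file_event_lsass_dump.yml": (
        "title: LSASS Memory Dump File Creation\n"
        "author: Teymur Kheirkhabarov, oscd.community\n"
        "level: high\n"
        "logsource:\n"
        "    category: file_event\n"
    ),
    "file_event_rdp_hijack.yml": (
        "title: Hijack Legit RDP Session to Move Laterally\n"
        "author: Samir Bousseaden\n"
        "level: high\n"
    ),
}


def parse_top_level_scalars(rule_text: str) -> dict:
    """Return top-level `key: value` pairs from a Sigma rule body.

    Indented lines, blank lines and comments are skipped, so nested
    logsource/detection blocks are ignored. Surrounding quotes are removed.
    """
    meta = {}
    for line in rule_text.splitlines():
        if not line or line[0] in " \t#" or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip("'\"")
        if value:
            meta[key.strip()] = value
    return meta


@dataclass
class Detection:
    system_time: str
    event_id: int
    rule_file: str          # which rule matched this event
    fields: dict = field(default_factory=dict)


def detection_rows(detections, rule_store, with_authors=False):
    """Build output rows; `rule_authors` is only present when requested,
    mirroring an opt-in flag so the default columns are unchanged."""
    metadata = {name: parse_top_level_scalars(text) for name, text in rule_store.items()}
    rows = []
    for d in detections:
        meta = metadata.get(d.rule_file, {})
        row = {
            "system_time": d.system_time,
            "id": d.event_id,
            "detection_rules": meta.get("title", d.rule_file),
        }
        if with_authors:
            # Attribution travels with the detection, not just with the rule file.
            row["rule_authors"] = meta.get("author", "unknown")
        row.update(d.fields)
        rows.append(row)
    return rows


def render(rows):
    """Render rows as an aligned plain-text table (header + one line per row)."""
    if not rows:
        return ""
    columns = list(rows[0])
    widths = {c: max(len(c), *(len(str(r.get(c, ""))) for r in rows)) for c in columns}
    header = " | ".join(c.ljust(widths[c]) for c in columns)
    lines = [header, "-+-".join("-" * widths[c] for c in columns)]
    for r in rows:
        lines.append(" | ".join(str(r.get(c, "")).ljust(widths[c]) for c in columns))
    return "\n".join(lines)


# Constructed detections, modelled on the hits shown in the thread.
SAMPLE_DETECTIONS = [
    Detection("2019-03-17 19:09:41", 11, "file_event_lsass_dump.yml",
              {"computer_name": "PC04.example.corp",
               "TargetFilename": r"C:\Users\IEUser\Desktop\lsass.exe_190317_120941.dmp"}),
    Detection("2019-05-14 14:04:05", 11, "file_event_rdp_hijack.yml",
              {"computer_name": "alice.insecurebank.local",
               "TargetFilename": r"C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.exe"}),
]

if __name__ == "__main__":
    print(render(detection_rows(SAMPLE_DETECTIONS, SAMPLE_RULES, with_authors=True)))
```

Keeping the author lookup keyed by the rule file that fired means the attribution can never drift from the rule that actually produced the hit, which is the property the DRL attribution requirement cares about.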
This has been added to master with #11. It will be live in the next release.