Compliance with DRL 1.1 #1

Closed
Neo23x0 opened this issue Sep 2, 2021 · 2 comments · Fixed by #11
Neo23x0 commented Sep 2, 2021

First of all, great tool 👍

Would it be possible to display the rule author somewhere whenever a rule matches on an eventlog entry to comply with the Detection Rule License?
Maybe in brackets behind the rule title in the column detection_rules?

https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md

I guess this would be the right location:
https://github.com/countercept/chainsaw/blob/0a4b0f22427985a6cd0af1b1fd559933e5adf6f7/src/hunt/modules.rs#L50

@fscc-jamesd (Contributor) commented

Hi @Neo23x0

Thanks for raising this issue. I must have misunderstood the DRL as my interpretation was that as long as the sigma rule base remained unmodified, referenced and linked then showing the matching detections was okay without explicitly naming the author for each detection.

My thought process for how the analyst workflow would work was:

Run Chainsaw -> View Detections -> Read Detection Logic -> Verify Chainsaw Detections Against Raw Data

The author information would be visible in the "Read Detection Logic" step when the analyst goes to the specific Sigma rule.

Regardless, I'm more than happy to add support for your requirements. I've opened PR #5 which adds --authors as an optional flag to the hunt module. Using this flag will add a new column to the table/CSV output which will include the author information. For example:

[+] Detection: (External Rule) - Suspicious File Creation
┌─────────────────────┬────┬────────────────────────────────┬───────────────────────────────────┬────────────────────────────┬──────────────────────────────────────────┬──────────────────────────────────────────┐
│     system_time     │ id │        detection_rules         │           rule_authors            │       computer_name        │      Event.EventData.TargetFilename      │                  image                   │
├─────────────────────┼────┼────────────────────────────────┼───────────────────────────────────┼────────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤
│ 2019-03-17 19:09:41 │ 11 │ ‣ LSASS Memory Dump File       │ ‣ Teymur Kheirkhabarov            │ "PC04.example.corp"        │ C:\Users\IEUser\Desktop\lsass.exe_190317 │ C:\Users\IEUser\Desktop\procdump.exe     │
│                     │    │ Creation                       │ oscd.community                    │                            │ _120941.dmp                              │                                          │
├─────────────────────┼────┼────────────────────────────────┼───────────────────────────────────┼────────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤
│ 2019-03-17 19:10:03 │ 11 │ ‣ LSASS Memory Dump File       │ ‣ Teymur Kheirkhabarov            │ "PC04.example.corp"        │ C:\Users\IEUser\AppData\Local\Temp\lsass │ C:\Windows\system32\taskmgr.exe          │
│                     │    │ Creation                       │ oscd.community                    │                            │  (2).DMP                                 │                                          │
├─────────────────────┼────┼────────────────────────────────┼───────────────────────────────────┼────────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤
│ 2019-05-14 14:04:05 │ 11 │ ‣ Hijack Legit RDP Session     │ ‣ Samir Bousseaden                │ "alice.insecurebank.local" │ C:\Users\administrator\AppData\Roaming\M │ C:\Windows\system32\mstsc.exe            │
│                     │    │ to Move Laterally              │                                   │                            │ icrosoft\Windows\Start Menu\Programs\Sta │                                          │
│                     │    │                                │                                   │                            │ rtup\cmd.exe                             │                                          │

As long as you're happy that this satisfies the conditions of the DRL then I'll merge the PR.
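Added example, not Chainsaw's own code: a minimal illustration of what the `--authors` column above has to do, namely pull the `author` field out of each matching Sigma rule and render it next to the rule title so the DRL attribution travels with the detection. The two rule texts are constructed samples, and the line-based YAML handling is an assumption that only top-level scalar keys matter here.

```python
import re
from dataclasses import dataclass

# Constructed sample rules (not SigmaHQ rule text); only the fields used here are present.
SAMPLE_RULES = [
    "title: LSASS Memory Dump File Creation\n"
    "author: Teymur Kheirkhabarov, oscd.community\n"
    "level: high\n",
    "title: Hijack Legit RDP Session to Move Laterally\n"
    "author: Samir Bousseaden\n"
    "level: medium\n",
]

# Matches a top-level "key: value" line; nested mappings and lists are ignored.
_TOP_LEVEL = re.compile(r"^([A-Za-z_][\w-]*):\s*(.*?)\s*$")


@dataclass
class RuleMeta:
    title: str
    authors: list


def parse_rule_meta(text: str) -> RuleMeta:
    """Extract title and author from a Sigma rule's top-level scalar keys.

    Assumption: a line-based YAML subset is enough for these two fields; a
    real implementation would use a YAML parser. Sigma lists several authors
    in one comma-separated string, so the field is split on commas.
    """
    fields = {}
    for line in text.splitlines():
        m = _TOP_LEVEL.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    raw = fields.get("author", "")
    authors = [a.strip() for a in raw.split(",") if a.strip()]
    return RuleMeta(title=fields.get("title", "<untitled>"),
                    authors=authors or ["<unknown>"])


def attribution_cells(rules):
    """Build the detection_rules and rule_authors cells for one matched event.

    Each matching rule contributes one bulleted line per cell, in the style of
    the table output shown above, so the author is never separated from the
    rule that fired.
    """
    names = "\n".join("\u2023 " + r.title for r in rules)
    authors = "\n".join("\u2023 " + ", ".join(r.authors) for r in rules)
    return names, authors
```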

@fscc-jamesd (Contributor) commented

This has been added to master with #11. It will be live in the next release.
