
Sigma.Windows.Hayabusa.Rule: PwSh Engine Started rule's Details fields value is null #32

Closed
fukusuket opened this issue May 3, 2024 · 2 comments · Fixed by #33

fukusuket commented May 3, 2024

Hello, thank you for maintaining the rules :)

I found that the Sigma.Windows.Hayabusa.Rule: PwSh Engine Started rule's Details field value is null, as follows, so I am reporting it.

powershell

hayabusa json-timeline's output

{
    "Timestamp": "2023-10-12 16:29:10.368 +09:00",
    "RuleTitle": "PwSh Engine Started",
    "Level": "info",
    "Computer": "MyComputer",
    "Channel": "PwShClassic",
    "EventID": 400,
    "RecordID": 15,
    "Details": {
        "HostApplication": "powershell -ExecutionPolicy Bypass -windowstyle hidden -command C:\\mcj\\software\\win10\\antivirus\\mcafee\\mcafee_install.ps1"
    },
    "ExtraFieldInfo": {
        "CommandLine": "",
        "CommandName": "",
        "CommandPath": "",
        "CommandType": "",
        "Data": ["Available", "NewEngineState=Available\\r\\n\\tPreviousEngineState=None\\r\\n\\r\\n\\tSequenceNumber=13\\r\\n\\r\\n\\tHostName=ConsoleHost\\r\\n\\tHostVersion=5.1.22621.1778\\r\\n\\tHostId=9dffc9dd-aafe-4b79-9376-1d6cf3004052\\r\\n\\tHostApplication=powershell -ExecutionPolicy Bypass -windowstyle hidden -command C:\\mcj\\software\\win10\\antivirus\\mcafee\\mcafee_install.ps1\\r\\n\\tEngineVersion=5.1.22621.1778\\r\\n\\tRunspaceId=26c18ad2-f3f2-400e-8425-362f1e73857c\\r\\n\\tPipelineId=\\r\\n\\tCommandName=\\r\\n\\tCommandType=\\r\\n\\tScriptName=\\r\\n\\tCommandPath=\\r\\n\\tCommandLine=", "None"],
        "EngineVersion": "5.1.22621.1778",
        "HostId": "9dffc9dd-aafe-4b79-9376-1d6cf3004052",
        "HostName": "ConsoleHost",
        "HostVersion": "5.1.22621.1778",
        "NewEngineState": "Available",
        "PipelineId": "",
        "PreviousEngineState": "None",
        "RunspaceId": "26c18ad2-f3f2-400e-8425-362f1e73857c",
        "ScriptName": "",
        "SequenceNumber": 13
    }
}

original evtx's xml

<Event>
    <System>
        <Provider Name="PowerShell" />
        <EventID Qualifiers="0">400</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>4</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2023-10-12T07:29:10.3688565Z" />
        <EventRecordID>15</EventRecordID>
        <Correlation />
        <Execution ProcessID="11020" ThreadID="0" />
        <Channel>Windows PowerShell</Channel>
        <Computer>MyComputer</Computer>
        <Security />
    </System>
    <EventData>
        <Data>Available</Data>
        <Data>None</Data>
        <Data>NewEngineState=Available PreviousEngineState=None SequenceNumber=13
            HostName=ConsoleHost HostVersion=5.1.22621.1778
            HostId=9dffc9dd-aafe-4b79-9376-1d6cf3004052 HostApplication=powershell -ExecutionPolicy
            Bypass -windowstyle hidden -command
            C:\mcj\software\win10\antivirus\mcafee\mcafee_install.ps1 EngineVersion=5.1.22621.1778
            RunspaceId=26c18ad2-f3f2-400e-8425-362f1e73857c PipelineId= CommandName= CommandType=
            ScriptName= CommandPath= CommandLine=</Data>
    </EventData>
</Event>
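The EventID 400 record above carries everything of interest in its third Data element, a single string of `Key=Value` lines separated by CR/LF and tabs; HostApplication, the value the Details field is expected to show, is buried in there. The following parser is an added example, not code from the issue, from Hayabusa or from the Velociraptor artifact: it splits that blob into a dictionary and builds the Details object from it. The SAMPLE_EVENTDATA list is constructed from the string quoted in the issue (in the original XML element order), and the function names are this example's own.

```python
"""Parse the Data payload of a Windows PowerShell Classic EventID 400 event.

Added example (not Hayabusa / Velociraptor code). It shows how the
"Key=Value" blob in the event's EventData is turned into the fields that
a "PwSh Engine Started" Details object should carry.
"""

# Constructed sample, modelled on the EventData of the issue's evtx record.
# Element order follows the XML: state, previous state, then the key/value blob.
SAMPLE_EVENTDATA = [
    "Available",
    "None",
    "NewEngineState=Available\r\n\tPreviousEngineState=None\r\n\r\n"
    "\tSequenceNumber=13\r\n\r\n\tHostName=ConsoleHost\r\n"
    "\tHostVersion=5.1.22621.1778\r\n"
    "\tHostId=9dffc9dd-aafe-4b79-9376-1d6cf3004052\r\n"
    "\tHostApplication=powershell -ExecutionPolicy Bypass -windowstyle hidden "
    "-command C:\\mcj\\software\\win10\\antivirus\\mcafee\\mcafee_install.ps1\r\n"
    "\tEngineVersion=5.1.22621.1778\r\n"
    "\tRunspaceId=26c18ad2-f3f2-400e-8425-362f1e73857c\r\n"
    "\tPipelineId=\r\n\tCommandName=\r\n\tCommandType=\r\n"
    "\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine=",
]


def parse_engine_state(blob: str) -> dict:
    """Split the 'Key=Value' blob into a dict.

    Blank lines (the "\\r\\n\\r\\n" runs) are skipped, leading tabs are
    stripped, and the split is on the FIRST '=' only, so a HostApplication
    value that itself contains '=' is kept intact. Keys with no value
    (PipelineId=, CommandLine=, ...) are kept as empty strings, which is
    how the json-timeline output above reports them. Purely numeric values
    such as SequenceNumber become ints, matching that output as well.
    """
    fields = {}
    for raw in blob.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        fields[key.strip()] = int(value) if value.isdigit() else value
    return fields


def engine_started_details(event_data: list) -> dict:
    """Build the Details object for an EventID 400 record.

    The key/value blob is located by content rather than by position,
    because its index differs between the raw XML and the json-timeline
    output. If no blob is present, an empty dict is returned rather than
    None, so downstream consumers always get an object.
    """
    blob = next((d for d in event_data if "NewEngineState=" in d), "")
    fields = parse_engine_state(blob)
    host_app = fields.get("HostApplication")
    return {"HostApplication": host_app} if host_app else {}


if __name__ == "__main__":
    print(engine_started_details(SAMPLE_EVENTDATA))
```

Locating the blob by the `NewEngineState=` marker instead of a fixed index is the point worth keeping: the same record is shown above with the blob at index 2 in the XML and at index 1 in Hayabusa's Data array, and a rule that assumes one position will produce an empty Details for the other.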

scudette commented May 3, 2024

Thanks again for testing it!
