From 76a3dda7861aad5066032374e7742d890dcf06f8 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Mon, 6 Dec 2021 20:22:14 +0000
Subject: [PATCH 1/5] fixes error when implementing regex type, data should not be escaped
---
 tools/sigma/backends/hawk.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py
index 0afa8fae3..ae5f8143d 100644
--- a/tools/sigma/backends/hawk.py
+++ b/tools/sigma/backends/hawk.py
@@ -328,7 +328,8 @@ class HAWKBackend(SingleTextQueryBackend): if type(value) == SigmaRegularExpressionModifier: value = str(value) value = value.replace("*", "EEEESTAREEE")
- value = re.escape(self.generateValueNode(value, True))
+ # IS REGEX, NEVER NEED TO ESCAPE!
+ value = self.generateValueNode(value, True) value = value.replace("EEEESTAREEE", ".*") endsWith = False startsWith = False
From ea511bd761573e8132bbe799dbd4fccc7f80f60f Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Mon, 6 Dec 2021 20:50:20 +0000
Subject: [PATCH 2/5] adding file event filter
---
 tools/config/hawk.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index 583e4421c..b640d833b 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -174,6 +174,12 @@ logsources: conditions: product_name: "Sysmon" vendor_id: "23"
+ windows-file-event:
+ product: windows
+ category: file_event
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: 11 windows-wmi-sysmon: product: windows category: wmi_event
From 8871898adfba5f743b5c03dc96c07930685cd80e Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Mon, 6 Dec 2021 22:05:13 +0000
Subject: [PATCH 3/5] fixing yaml fail
---
 tools/config/hawk.yml | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index b640d833b..27bc269d1 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml 
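Review bot: With the `re.escape` call gone, the surrounding `value.replace("*", "EEEESTAREEE")` / `value.replace("EEEESTAREEE", ".*")` pair still rewrites every `*` in the regex, so a quantifier such as `a*b` is emitted as `a.*b`, which matches a different set of strings. That glob-style substitution only made sense while the value was escaped as a literal; a `SigmaRegularExpressionModifier` value is already a regex and should reach `generateValueNode` unchanged, i.e. drop both `replace` calls in this branch along with the escape. I would also replace the all-caps comment with one that states the reason, e.g. `# value is a user-supplied regex: escaping it would turn its metacharacters into literals`. Whether `generateValueNode(value, True)` still applies the backend's own quoting to a regex containing quotes or backslashes is not visible here and is worth confirming. The enclosing method starts and ends outside the hunk.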
@@ -150,7 +150,9 @@ logsources: vendor_id: "11" windows-file-event: product: windows
- category: file_create
+ category:
+ - file_create
+ - file_event conditions: product_name: "Sysmon" vendor_id: "11"
@@ -174,12 +176,6 @@ logsources: conditions: product_name: "Sysmon" vendor_id: "23"
- windows-file-event:
- product: windows
- category: file_event
- conditions:
- product_name: "Sysmon"
- vendor_id: 11 windows-wmi-sysmon: product: windows category: wmi_event
From 7a7cf4ede61dd51ccdecf70f1ffd167454c05a40 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Mon, 6 Dec 2021 22:32:10 +0000
Subject: [PATCH 4/5] fix str err
---
 tools/config/hawk.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index 27bc269d1..c87727987 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -151,8 +151,8 @@ logsources: windows-file-event: product: windows category:
- - file_create
- - file_event
+ - "file_create"
+ - "file_event" conditions: product_name: "Sysmon" vendor_id: "11"
From 1937a90cbf9221957b5a85ca25241ac6b13347b1 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Mon, 6 Dec 2021 23:03:24 +0000
Subject: [PATCH 5/5] fixing yaml err
---
 tools/config/hawk.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index c87727987..cf045ef46 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -150,9 +150,7 @@ logsources: vendor_id: "11" windows-file-event: product: windows
- category:
- - "file_create"
- - "file_event"
+ category: file_event conditions: product_name: "Sysmon" vendor_id: "11"
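Review bot: In the final patch `category: file_event` replaces `file_create` outright, so every rule that declares `category: file_create` — the category this `windows-file-event` entry mapped to Sysmon `vendor_id: "11"` before the series, as the earlier hunks at line 150 show — loses its logsource mapping and will no longer pick up the `product_name`/`vendor_id` conditions. The intermediate list form was abandoned, which the `fixing yaml err` subject suggests the config loader does not accept; if so, the way to support both categories without the duplicate `windows-file-event` key from the second patch is a second entry under a distinct key with the same conditions, keeping `file_create` on the original entry. The key name below is constructed; pick whatever naming the rest of the `logsources` block uses. I would also add a one-line comment on the new entry noting that both categories intentionally map to Sysmon event 11.

```yaml
  windows-file-event:
    product: windows
    category: file_create
    conditions:
      product_name: "Sysmon"
      vendor_id: "11"
  # both file_create and file_event rules map to Sysmon event ID 11
  windows-file-event-sysmon:   # constructed key name
    product: windows
    category: file_event
    conditions:
      product_name: "Sysmon"
      vendor_id: "11"
```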