Chainsaw Doesnt Log Sigma Rule

156 views

Skip to first unread message

Armughan

unread,

Sep 14, 2023, 5:59:51 AM9/14/23

to Wazuh | Mailing List

I have basically created a sigma rule to detect powershell execution on windows and am using chainsaw to for logging it to active_response.log file which is used by wazuh.
The problem is that chainsaw isnt detecting the rule or logging it.
Below is my sigma rule:

title: Detect PowerShell Execution
id: 4374aeb8-98c9-47d5-b319-c3321967fbb6
status: experimental
description: Detects the execution of potentially malicious PowerShell commands or scripts.
author: Your Name
date: 2023-09-14
logsource:
category: process_creation
detection:
selection:
Image:
- 'endswith:powershell.exe'
- 'endswith:powershell_ise.exe'
CommandLine:
- 'endswith:-e'
- 'endswith:-enc'
- 'endswith:-ex'
- 'endswith:-exec'
- 'endswith:-execbypass'
- 'endswith:-command'
- 'endswith:-c'
- 'endswith:-w'
- 'endswith:-nop'
- 'endswith:-ep'
- 'endswith:-file'
CommandLine|contains|all:
- 'IEX('
- 'Invoke-Expression('
- 'endswith:powershell.exe'
- 'endswith:powershell_ise.exe'
condition: selection
level: high
falsepositives:
- Legitimate administrative PowerShell usage

Below is my chainsaw.ps1 that I use to automate chainsaw running every 5 minutes

# Analyse events recorded in last 5 Minutes. Convert Start Date to Timestamp
$start_date = (Get-Date).AddMinutes(-5)
$from = Get-Date -Date $start_date -UFormat '+%Y-%m-%dT%H:%M:%S'

# Create Chainsaw Output Folder if it doesn't exist
$chainsaw_output = "$env:TMP\chainsaw_output"
If(!(test-path $chainsaw_output)) {
New-Item -ItemType Directory -Force -Path $chainsaw_output
}

# Windows Sigma Path
$windows_path = "[PATH]\chainsaw\test-sigma"

# Run Chainsaw and store JSONs in TMP folder
& '[PATH]\chainsaw.exe' hunt C:\Windows\System32\winevt -s $windows_path --mapping '[PATH]\chainsaw\mappings\sigma-event-logs-all.yml' --from $from --output $env:TMP\chainsaw_output\results.json --json --level high --level critical

# Convert JSON to new line entry for every 'group'
function Convert-JsonToNewLine($json) {
foreach($document in $json) {
$document.document | ConvertTo-Json -Compress -Depth 99 | foreach-object {
[pscustomobject]@{
group = $document.group
kind = $document.kind
document = $_
event = $document.document.data.Event.EventData
path = $document.document.path
system = $document.document.data.Event.System
name = $document.name
timestamp = $document.timestamp
authors = $document.authors
level = $document.level
source = $document.source
status = $document.status
falsepositives = $document.falsepositives
id = $document.id
logsource = $document.logsource
references = $document.references
tags = $document.tags
} | ConvertTo-Json -Compress
}
}
}

# Define the file path
$file = "C:\Program Files (x86)\ossec-agent\active-response\active-responses.log"

# Convert JSONs to new line entry and append to active-responses.log
Get-ChildItem $env:TMP\chainsaw_output -Filter *.json | Foreach-Object {
$Chainsaw_Array = Get-Content $_.FullName | ConvertFrom-Json
Convert-JsonToNewLine $Chainsaw_Array | Out-File -Append -Encoding ascii $file
}

Daniel Folch

unread,

Sep 14, 2023, 9:11:31 AM9/14/23

to Wazuh | Mailing List

Hello,

Let’s try to troubleshoot the issue.

It seems that the path variable in your script is not correct due to using [PATH], with this test script I got the following result:

# Windows Sigma Path $windows_path = "$[PATH]\chainsaw\test-sigma" Write-Output $windows_path PS C:\> powershell.exe .\test.ps1 [PATH]\chainsaw\test-sigma

If possible check if the path is correct in your case by adding Write-Output $windows_path so the path is printed.

If what you intend is to get the path of the script then you can use:

$scriptPath = split-path -parent $MyInvocation.MyCommand.Definition

Here you have the result of the test script

$scriptPath = split-path -parent $MyInvocation.MyCommand.Definition # Windows Sigma Path $windows_path = "$scriptPath" + "chainsaw\test-sigma" Write-Output $windows_path PS C:\> powershell.exe .\test.ps1 C:\chainsaw\test-sigma