Part 1: Unintentional Escaped Wildcards
Overview of Series
This is part 1 of a multi-part series covering frequent mistakes SOC Prime observes regularly in SIGMA. We will cover everything from common rule logic errors to common schema problems and even some more obscure “gotchas” to think about. Some of these ideas will extend beyond SIGMA and into general detection engineering.
Problem #1: Matching on Asterisks Instead of Wildcards
This problem was extensive with SIGMA several years ago but has since been identified by the SIGMA community and isn’t plaguing folk’s repositories anymore. However, if you have downloaded or used old SIGMA content, it may be worth going back to check for this problem.
SIGMA allows for the use of * (asterisk) and ? (question mark) as wildcards. A common mistake is to accidentally escape these characters when their use as a wildcard was intended. Using a single (backslash) before an asterisk or question mark will cause it to be treated as a character instead of a wildcard. Instead, we must escape the trailing backslash with another backslash (\* rather than *).
Regular Expression to Identify Impacted Rules via Grep or a Similar Tool:
Below are some examples to make the problem more evident.
Incorrect Example
[^\]\*/g |
In this example, an analyst meant to match on any user profile, but instead, they unintentionally escaped the wildcard character so that it will match an asterisk (*) literally:
title: Unintentional Escaped Wildcard Example
description: This rule has been stripped down to minimal fields to show the effect of unintentional escaped wildcards
detection:
selection:
Image|endswith: 'users*appdataroamingmalware.exe'
condition: selection
The Solution: Proper Escaping
In the example displayed below, we’ve correctly escaped the backslash before the wildcard so that the asterisk is treated as a wildcard:
title: Correct Wildcard Example
description: This rule has been stripped down to minimal fields to show the effect of unintentional escaped wildcards
detection:
selection:
Image|endswith: 'users\*appdataroamingmalware.exe'
condition: selection
Identifying the Problem with SOC Prime’s Warden Tool
If you use Uncoder AI, you will receive this warning from our rule Warden when potential improper wildcard usage has been observed. To invoke Warden on Uncoder AI, press CTRL+W.
“The ‘detection’ component potentially contains incorrect wildcard usage. Ensure the component uses the following. Use of asterisks (*) and question marks (?) as wildcards within a rule. A common mistake is to accidentally escape these characters when their use as a wildcard was intended. Using a single backslash () before an asterisk or a question mark (?) will be treated as a character instead of a wildcard. Ensure sure to avoid using a trailing backslash with another backslash (\* instead of *).”
Identifying the Problem With SIGMA-CLI
Unfortunately, SIGMA-CLI doesn’t currently warn against matching on asterisks or question marks.
Stay tuned to follow more articles on the Frequent SIGMA Mistakes Series and share your feedback with peers on our Discord community.
The post Frequent SIGMA Mistakes Series appeared first on SOC Prime.
