Incorrect Sigma Rule to EQL Conversion in Security Onion - Incorret conversion of CommandLine|contains|windash: ' -s'

[brazorfajeje]

Version

2.4.70

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

16

RAM

32

Storage for /

250GB

Storage for /nsm

1TB

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

No, there are no additional clues

Detail

There is a problem in the translation of the sigma rules in EQL, SO correctly translates CommandLine|contains|windash: ' -s' in process.command_line:"* -s*" or process.command_line:"* /s*" , but it doesn't put it in the parentheses, so when it concatenates with other conditions the "and" is only on the second condition and matches everything with a -s

for example

title: Qakbot Regsvr32 Calc Pattern
id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9
status: experimental
description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
references:
    - https://github.com/pr0xylife/Qakbot/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/26
modified: 2024/03/05
tags:
    - attack.defense_evasion
    - attack.execution
    - detection.emerging_threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|windash: ' -s'
        CommandLine|endswith: ' calc'
        Image|endswith: \regsvr32.exe
    condition: selection
falsepositives:
    - Unlikely
level: high

is translated in

any where process.command_line:"* -s*" or process.command_line:"* /s*" and process.command_line:"* calc" and process.executable:"*\\regsvr32.exe" 

and not

any where (process.command_line:"* -s*" or process.command_line:"* /s*") and process.command_line:"* calc" and process.executable:"*\\regsvr32.exe" 

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[defensivedepth]

I reported this bug to the Sigma project last month - they fixed it (SigmaHQ/pySigma-backend-elasticsearch@24fe2c5) and the fix made it into 2.4.80.