Getting an error while converting sigma rule to Crowdstrike query

[thekarannayak]

I only get this error in this sigma rule, others are working as expected, seems to be a bug ....

C:\Users\karan.nayak>sigma convert -p crowdstrike_fdr -t splunk ..\..\sigma_cve_2021_40444.yml
Parsing Sigma rules  [####################################]  100%
Error while conversion: Only file name of parent image is available in CrowdStrike events.

[thomaspatzke]

No, this is an intentional error thrown by the CrowdStrike pipeline in case that ParentImage not only contains a file name (ParentImage|endswith: "\\parent.exe"), but more path components, e.g. ParentImage|endswith: "\\Windows\\System32\\something.exe". The reason is that CrowdStrike ProcessRollup2 events only contain the file name in the ParentBaseFileName field and therefore paths are not supported by its data model.

[thekarannayak]

Thank you for your reply! Let me share you an example sigma rule which is throwing the error I mentioned:

title: MAL_CVE-2021-40444
id: 64a16f62-c931-49fc-aa37-bf4398e8a9ef
description: Detects a process pattern used by malicious documents exploiting CVE-2021-40444
references:
    - https://www.joesandbox.com/analysis/476188/1/html
    - https://mobile.twitter.com/rimpq/status/1435559265440251905
    - https://twitter.com/neonprimetime/status/1435586404034269186

status: stable
author: CNANCE, Insikt Group, Recorded Future
date: 2021/09/08
level: high
tags:
    - attack.initial_access
    - attack.t1566.001 # Phishing: Spearphishing Attachment
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith:
            - 'WINWORD.EXE'
            - 'EXCEL.EXE'
            - 'POWERPNT.EXE'
        Image|endswith:
            'control.exe'
        CommandLine|contains:
            - 'AppData'
            - 'temp'
            - 'programdata'
        CommandLine|contains|all:
            - '.cpl:'
            - '../'
            - '.inf'
    selection2:
        ParentImage|endswith:
            'control.exe'
        Image|endswith:
            'rundll32.exe'
        CommandLine|contains|all:
            - 'Shell32.dll,Control_RunDLL'
            - '.cpl:'
            - '../'
            - '.inf'
    condition: selection1 or selection2
falsepositives:
    - Unlikely

This is the above sigma rule that I was trying to convert, and according to your explanation I don't seem to verify it, cause there is no path in the sigma rule, it's only the filename, can you please check into this?

[thomaspatzke]

You should put a slash in front of the values of ParentImage|endswith because else it could also match somethingtotallydifferentthanwinword.exe, which is usually not intended. Nevertheless, I will relax the condition a bit in the next version of the CrowdStrike pipeline because there might be valid use cases for ParentImage values without slashes at the beginning.

[thomaspatzke]

Just published the version 1.0.0 with the relaxed restriction.

[thekarannayak]

Awesome, it is working now, thanks for your help!!

[thomaspatzke]

Transferred the discussion to the appropriate project.