Implement utf16/utf16be/utf16le/wide modifiers #1432

Open
YamatoSecurity opened this issue Oct 11, 2024 · 2 comments
Labels: enhancement (New feature or request), under-investigation (under investigation to develop)

Comments

@YamatoSecurity
Collaborator

YamatoSecurity commented Oct 11, 2024

Although not used in any rules yet, we would like to support the following modifiers for Sigma support completeness:

  • utf16|base64offset|contains
  • utf16be|base64offset|contains
  • utf16le|base64offset|contains
  • wide|base64offset|contains

Probably no need to support as base64offset is usually used instead of base64:

  • utf16|base64|contains
  • utf16be|base64|contains
  • utf16le|base64|contains
  • wide|base64|contains

Example:

detection:
  selection:
    CommandLine|wide|base64offset|contains: "ping"

Info: https://sigmahq.io/docs/basics/modifiers.html#wide

Prepends a byte order mark and encodes UTF16 (only used in combination with base64 modifiers)

Don't end with utf16, utf16le, utf16be or wide

The value modifier chain must not end with character set encoding modifiers (utf16, utf16le, utf16be and wide). The resulting values are internally represented as byte sequences instead of text strings and contain null characters which are usually difficult to handle in queries. Therefore they should be followed by an encoding modifier (base64, base64offset)

I think we should implement utf16 to check both utf16be and utf16le variants.
wide should be an alias for utf16le in Windows.

We should probably investigate if these encodings are being used inside base64 encoded payloads to begin with. If not, then it probably is not worth implementing.

@YamatoSecurity YamatoSecurity added the enhancement New feature or request label Oct 11, 2024
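As an added illustration of the chain discussed in this issue (example code, not Hayabusa's or pySigma's), the following Python expands `<field>|<encoding>|base64offset|contains: "<value>"` into the three alignment patterns a base64-encoded field must be searched for. It assumes `wide` is an alias for `utf16le` and that `utf16` means a little-endian byte order mark (FF FE) followed by UTF-16LE; the sample command line is constructed.

```python
import base64

# Hypothetical matcher for the Sigma chain
#   <field>|<encoding>|base64offset|contains: "<value>"
# Added example; not Hayabusa's or pySigma's implementation.

ENCODINGS = {
    "utf16le": lambda s: s.encode("utf-16le"),
    "wide":    lambda s: s.encode("utf-16le"),            # wide == utf16le
    "utf16be": lambda s: s.encode("utf-16be"),
    # utf16 prepends a byte order mark; assumed little-endian (FF FE) here
    "utf16":   lambda s: b"\xff\xfe" + s.encode("utf-16le"),
}

# base64offset: one pattern per 3-byte alignment of the value inside the
# encoded stream. Leading base64 characters that mix in bits of preceding
# bytes, and trailing ones that mix in bits of following bytes (or padding),
# are dropped so only characters fully determined by the value remain.
_START = (0, 2, 3)       # chars dropped at the front for offsets 0, 1, 2
_END = (None, -3, -2)    # chars dropped at the back, by (len + offset) % 3


def base64offset(raw: bytes) -> list[str]:
    patterns = []
    for i in range(3):
        b64 = base64.b64encode(b" " * i + raw).decode("ascii")
        patterns.append(b64[_START[i]:_END[(len(raw) + i) % 3]])
    return patterns


def patterns_for(value: str, encoding: str) -> list[str]:
    """Expand value through <encoding>|base64offset into substring patterns."""
    return base64offset(ENCODINGS[encoding](value))


def matches(field_value: str, value: str, encoding: str = "wide") -> bool:
    """Evaluate <field>|<encoding>|base64offset|contains on one field value."""
    return any(p in field_value for p in patterns_for(value, encoding))


if __name__ == "__main__":
    # Constructed sample: a PowerShell-style -EncodedCommand argument
    cmd = base64.b64encode("Start-Process ping".encode("utf-16le")).decode()
    print(patterns_for("ping", "wide"))  # three alignment patterns
    print(matches(cmd, "ping"))          # True
```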
@hitenkoku
Collaborator

The value modifier chain must not end with character set encoding modifiers (utf16, utf16le, utf16be and wide). The resulting values are internally represented as byte sequences instead of text strings and contain null characters which are usually difficult to handle in queries. Therefore they should be followed by an encoding modifier (base64, base64offset)
Usually it doesn't make sense to combine the re type modifier with any other modifier.

https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide

@YamatoSecurity YamatoSecurity changed the title Implement base64 modifiers Implement utf16/utf16be/utf16le/wide modifiers Oct 12, 2024
@YamatoSecurity
Collaborator Author

@hitenkoku Thanks for the information! I was mistaken on how it was being used. I updated the specifications.
