See if a UDM field contains a substring of another UDM field

Is there any way in Yara-L to check if a UDM field contains a substring of another UDM field? The following example shows a use case for this and the question I am trying to ask of the data:

rule variable_testing {
meta:
  author = "amalone"
  description = "Test to see if we can find a substring of one UDM field inside another udm field"
  severity = "Low"

events:
  $file.metadata.event_type = "FILE_MODIFICATION"
  $file.principal.hostname = $hst
  // Get the name of the file involved in the file modification
  $fileName = re.capture($file.target.file.full_path, `(?:\\|\/)([^\/\\]+)$`)

  $launch.metadata.event_type = "PROCESS_LAUNCH"
  $launch.principal.hostname = $hst
  /*
  Is it possible to see if a UDM field contains a substring of another UDM field? For example, I have a file modification where I grab the name
  of the file using the re.capture function. I want to match this event with a process launch event on the same host where the target.process.command_line
  contains the name of the file from the file modification. The following two lines are syntactically incorrect but demonstrate the idea of what I'm trying to accomplish.

  //re.regex($launch.target.process.command_line, $fileName)

  //re.regex($launch.target.process.command_line, re.capture($event.target.file.full_path, `(?:\\|\/)([^\/\\]+)$`) ) nocase
  */

match:
  $hst over 1m

outcome:
  $name = array_distinct($fileName)

condition:
  $file and $launch
}
1 ACCEPTED SOLUTION

Looks like I was beaten to the punch, but since I already prepped this I'll throw it in here with the hope that this makes things even more clear. 

The logic in the original post appears like it should work. I adapted it to some sample data we have in our demo instance. I kept this to a single event, but the logic remains identical. 

The rule:

rule variable_testing {
meta:
  author = "amalone and now eugene"
  description = "Test using variable in various positions of the regex function"
  severity = "Low"

events:
  $event.metadata.event_type = "PROCESS_LAUNCH"
  $event.metadata.product_name = "Microsoft-Windows-Sysmon"
  $hostname = strings.to_lower($event.principal.hostname) // going to be "danieljones-pc"
  $name_substring = strings.to_lower(re.capture($event.principal.hostname, "^([^-]*)")) // should pick up "danieljones"
  $fullpath = $event.src.file.full_path // should be "C:\Users\danieljones\Desktop\"
  re.regex($fullpath, $name_substring) // checks to see if "danieljones" exists in the fullpath

outcome:
  $Unaltered_Hostname = $hostname
  $Extracted_Username = $name_substring
  $Full_Path = $fullpath

condition:
  $event
}

And here are some of the resulting detections along with the pertinent fields displayed (seems I can't upload images so here is a table):

| timestamp | Detection ID | event | Full_Path (Outcome) | Extracted_Username (Outcome) | Unaltered_Hostname (Outcome) |
|---|---|---|---|---|---|
| 2022-12-22T00:10:25Z | de_0c0f2e1a-e9c4-f20a-847c-3876f95239a5 | executable.exe launched by sandbox-control.exe | C:\Users\danieljones\Desktop\ | danieljones | danieljones-pc |
| 2022-12-22T00:10:35Z | de_c5e1bb87-476a-68e5-1c0f-5254d02372b5 | WindPlugin.exe launched by explorer.exe | C:\Users\danieljones\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ | danieljones | danieljones-pc |
| 2022-12-22T00:10:55Z | de_37638139-4917-93e9-d3a2-9c1e6991e340 | program.exe launched by explorer.exe | C:\Users\danieljones\Desktop\ | danieljones | danieljones-pc |
| 2022-12-22T00:24:06Z | de_83b814ab-491f-6f38-00ed-33fe65490fae | executable.exe launched by sandbox-control.exe | C:\Users\danieljones\Desktop\ | danieljones | danieljones-pc |
| 2022-12-22T00:24:16Z | de_d8c1187c-ede6-1b49-5da1-7759ccce5387 | WindPlugin.exe launched by explorer.exe | C:\Users\danieljones\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ | danieljones | danieljones-pc |
| 2022-12-22T00:24:36Z | de_fd46a82b-888c-881c-1e35-5273aa873336 | program.exe launched by explorer.exe | C:\Users\danieljones\Desktop\ | danieljones | danieljones-pc |
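As an added example that is not part of this thread, the Python below reproduces what the two rules above ask of the data: re.capture() becomes the first capture group and re.regex() a regex search, so the value extracted from one field is interpreted as a pattern when it is matched against the other. The event values are constructed sample data in the shape of the demo rows, and the escaping step (re.escape) is an assumption about what a robust rule needs, not something the thread's YARA-L does.

```python
import re

# Regexes taken from the thread. YARA-L re.capture() returns the first capture
# group; Python's re.search(...).group(1) reproduces that.
FILENAME_RE = re.compile(r"(?:\\|\/)([^\/\\]+)$")  # file name after the last / or \
HOST_PREFIX_RE = re.compile(r"^([^-]*)")           # hostname text before the first '-'


def capture(pattern, value):
    """Mimic YARA-L re.capture(): first capture group, or '' when nothing matches."""
    m = pattern.search(value)
    return m.group(1) if m else ""


def regex_match(value, pattern):
    """Mimic YARA-L re.regex(): the second argument is a pattern, not a literal."""
    return re.search(pattern, value) is not None


def file_name_in_command_line(full_path, command_line, escape=True):
    """The question's idea reduced to two fields: does a PROCESS_LAUNCH command line
    contain the file name captured from a FILE_MODIFICATION full_path? Comparison is
    case-insensitive. escape=True (assumed here, not done in the thread) quotes regex
    metacharacters so a name like 'setup(1).exe' is matched literally."""
    name = capture(FILENAME_RE, full_path).lower()  # '' for a path ending in a separator
    if not name:
        return False
    pattern = re.escape(name) if escape else name
    return regex_match(command_line.lower(), pattern)


def username_in_path(hostname, full_path):
    """The accepted answer's single-event rule: the hostname prefix before '-' must
    occur in src.file.full_path (the demo hosts are named <user>-pc)."""
    prefix = capture(HOST_PREFIX_RE, hostname).lower()
    return bool(prefix) and regex_match(full_path.lower(), re.escape(prefix))


if __name__ == "__main__":
    # Constructed sample values in the shape of the thread's demo data.
    path = "C:\\Users\\danieljones\\Desktop\\updater.exe"
    cmd = "\"C:\\Users\\danieljones\\Desktop\\UPDATER.EXE\" /quiet"
    print(file_name_in_command_line(path, cmd))  # True
    # Unescaped, '(1)' is read as a capture group and the literal name is missed.
    print(file_name_in_command_line("C:\\Temp\\setup(1).exe",
                                    "\"C:\\Temp\\setup(1).exe\" /S", escape=False))  # False
    print(username_in_path("DANIELJONES-PC", "C:\\Users\\danieljones\\Desktop\\"))  # True
```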
