pySigma Logpoint backend
Overview
This is the Logpoint backend for pySigma. It provides the package sigma.backends.logpoint with the Logpoint class.
It also contains the processing pipeline sigma.pipelines.logpoint, which performs field mapping and error handling.
Rule Support
The Logpoint backend supports the following log sources/rule types:
- Windows Sysmon
- Windows
Usage example
Sigma CLI
Coming soon.
Stand-alone
Prerequisites
- Ensure that you have Python 3 installed.
- Install Poetry, the package manager, with the following command:

```shell
curl -sSL https://install.python-poetry.org | python3 -
```

- After installation, ensure Poetry is in your system's PATH by adding the following line to your shell configuration (e.g., .bashrc, .zshrc, or .profile):

```shell
export PATH="$HOME/.local/bin:$PATH"
```

- Navigate to the project directory and run the following command to install the project dependencies:

```shell
cd pySigma-backend-logpoint
poetry install
```
- Create a Python script, test.py, in the same directory with the following content. It converts a Sigma rule of your choice into the corresponding Logpoint query; the rule used here is "Suspicious Process Masquerading As SvcHost.EXE".
```python
from sigma.backends.logpoint.logpoint import Logpoint
from sigma.pipelines.logpoint.windows import logpoint_windows_pipeline
from sigma.collection import SigmaCollection

# Place your Sigma rule YAML string here. A raw string keeps the backslashes
# in the Windows paths (e.g. '\svchost.exe') intact instead of having Python
# treat them as escape sequences.
logpoint_query = Logpoint(logpoint_windows_pipeline()).convert(
    SigmaCollection.from_yaml(
        r"""
title: Suspicious Process Masquerading As SvcHost.EXE
id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd
related:
    - id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d
      type: similar
    - id: e4a6b256-3e47-40fc-89d2-7a477edd6915
      type: similar
status: experimental
description: |
    Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location.
    Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
references:
    - https://tria.ge/240731-jh4crsycnb/behavioral2
    - https://redcanary.com/blog/threat-detection/process-masquerading/
author: Swachchhanda Shrawan Poudel
date: 2024-08-07
tags:
    - attack.defense-evasion
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
    filter_main_img_location:
        Image:
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
    filter_main_ofn:
        OriginalFileName: 'svchost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
"""
    )
)
print(logpoint_query[0])
```
- Run the script:

```shell
poetry run python3 test.py
```

It prints the generated Logpoint query:

```
label="Create" label="Process" "process"="*\svchost.exe" - ("process" in ["C:\Windows\System32\svchost.exe", "C:\Windows\SysWOW64\svchost.exe"] or file="svchost.exe")
```
Limitations and Constraints
This backend is at a preliminary stage: query conversion for uncommon log types may have issues, and it does not yet support conversion from all log sources covered by Sigma. Attempting to convert a rule for an unsupported log source may raise an error.
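The conversion call shown in test.py and the error caveat above both matter once you feed the backend more than one rule. The following batch converter is an added example, not code from the pySigma-backend-logpoint project: it screens each rule's logsource product against the list in the Rule Support section (Windows and Windows Sysmon, i.e. product "windows"), converts the remaining rules through the same Logpoint and Windows-pipeline calls as test.py, and records a per-rule error instead of stopping the batch. It assumes pySigma and this backend are installed via poetry install and that the import paths shown in test.py are correct; the two sample rules are constructed for the example, and the names rule_product, convert_batch and SUPPORTED_PRODUCTS are the example's own.

```python
"""Batch-convert Sigma rules to Logpoint queries without aborting on the
first failure.

Added example, not part of the pySigma-backend-logpoint project. It assumes
pySigma and this backend are installed (poetry install, as above) and uses the
same import paths as test.py. The sample rules below are constructed for the
example.
"""
from __future__ import annotations

import re
from typing import Callable

# The README lists Windows and Windows Sysmon as supported log sources; both
# declare "product: windows" in a Sigma rule's logsource block. Anything else
# is skipped before the backend sees it.
SUPPORTED_PRODUCTS = frozenset({"windows"})

# Sigma rules declare the product as a plain scalar under logsource, so a
# line-level scan is enough for the pre-check and avoids a YAML dependency.
_PRODUCT_RE = re.compile(r"^\s*product:\s*['\"]?([\w-]+)['\"]?\s*$", re.MULTILINE)


def rule_product(rule_yaml: str) -> str | None:
    """Return the logsource product declared in a Sigma rule, or None."""
    match = _PRODUCT_RE.search(rule_yaml)
    return match.group(1).lower() if match else None


def convert_with_logpoint(rule_yaml: str) -> str:
    """Convert one rule with the Logpoint backend and the Windows pipeline,
    exactly as test.py does."""
    # Imported here rather than at module level so the batch logic can run
    # (and be tested) on a machine without pySigma installed.
    from sigma.backends.logpoint.logpoint import Logpoint
    from sigma.collection import SigmaCollection
    from sigma.pipelines.logpoint.windows import logpoint_windows_pipeline

    queries = Logpoint(logpoint_windows_pipeline()).convert(
        SigmaCollection.from_yaml(rule_yaml)
    )
    return queries[0]


def convert_batch(
    rules: dict[str, str],
    convert: Callable[[str], str] = convert_with_logpoint,
) -> dict[str, dict[str, str]]:
    """Convert every rule in `rules` ({name: yaml text}).

    Returns {name: {"status": "ok" | "skipped" | "error", "detail": ...}}.
    A rule for an unsupported product is skipped up front; a rule the backend
    rejects is recorded as an error and the remaining rules are still converted.
    """
    results: dict[str, dict[str, str]] = {}
    for name, text in rules.items():
        product = rule_product(text)
        if product not in SUPPORTED_PRODUCTS:
            results[name] = {"status": "skipped", "detail": f"unsupported product {product!r}"}
            continue
        try:
            results[name] = {"status": "ok", "detail": convert(text)}
        except Exception as exc:  # pySigma raises SigmaError subclasses; keep going
            results[name] = {"status": "error", "detail": f"{type(exc).__name__}: {exc}"}
    return results


# Constructed sample rules: one the backend supports and one it does not.
SAMPLE_RULES = {
    "svchost_masquerade": r"""
title: Suspicious Process Masquerading As SvcHost.EXE
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
    filter_main_img_location:
        Image:
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
    condition: selection and not filter_main_img_location
""",
    "linux_cron_edit": """
title: Crontab Modified
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/crontab'
    condition: selection
""",
}

if __name__ == "__main__":
    for name, outcome in convert_batch(SAMPLE_RULES).items():
        print(f"{name}: [{outcome['status']}] {outcome['detail']}")
```

Because the converter is injected, the skip/error bookkeeping can be exercised with a stand-in for the Logpoint backend; in production leave the default so every supported rule goes through the real pipeline.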
This backend is currently maintained by Logpoint, with contributions from the following individuals:
Report Issues
If you encounter any issues, please don't hesitate to open a new issue.
Project details
Download files
Source Distribution
Built Distribution
Hashes for pysigma_backend_logpoint-0.1.0.tar.gz

Algorithm | Hash digest
---|---
SHA256 | 1c652e6c21feca01d98165b6d20b7145f78c73ebbc7cbc3ddab5a92f169f6518
MD5 | 7fbe2b8d54093f815adace92adba511a
BLAKE2b-256 | 281660ec3a0fdfb6205186d4b7186f5445d394c0dd2430682941df6c3e72c74d
Hashes for pysigma_backend_logpoint-0.1.0-py3-none-any.whl

Algorithm | Hash digest
---|---
SHA256 | e4fcfa8cbc8eb1e9fedf8baf651df3fcf30588027472bd353f5b8480ca767008
MD5 | 8c045d2bc927b5668996ddbb9884b8d6
BLAKE2b-256 | 79daed1690351aa8c590d5ff4f9164f05ef93e824cdd997574abaa16c203c0d6