Project description

pySigma Logpoint Backend

Tests Coverage Badge Status

Overview

This is the Logpoint backend for pySigma. It provides the package sigma.backends.logpoint with the Logpoint class. Further, it contains the processing pipieline sigma.pipelines.logpoint, which performs field mapping and error handling.

Rule Support

The Logpoint backend supports the following log sources/rule types:

Windows Sysmon
Windows

Usage example

Sigma CLI

--> Coming soon!!

Stand-alone

Prerequisites

Ensure that you have Python installed (3.x is recommended).
Install Poetry, the package manager with following command

   curl -sSL https://install.python-poetry.org | python3 -

After installation, ensure Poetry is in your system’s PATH by adding the following line to your shell configuration (e.g., .bashrc, .zshrc, or .profile):

export PATH="$HOME/.local/bin:$PATH"

Navigate to your project directory and run the following command to install project dependencies:

cd pySigma-backend-logpoint
poetry install

Create a python script in the same directory with following content. The following example script, test.py can be used to convert your sigma rule of your choice to generate corresponding Logpoint Query. Suspicious Process Masquerading As SvcHost.EXE

from sigma.backends.logpoint.logpoint import Logpoint
from sigma.pipelines.logpoint.windows import logpoint_windows_pipeline
from sigma.collection import SigmaCollection

# Place your sigma rule yml string here
logpoint_query = Logpoint(logpoint_windows_pipeline()).convert(
                SigmaCollection.from_yaml(
                    """
                    title: Suspicious Process Masquerading As SvcHost.EXE
                    id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd
                    related:
                        - id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d
                        type: similar
                        - id: e4a6b256-3e47-40fc-89d2-7a477edd6915
                        type: similar
                    status: experimental
                    description: |
                        Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location.
                        Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
                    references:
                        - https://tria.ge/240731-jh4crsycnb/behavioral2
                        - https://redcanary.com/blog/threat-detection/process-masquerading/
                    author: Swachchhanda Shrawan Poudel
                    date: 2024-08-07
                    tags:
                        - attack.defense-evasion
                        - attack.t1036.005
                    logsource:
                        category: process_creation
                        product: windows
                    detection:
                        selection:
                            Image|endswith: '\svchost.exe'
                        filter_main_img_location:
                            Image:
                                - 'C:\Windows\System32\svchost.exe'
                                - 'C:\Windows\SysWOW64\svchost.exe'
                        filter_main_ofn:
                            OriginalFileName: 'svchost.exe'
                        condition: selection and not 1 of filter_main_*
                    falsepositives:
                        - Unlikely
                    level: high
                    """
                )
            )

print(logpoint_query[0])

Running the python file

poetry run python3 test.py

>> label="Create" label="Process" "process"="*\svchost.exe" - ("process" in ["C:\Windows\System32\svchost.exe", "C:\Windows\SysWOW64\svchost.exe"] or file="svchost.exe")

Limitations and Constraints

This backend is in its preliminary stage, which means there may be issues with query conversion from uncommon log types and it does not yet support conversion from all log sources covered by Sigma. Attempting to convert such rule types may result in an error.

This backend is currently maintained by Logpoint, with contributions from the following individuals:

Report Issues

If you encounter any issues, please don't hesitate to open a new issue.

Project details

These details have not been verified by PyPI

Project links

Release history Release notifications | RSS feed

0.2.0

Sep 10, 2024

This version

0.1.0

Aug 29, 2024

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pysigma_backend_logpoint-0.1.0.tar.gz (28.1 kB view hashes)

Uploaded Aug 29, 2024 Source

Built Distribution

pysigma_backend_logpoint-0.1.0-py3-none-any.whl (27.8 kB view hashes)

Uploaded Aug 29, 2024 Python 3

Hashes for pysigma_backend_logpoint-0.1.0.tar.gz

Hashes for pysigma_backend_logpoint-0.1.0.tar.gz
Algorithm	Hash digest
SHA256	`1c652e6c21feca01d98165b6d20b7145f78c73ebbc7cbc3ddab5a92f169f6518`
MD5	`7fbe2b8d54093f815adace92adba511a`
BLAKE2b-256	`281660ec3a0fdfb6205186d4b7186f5445d394c0dd2430682941df6c3e72c74d`

Hashes for pysigma_backend_logpoint-0.1.0-py3-none-any.whl

Hashes for pysigma_backend_logpoint-0.1.0-py3-none-any.whl
Algorithm	Hash digest
SHA256	`e4fcfa8cbc8eb1e9fedf8baf651df3fcf30588027472bd353f5b8480ca767008`
MD5	`8c045d2bc927b5668996ddbb9884b8d6`
BLAKE2b-256	`79daed1690351aa8c590d5ff4f9164f05ef93e824cdd997574abaa16c203c0d6`