Relaxed ParentImage restriction: file name suffix patterns

SigmaHQ · Feb 16, 2023 · 8026e07 · 8026e07
1 parent 109d3fd
commit 8026e07
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/sigma/pipelines/crowdstrike/crowdstrike.py b/sigma/pipelines/crowdstrike/crowdstrike.py
@@ -137,7 +137,7 @@ def crowdstrike_fdr_pipeline():
                 detection_item_conditions=[
                     MatchStringCondition(
                         cond="any",
-                        pattern="^\\*\\\\[^\\\\]+$",
+                        pattern="^\\*\\\\?[^\\\\]+$",
                         negate=True,
                     )
                 ]

diff --git a/tests/test_processing_pipelines_crowdstrike.py b/tests/test_processing_pipelines_crowdstrike.py
@@ -41,6 +41,21 @@ def process_creation_sigma_rule_parentimage():
             condition: sel
     """)
 
+@pytest.fixture
+def process_creation_sigma_rule_parentimage_without_slash():
+    return SigmaCollection.from_yaml("""
+        title: Process Creation Test
+        status: test
+        logsource:
+            category: process_creation
+            product: windows
+        detection:
+            sel:
+                CommandLine: "test.exe foo bar"
+                ParentImage: "*parent.exe"
+            condition: sel
+    """)
+
 @pytest.fixture
 def process_creation_sigma_rule_parentimage_path():
     return SigmaCollection.from_yaml("""
@@ -110,6 +125,11 @@ def test_crowdstrike_pipeline_parentimage(resolver : ProcessingPipelineResolver,
     backend = TextQueryTestBackend(pipeline)
     assert backend.convert(process_creation_sigma_rule_parentimage) == ["event_simpleName=\"ProcessRollup2\" and CommandLine=\"test.exe foo bar\" and ParentBaseFileName=\"parent.exe\""]
 
+def test_crowdstrike_pipeline_parentimage_without_slash(resolver : ProcessingPipelineResolver, process_creation_sigma_rule_parentimage_without_slash):
+    pipeline = resolver.resolve_pipeline("crowdstrike")
+    backend = TextQueryTestBackend(pipeline)
+    assert backend.convert(process_creation_sigma_rule_parentimage_without_slash) == ["event_simpleName=\"ProcessRollup2\" and CommandLine=\"test.exe foo bar\" and ParentBaseFileName endswith \"parent.exe\""]
+
 def test_crowdstrike_pipeline_parentimage_path(resolver : ProcessingPipelineResolver, process_creation_sigma_rule_parentimage_path):
     pipeline = resolver.resolve_pipeline("crowdstrike")
     backend = TextQueryTestBackend(pipeline)