Frequent SIGMA Mistakes Series

September 12, 2023 · 3 min read

Part 1: Unintentional Escaped Wildcards

Overview of Series

This is part 1 of a multi-part series covering frequent mistakes SOC Prime observes regularly in SIGMA. We will cover everything from common rule logic errors to common schema problems and even some more obscure “gotchas” to think about. Some of these ideas will extend beyond SIGMA and into general detection engineering.

Problem #1: Matching on Asterisks Instead of Wildcards

This problem was widespread in SIGMA several years ago, but the SIGMA community has since identified it and it no longer plagues most repositories. However, if you have downloaded or reused old SIGMA content, it is worth going back to check for it.

SIGMA allows the use of * (asterisk) and ? (question mark) as wildcards. A common mistake is to accidentally escape these characters when they were intended as wildcards. A single \ (backslash) placed directly before an asterisk or question mark causes it to be treated as a literal character instead of a wildcard. In a Windows path, the backslash that precedes the wildcard is a path separator, so that backslash must itself be escaped with another backslash (\\* rather than \*): the first two backslashes become one literal backslash and the asterisk remains a wildcard.

Regular expression to identify impacted rules with grep or a similar tool (the trailing /g is a JavaScript-style global-match flag, not part of the pattern; the pattern itself is [^\\]\\\*, and the same idea with \? instead of \* finds escaped question marks):

[^\\]\\\*/g

Below are some examples to make the problem more evident.

Incorrect Example

In this example, an analyst meant to match on any user profile, but instead, they unintentionally escaped the wildcard character so that it will match an asterisk (*) literally:

title: Unintentional Escaped Wildcard Example
description: This rule has been stripped down to minimal fields to show the effect of unintentional escaped wildcards
detection:
  selection:
    Image|endswith: '\users\*\appdata\roaming\malware.exe'
  condition: selection

The Solution: Proper Escaping

In the example displayed below, we’ve correctly escaped the backslash before the wildcard so that the asterisk is treated as a wildcard:

title: Correct Wildcard Example
description: This rule has been stripped down to minimal fields to show the effect of unintentional escaped wildcards
detection:
  selection:
    Image|endswith: '\users\\*\appdata\roaming\malware.exe'
  condition: selection
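To make the escaping rules and the grep caveat concrete, here is an added Python example (not SOC Prime's code and not part of the original post) that tokenizes a SIGMA string value under the specification's escaping rules, evaluates the |endswith modifier against a constructed process path for the two rule values above, and lints a value for escaped wildcards. The path C:\Users\alice\... and all function names are assumptions for this illustration.

```python
import re

# Sigma escaping rules (Sigma specification): '\\' is a literal backslash,
# '\*' and '\?' are a literal asterisk / question mark, unescaped '*' and '?'
# are wildcards, and a backslash before any other character stays literal.
def tokenize(value: str) -> list:
    """Return (kind, text) tokens: 'wild' for an active wildcard,
    'esc' for an escaped * or ? (a literal), 'lit' for any other text."""
    tokens, i = [], 0
    while i < len(value):
        c, nxt = value[i], value[i + 1:i + 2]
        if c == "\\" and nxt in ("\\", "*", "?"):
            tokens.append(("lit" if nxt == "\\" else "esc", nxt))
            i += 2
        else:
            tokens.append(("wild" if c in "*?" else "lit", c))
            i += 1
    return tokens

def sigma_value_to_regex(value: str) -> str:
    """Translate a Sigma value into a regex fragment (* -> .*, ? -> .)."""
    return "".join(
        (".*" if text == "*" else ".") if kind == "wild" else re.escape(text)
        for kind, text in tokenize(value)
    )

def endswith_matches(value: str, field: str) -> bool:
    """Emulate Sigma's |endswith modifier (case-insensitive string match)."""
    return re.search(sigma_value_to_regex(value) + r"\Z", field, re.I | re.S) is not None

def find_escaped_wildcards(value: str) -> list:
    r"""Lint: report escaped * or ? sequences, which match the literal character.
    Unlike the one-line grep pattern, this also catches '\?' and '\\\*'."""
    return ["\\" + text for kind, text in tokenize(value) if kind == "esc"]

# Constructed sample data: the two values from the post and an invented path.
WRONG = r"\users\*\appdata\roaming\malware.exe"
RIGHT = r"\users\\*\appdata\roaming\malware.exe"
SAMPLE_IMAGE = r"C:\Users\alice\AppData\Roaming\malware.exe"

if __name__ == "__main__":
    for label, value in (("wrong", WRONG), ("right", RIGHT)):
        print(label, endswith_matches(value, SAMPLE_IMAGE), find_escaped_wildcards(value))
```

Running it shows the incorrect value never matches the sample path and is flagged with one escaped wildcard, while the corrected value matches and is clean.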

Identifying the Problem with SOC Prime’s Warden Tool

If you use Uncoder AI, our rule Warden will show the following warning when potentially improper wildcard usage is observed. To invoke Warden in Uncoder AI, press CTRL+W.

“The ‘detection’ component potentially contains incorrect wildcard usage. Ensure the component uses the following. Use of asterisks (*) and question marks (?) as wildcards within a rule. A common mistake is to accidentally escape these characters when their use as a wildcard was intended. Using a single backslash (\) before an asterisk or a question mark (?) will be treated as a character instead of a wildcard. Be sure to avoid using a trailing backslash with another backslash (\\* instead of \*).”

Identifying the Problem With SIGMA-CLI

Unfortunately, SIGMA-CLI doesn’t currently warn against matching on asterisks or question marks. 

Stay tuned to follow more articles on the Frequent SIGMA Mistakes Series and share your feedback with peers on our Discord community. 
