Issue with yara L rule

So I have written this rule :

rule linux_user_account_created_and_deleted_in_short_time_interval {

meta:

author = "ABC"

description = "New user created and deleted in short time interval"

events:

$e1.metadata.vendor_name = "Linux"

$e1.metadata.product_name = "AuditD"

$e1.metadata.product_event_type = "useradd" nocase

$e1.metadata.description != /failed/ nocase

$user1 = re.capture($e1.metadata.description, "new\\\\suser:\\\\sname=([^,]+),\\\\sUID=")

$e1.principal.hostname = $srcHost

$ts = $e1.metadata.event_timestamp.seconds

$user1 != ""

$e2.metadata.event_timestamp.seconds > $e1.metadata.event_timestamp.seconds

$e2.metadata.vendor_name = "Linux"

$e2.metadata.product_name = "AuditD"

$e2.metadata.description = /delete user/ nocase

$user2 = re.capture($e2.metadata.description, "delete user '([^']+)'")

$e2.principal.hostname = $srcHost

$ts = $e2.metadata.event_timestamp.seconds

strings.to_lower($user1) = strings.to_lower($user2)

match:

$user1 over 12h

outcome:

$risk_score = max(20)

$alertDescription = array_distinct(strings.concat("'A user '", $user1 , "' was created and deleted on the linux server with the hostname'", $srcHost , "'within a short time interval of '", ($e2.metadata.event_timestamp.seconds - $e1.metadata.event_timestamp.seconds)/60, "' minutes.'"))

condition:

$e1 and $e2

}

Here are few of the relevant fields for user account created and deleted.

metadata.description : "new user: name=testuser_hehe1, UID=1001, GID=1001, home=/home/testuser_hehe1, shell=/bin/sh, from=/dev/pts/0"

metadata.log_type : "AUDITD"metadata.product_event_type"useradd"
metadata.product_name : "AuditD"
metadata.vendor_name : "Linux"

and
metadata.description : "delete user 'testuser_hehe1'"
metadata.log_type : "AUDITD"
metadata.product_event_type : "userdel"
metadata.product_name : "AuditD"
metadata.vendor_name : "Linux"

Is there any issue with the rule I have written? since it is not detecting the required event .

Page 1 / 1

@jstoner @AymanC

Can you look into this?

The couple of things I would suggest that you take a look at are as follows:

Using a regex through the description fields seems like more effort than is needed when event_type like user_creation and user_deletion exist. Perhaps there are better fields to use that have greater precision that can be used

Same thing with userid. There are principal and target.user.userid fields and the like in the schema. Rather than using a regex to extract this from description, can you pull these elements from other fields that have closer matches to the values you are looking for?

I'd suggest adding variables to your outcome section that show what your user and time values are so you can make sure that the values that you are trying to extract are extracted neatly to try to join them.

I'd also make sure you have simulated the event you are trying to create ahead of time so you know that data exists to meet that specific use case.

I think when tackling issues like this. Work on each condition seperately and ensure each line works. Start from the basic principle, and slowly add on to your rule with additional condition and filters ( this is if you have the simulated data as mentioned by @jstoner available). Look into the ingestion API to craft a event which is expected to help you test, if recreating the event is not feasible.

For this use case it may be of benefit looking into sliding window[1] for matches within YARA-L 2.0.

Kind Regards,

Ayman

[1]- https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded