https://github.com/crowdsecurity/pysigma-backend-crowdsec
pysigma backend for crowdsec
- Host: GitHub
- URL: https://github.com/crowdsecurity/pysigma-backend-crowdsec
- Owner: crowdsecurity
- License: lgpl-3.0
- Created: 2023-07-21T08:29:56.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2024-12-30T09:16:01.000Z (over 1 year ago)
- Last Synced: 2025-07-18T11:59:06.247Z (11 months ago)
- Language: Python
- Size: 70.3 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
# pySigma crowdsec Backend
This is a **WIP** (but functional) crowdsec backend+pipeline for [pySigma](https://github.com/SigmaHQ/pySigma/).
# Testing
Use `poetry` to set up the environment and install `sigma-cli` to test rule conversion:
```bash
poetry shell
poetry install
pip3 install sigma-cli
```
# Converting Crowdsec Rules
> By default, sigma appends everything into the same file. We want individual files with names that match the rule name.
```bash
# One scenario file per Sigma rule, named after the rule file, instead of one appended stream.
find ./rules/windows/process_creation/ -type f -print0 | while IFS= read -r -d '' i; do
  echo "${i}"
  out="./generated/$(basename "${i}")"
  sigma convert -p crowdsec -t crowdsec "${i}" > "${out}"
  # Rewrite the scenario name so it matches the rule file's basename (without extension).
  x=$(basename "${i%.*}")
  sed -i "s@name: sigmahq/.*@name: sigmahq/${x}@g" "${out}"
done
```
# Example output
```yaml
#sigma convert -p crowdsec -t crowdsec .../sigma_core/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml
type: trigger
name: sigmahq/proc_creation_win_lolbin_msdt_answer_file
description: |
  Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab)
filter: |
  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && (evt.Parsed.Image endsWith '\\msdt.exe' && evt.Parsed.CommandLine contains '\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml' && (evt.Parsed.CommandLine contains ' -af ' || evt.Parsed.CommandLine contains ' /af ') && not (evt.Parsed.ParentImage endsWith '\\pcwrun.exe'))
blackhole: 2m
#status: test
labels:
  service: windows
  confidence: 1
  spoofable: 0
  classification:
    - attack.t1218
  label: "Execute MSDT Via Answer File"
  behavior : "windows:audit"
  remediation: false
scope:
  type: ParentProcessId
  expression: evt.Parsed.ParentProcessId
```
# Supported Categories
- [x] WebServer
- [x] Windows / `registry_add`
- [x] Windows / `process_creation`