Search error and escaping characters

Lewis030 · October 12, 2023, 3:06pm

Hello there, i'm trying to play around with a rule to search for instances of the Sticky Key being abused in Windows.

The output below has been created from converting a SIGMA rule:

process where (event.category : "process" and process.command_line : "*copy " and process.command_line : "/y *" and process.command_line : "C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe")

Whenever i try this in Kibana i get a lot of errors. I understand after reading that i need to escape certain characters. Please can someone advise how to make this work. Also do i need the process where at the beginning (i don't think i do) ?

Hopefully someone can help as i intend to create and convert a few more SIGMA rules to test.

Thanks

Lewis030 · October 13, 2023, 5:59am

I may have worked it out but have no way of testing.

process.command_line : ("C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe" AND copy AND /y) AND event.category : "process"

Please could someone take a look and tell me what they think.

Thanks

system · November 10, 2023, 5:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Rule failure for Windows path exclusions? SIEM	5	468	January 6, 2021
How to search file path field value in Kibana? Kibana kql-kibana-query-language	1	1006	March 15, 2023
Struggling with searching for greater/lesser than characters in string Kibana	2	713	August 10, 2017
Query for Unicode Character in process.name Kibana	3	1143	May 21, 2021
Search special chars in .kibana index Kibana	7	1366	May 24, 2018

Search error and escaping characters

Related topics