After spending some time writing application rules for detecting Powershell, lateral movement and indicators of compromise for endpoint events I figured there would be a good post about how escaping slashes (\) works in the application world.
It took me a while to wrap my head around it, so this hopefully saves you some time.
This is what an event might look like as meta in NetWitness:
Notice the slashes in the directory field in the event itself
single slash (\)
if you were to drill on that directory meta or copy it out as text it would look like this
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{8A69D345-D564-463c-AFF1-A69D9E530F96} @StubPath
notice the single slash (\) is now escaped with another slash (\\)
What would you write your application rule to trigger on if your logic was looking for this event (Autorun Active Setup)?
nwe.callback_id exists && category = 'autorun' && autorun.type = 'explorer' && directory contains 'software\\microsoft\\active setup\\installed components'
Notice the apprule in the UI editor works on the escaped slashes (\\)
Another way to check this is to drill on the meta that you want to work with in your application rule and see how that shows up in your breadcrumbs
You can see that the breadcrumb shows the escaped string.. this is what we will use in our rule.
One more complication... what if you wanted to write your rule in NotePad++ and import them into the decoder? What would your rule look like there?
name=p2_mo_autorun_active_setup rule="nwe.callback_id exists && category = 'autorun' && autorun.type = 'explorer' && directory contains 'software\\\\microsoft\\\\active setup\\\\installed components'" alert=ioc type=application
four slashes (\\\\) ? when importing from nwr files the slashes need to be escaped again.
So one(\) slash in meta, needs two slashes (\\) in the application rule syntax, which when imported from nwr files needs four slashes (\\\\).
Another example is matching a system making a call to a remote service using sc.exe. How would we match this type of command?
sc \\win7 create remotecmdasservice binpath= "cmd /k start" type= own start= auto
name=p1_creates_remote_service rule="nwe.callback_id exists && category = 'process event' && action = 'createprocess' && filename.dst = 'sc.exe' && param contains '\\\\\\\\' && param contains ' create ' && param contains ' binpath='" alert=ioc type=application
eight (\\\\\\\\) slashes to match two (\\) as meta indicating a remote system when imported via nwr text file.
Happy hunting!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.