Fix test

Velocidex · Oct 26, 2024 · 77829a2 · 77829a2
1 parent 018efe2
commit 77829a2
Show file tree

Hide file tree

Showing 3 changed files with 111 additions and 7 deletions.
diff --git a/vql/sigma/evaluator/correlation.go b/vql/sigma/evaluator/correlation.go
@@ -261,10 +261,8 @@ func (self *timespanManager) addTime(
 	}
 
 	new_event := &TimedEvent{
-		ts: ts,
-		Event: &Event{
-			Dict: event.Copy(),
-		},
+		ts:    ts,
+		Event: event,
 	}
 	self.correlator.addEvent(ctx, scope, new_event, rule)
 

diff --git a/vql/sigma/fixtures/TestSigmaCorrelation.golden b/vql/sigma/fixtures/TestSigmaCorrelation.golden
@@ -78,7 +78,114 @@
    }
   }
  ],
- "Correlation Test VALUE_COUNT": [],
+ "Correlation Test VALUE_COUNT": [
+  {
+   "Timestamp": "2024-10-10T12:25:00+10",
+   "EventID": 4799,
+   "SubjectUserName": "admin",
+   "TargetUserName": "Distributed COM Users",
+   "Details": null,
+   "_Correlations": [
+    {
+     "Timestamp": "2024-10-10T12:22:00+10",
+     "EventID": 4799,
+     "SubjectUserName": "admin",
+     "TargetUserName": "Administrators"
+    },
+    {
+     "Timestamp": "2024-10-10T12:23:00+10",
+     "EventID": 4799,
+     "SubjectUserName": "admin",
+     "TargetUserName": "Remote Desktop Users"
+    },
+    {
+     "Timestamp": "2024-10-10T12:24:00+10",
+     "EventID": 4799,
+     "SubjectUserName": "admin",
+     "TargetUserName": "Remote Management Users"
+    },
+    {
+     "Timestamp": "2024-10-10T12:25:00+10",
+     "EventID": 4799,
+     "SubjectUserName": "admin",
+     "TargetUserName": "Distributed COM Users"
+    }
+   ],
+   "_Rule": {
+    "Title": "High-privilege group enumeration",
+    "Name": "privileged_group_enumeration",
+    "Logsource": {
+     "Product": "windows",
+     "Service": "security"
+    },
+    "Detection": {
+     "Searches": {
+      "selection": {
+       "event_matchers": [
+        [
+         {
+          "field": "EventID",
+          "values": [
+           4799
+          ]
+         },
+         {
+          "field": "TargetUserName",
+          "values": [
+           "Administrators",
+           "Remote Desktop Users",
+           "Remote Management Users",
+           "Distributed COM Users"
+          ]
+         }
+        ]
+       ]
+      }
+     },
+     "Condition": [
+      {
+       "Search": {
+        "Name": "selection"
+       }
+      }
+     ]
+    },
+    "status": "stable",
+    "Level": "informational",
+    "AdditionalFields": {
+     "falsepositives": [
+      "Administrative activity",
+      "Directory assessment tools"
+     ]
+    },
+    "correlator": {
+     "Title": "Enumeration of multiple high-privilege groups by tools like BloodHound",
+     "Correlation": {
+      "type": "value_count",
+      "rules": [
+       "privileged_group_enumeration"
+      ],
+      "group-by": [
+       "SubjectUserName"
+      ],
+      "timespan": "15m",
+      "condition": {
+       "field": "TargetUserName",
+       "gte": 4
+      }
+     },
+     "status": "stable",
+     "Level": "high",
+     "AdditionalFields": {
+      "falsepositives": [
+       "Administrative activity",
+       "Directory assessment tools"
+      ]
+     }
+    }
+   }
+  }
+ ],
  "Correlation Test TEMPORAL": [
   {
    "Timestamp": "2024-10-10T12:23:00+10",

diff --git a/vql/sigma/sigma_test.go b/vql/sigma/sigma_test.go
@@ -684,7 +684,6 @@ logsource:
 detection:
   selection:
     EventID: 4799
-    CallerProcessId: 0x0
     TargetUserName:
       - Administrators
       - Remote Desktop Users
@@ -894,7 +893,7 @@ func (self *SigmaTestSuite) TestSigmaCorrelations() {
 	for idx, test_case := range sigmaCorrelationTestCases {
 		fmt.Printf("Running case: %v: %v\n", idx, test_case.description)
 
-		if false && idx != 3 {
+		if false && idx != 2 {
 			continue
 		}