Path normalization
Currently, file and registry paths contained in Windows event data and state data appear in the format used by the kernel, in which namespace links and aliases (drive letters, hive abbreviations such as HKLM, and symbolic links such as CurrentControlSet) are fully resolved to their underlying object names. This can cause confusion when attempting to match paths in a rule. File paths in events generally appear in the following format:
\Device\HarddiskVolume1\Windows\System32\svchost.exe
Instead of:
c:\windows\system32\svchost.exe
File paths referencing data on a Server Message Block (SMB) share appear as the following:
\Device\Mup\[remote ip address]\[share name]\...
Registry paths in events generally appear in the following form:
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BF1AEDE2-3B07-4D8A-A03E-9C8B80AAD258}
\REGISTRY\USER\S-1-5-21-586946019-3361328298-3290581161-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2
Instead of in the following form:
HKLM\SYSTEM\CurrentControlSet\Services
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BF1AEDE2-3B07-4D8A-A03E-9C8B80AAD258}
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2
This means that the following rule never matches:
alert when strcmp(file.path,"c:\windows\system32\file.txt",false);
The easiest solution for this is to instead write the rule using the strstr operator, as shown in the following example:
alert when strstr(file.path,"windows\system32\file.txt",false);
Similar logic can be applied to registry key matching rules, as shown in the following example:
alert when strstr(registry.key,"Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2",false);
In addition, a built-in function exists to normalize kernel registry paths. The getregistrysubkey() function trims the hive portion off the path, leaving only the subkey, as shown in the following example:
alert when strstr(getregistrysubkey(registry.key), "Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2",false);
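The normalization the text describes, as an added Python example that is not part of the original documentation or the product's rule engine. It rewrites the kernel-format file and registry paths shown above into their familiar Win32 form and reproduces the strcmp/strstr behaviour that makes the first rule fail and the second succeed. The device-to-drive-letter table and the SID-to-HKCU mapping are constructed assumptions for this example, and the third strcmp/strstr argument is assumed to mean case-insensitive.

```python
import re

# Constructed device-to-drive mapping. On a live host it would be read with
# QueryDosDevice/mountvol; it is hard-coded so the example runs offline.
VOLUME_MAP = {r"\Device\HarddiskVolume1": "C:"}

# Matches the SID component under \REGISTRY\USER\ (e.g. S-1-5-21-...-1000).
_SID_RE = re.compile(r"^\\REGISTRY\\USER\\S-\d+(?:-\d+)+", re.IGNORECASE)


def normalize_file_path(path: str) -> str:
    """Rewrite a kernel-format file path into the Win32 form used in rules.

    \\Device\\HarddiskVolumeN\\...    -> <drive>:\\...
    \\Device\\Mup\\<host>\\<share>... -> \\\\<host>\\<share>...  (UNC)
    Unknown prefixes are returned unchanged.
    """
    lowered = path.lower()
    for device, drive in VOLUME_MAP.items():
        if lowered.startswith(device.lower() + "\\"):
            return drive + path[len(device):]
    if lowered.startswith("\\device\\mup\\"):
        return "\\" + path[len("\\Device\\Mup"):]
    return path


def normalize_registry_key(key: str) -> str:
    """Rewrite a kernel-format registry path into HKLM/HKCU form.

    \\REGISTRY\\MACHINE\\...     -> HKLM\\...
    \\REGISTRY\\USER\\<SID>\\... -> HKCU\\...  (assumes the SID is the logged-on user)
    ControlSet001 is deliberately left alone: resolving it to CurrentControlSet
    needs the HKLM\\SYSTEM\\Select value, which event data does not carry.
    """
    lowered = key.lower()
    if lowered.startswith("\\registry\\machine\\"):
        return "HKLM" + key[len("\\REGISTRY\\MACHINE"):]
    m = _SID_RE.match(key)
    if m:
        return "HKCU" + key[m.end():]
    return key


def rule_strcmp(value: str, literal: str) -> bool:
    """Mirror strcmp(value, literal, false): whole-string, case-insensitive (assumed)."""
    return value.lower() == literal.lower()


def rule_strstr(value: str, literal: str) -> bool:
    """Mirror strstr(value, literal, false): substring, case-insensitive (assumed)."""
    return literal.lower() in value.lower()
```

Running rule_strcmp on the raw kernel path from the first rule returns False, rule_strstr with the trailing fragment returns True, and rule_strcmp on the normalized path returns True, which is why the substring form is the robust choice when normalization is not available in the rule language.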
The following table describes the path formats used for various event types. Note that not every attribute uses the kernel form: imageload.imagepath, for example, carries a drive-letter path.
| Event type | Event attribute | Path example |
|---|---|---|
| process | process.path | \Device\HardDisk... |
| process | process.parentpath | \Device\HardDisk... |
| object | object.targetprocess | \Device\HardDisk... |
| image load | imageload.imagepath | c:\... |
| file | file.path | \Device\HardDisk... |
| curproc | curproc.filewritelist | \Device\HardDisk... |
| registry | registry.keyname | \REGISTRY\MACHINE\... or \REGISTRY\USER\... |
When comparing paths contained in event data against paths contained in curproc state attributes, there is no issue because the paths are both in the same format.
Example:
alert when curproc.parent.filewritelist contains process.path;