Going to start writing publicly about some of the research articles I come across in my day to day that I enjoy. Going to post more detailed info on my website when I get a chance to fully absorb what I've read, but I figured I'd share my findings here with the LimaCharlie group first.
Came across some research on evading SIEM rules: https://arxiv.org/pdf/2311.10197 / The FOSS tool built to counter it, AMIDES (An Adaptive Misuse Detection System): https://github.com/fkie-cad/amides
TL;DR:
The researchers analyzed 292 widely used SIEM rules and found that nearly half of them can be trivially evaded. Evasion techniques include simple changes like:
• Insertion: Adding extra characters to avoid string matching.
• Substitution: Using alternative commands/arguments that perform the same function.
• Omission: Leaving out optional parameters.
• Reordering: Swapping argument order to break strict regex matches.
• Recoding: Representing values differently (e.g., IP encoding tricks).
Basically, attackers can tweak their command executions just enough to sidestep detection while still pulling off their objectives.
To counter this, the authors propose Adaptive Misuse Detection, which extends traditional rule-based detection with machine learning. The idea is to compare incoming events against both the SIEM rules and a body of known-benign events, flagging events that closely resemble a rule's pattern but didn't match it and that don't look like normal activity in that environment.
They built AMIDES, an open-source tool that does this. Using a large enterprise dataset, AMIDES detected 70% of SIEM rule evasions with zero false positives, not bad.
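To make the idea concrete, here is a small added illustration (my own toy code, not the paper's method or anything from the AMIDES repo) of a brittle substring rule next to a similarity check against both the rule and known-benign events. The tool name, rule, and command lines are all constructed for the example.

```python
"""Toy "adaptive misuse detection": strict rule matching beside a
similarity check against the rule pattern and known-benign events.
All rules, tool names and command lines below are constructed."""
import re

# Constructed SIEM-style rule: name -> substring looked for in the
# process command line (the kind of strict match the paper evades).
RULES = {
    "admintool-export": "admintool.exe --export-secrets",
}

# Constructed known-benign command lines from the same environment.
BENIGN = [
    "admintool.exe --list-users",
    "admintool.exe --export-report /out:report.csv",
    "notepad.exe C:\\temp\\notes.txt",
]

def rule_match(cmdline: str) -> list[str]:
    """Strict SIEM-style matching: case-sensitive substring test."""
    return [name for name, pat in RULES.items() if pat in cmdline]

def tokens(cmdline: str) -> set[str]:
    """Normalise a command line into an order-independent token set:
    lowercase, drop quote/escape characters, split on whitespace.
    This alone blunts case changes, quote insertion and reordering."""
    cleaned = re.sub(r'["\'^]', "", cmdline.lower())
    return set(cleaned.split())

def jaccard(a: set[str], b: set[str]) -> float:
    """Set similarity in [0, 1]; 0 for two empty sets."""
    return len(a & b) / len(a | b) if a | b else 0.0

def adaptive_alert(cmdline: str, threshold: float = 0.5) -> list[str]:
    """Flag commands that did NOT trigger a rule but look more like the
    rule's pattern than like any known-benign event."""
    ev = tokens(cmdline)
    benign_sim = max(jaccard(ev, tokens(b)) for b in BENIGN)
    alerts = []
    for name, pat in RULES.items():
        rule_sim = jaccard(ev, tokens(pat))
        if (name not in rule_match(cmdline)
                and rule_sim >= threshold and rule_sim > benign_sim):
            alerts.append(name)
    return alerts

if __name__ == "__main__":
    for cmd in ["admintool.exe --export-secrets",
                "--export-secrets admintool.exe",
                "admintool.exe --list-users"]:
        print(cmd, "rule:", rule_match(cmd), "adaptive:", adaptive_alert(cmd))
```

The reordered variant slips past `rule_match` but is caught by `adaptive_alert`, while the benign `--list-users` invocation stays quiet because it is closer to the known-benign set than to the rule.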