SAF-T1001: fix Sigma unicode detection and address review findings#213
Open
fkautz wants to merge 1 commit into
Open
SAF-T1001: fix Sigma unicode detection and address review findings#213fkautz wants to merge 1 commit into
fkautz wants to merge 1 commit into
Conversation
d58cf6e to
20455cb
Compare
Fix the Sigma rule's invisible-character detection, which never matched real payloads: the literal '\uXXXX' globs were matched as literal text by production backends. Replace them with a tool_description|re regex over the actual codepoints (zero-width, bidirectional, and the U+E0000-U+E007F tag range). Rework the test harness to model real backend semantics (drop the unicode-escape hack) and add test-log cases carrying genuine invisible characters. Result: 13/13 pass with full pattern coverage. Also address the rest of the review: - Complete References with the six missing incident citations plus the RADE source; reconcile the inlined rule with the shipped file. - Reconcile the ATT&CK mapping: keep Initial Access primary, add supporting tactics, and replace the loose T1055 with T1027 (Obfuscated Files). - Expand the Description with the technical mechanism. - Correct RADE (Retrieval-Agent Deception, arXiv:2504.03767) and remove hype language. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Frederick F. Kautz IV <fkautz@alumni.cmu.edu>
20455cb to
a76534f
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Addresses the SAF-T1001 (Tool Poisoning Attack) technique review. The headline fix is the detection rule: its invisible-character patterns never matched real payloads.
Detection fix (primary)
'*\uXXXX*'. A production backend treats those as the literal 6-character string, not the U+200B codepoint, so a description containing a genuine zero-width / bidirectional / Unicode-tag character matched none of them — exactly the attack the page documents.tool_description|reregex over the actual codepoints (zero-width, bidirectional overrides/isolates, and theU+E0000-U+E007Ftag range).test_detection_rule.pyto model real backend semantics (dropped the non-standardunicode-escapedecode that was making the broken rule look green) and addedtest-logs.jsoncases carrying real invisible characters. Now 13/13 pass with full pattern coverage, and the test reflects production behavior.Other review findings
Test
🤖 Generated with Claude Code