fix: title and add python filter

Nasreddine Bencherchali
2023-01-02 15:02:28 +01:00
parent e23a63a60e
commit 083d30c19d
4 changed files with 8 additions and 5 deletions
@@ -1,4 +1,4 @@
title: Perl Inline Command Execution Using "-e"
title: Perl Inline Command Execution
id: f426547a-e0f7-441a-b63e-854ac5bdf54d
status: experimental
description: Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.
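Review bot: The description directly under the retitled line still reads "This is could be used as a way to launch a reverse shell", a typo the title fix left in place, and the same sentence appears at the same position in the php, python and ruby rules below. Since the commit already rewrites the header of all four files, the three-word fix fits here: `description: Detects execution of perl using the "-e"/"-E" flags. This could be used as a way to launch a reverse shell or execute live perl code.`, with the matching wording in the other three rules. The rest of each rule is outside the hunk.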
@@ -1,4 +1,4 @@
title: Php Inline Command Execution Using "-r"
title: Php Inline Command Execution
id: d81871ef-5738-47ab-9797-7a9c90cd4bfb
status: experimental
description: Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.
@@ -1,4 +1,4 @@
title: Python Inline Command Execution Using "-c"
title: Python Inline Command Execution
id: 899133d5-4d7c-4a7f-94ee-27355c879d90
status: experimental
description: Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code.
@@ -23,7 +23,10 @@ detection:
- OriginalFileName: 'python.exe'
selection_cli:
CommandLine|contains: ' -c'
condition: all of selection_*
filter_python: # Based on baseline
ParentImage|startswith: 'C:\Program Files\Python'
ParentImage|endswith: '\python.exe'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: medium
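Review bot: The new `filter_python` exclusion suppresses every `python.exe -c` child whose parent is an interpreter under `C:\Program Files\Python…\python.exe`, regardless of what that parent process is executing, so a script already running in the system interpreter that spawns `-c` children would no longer match; that trade-off deserves more than the bare `# Based on baseline` comment. The `startswith`/`endswith` pair also accepts any path between the prefix and `\python.exe`, which presumably is meant to cover versioned install folders but is looser than a per-folder match; whether that slack matters depends on who can write under Program Files, so it should at least be stated. I'd expand the comment to something like `filter_python: # Baseline noise: python.exe -c spawned by a python.exe from a default install folder; note this also hides -c children of any script run by that interpreter`. The enclosing `detection` block starts before the hunk.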
@@ -1,4 +1,4 @@
title: Ruby Inline Command Execution Using "-e"
title: Ruby Inline Command Execution
id: 20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8
status: experimental
description: Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.