From 083d30c19d5c9efad55d2729d46c189edbf82ee8 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 2 Jan 2023 15:02:28 +0100
Subject: [PATCH] fix: title and add python filter

---
 .../proc_creation_win_perl_inline_command_execution.yml | 2 +-
 .../proc_creation_win_php_inline_command_execution.yml | 2 +-
 .../proc_creation_win_python_inline_command_execution.yml | 7 +++++--
 .../proc_creation_win_ruby_inline_command_execution.yml | 2 +-
 4 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml
index 0b418d513..6d2e148ef 100644
--- a/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml
@@ -1,4 +1,4 @@
-title: Perl Inline Command Execution Using "-e"
+title: Perl Inline Command Execution
 id: f426547a-e0f7-441a-b63e-854ac5bdf54d
 status: experimental
 description: Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.
diff --git a/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml
index d76462058..e36ff3b05 100644
--- a/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml
@@ -1,4 +1,4 @@
-title: Php Inline Command Execution Using "-r"
+title: Php Inline Command Execution
 id: d81871ef-5738-47ab-9797-7a9c90cd4bfb
 status: experimental
 description: Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.
diff --git a/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml
index 90645f7b0..f6fe37632 100644
--- a/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml
@@ -1,4 +1,4 @@
-title: Python Inline Command Execution Using "-c"
+title: Python Inline Command Execution
 id: 899133d5-4d7c-4a7f-94ee-27355c879d90
 status: experimental
 description: Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code.
@@ -23,7 +23,10 @@ detection:
         - OriginalFileName: 'python.exe'
     selection_cli:
         CommandLine|contains: ' -c'
-    condition: all of selection_*
+    filter_python: # Based on baseline
+        ParentImage|startswith: 'C:\Program Files\Python'
+        ParentImage|endswith: '\python.exe'
+    condition: all of selection_* and not 1 of filter_*
 falsepositives:
     - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml
index 29a542518..5d9a0d1e5 100644
--- a/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml
@@ -1,4 +1,4 @@
-title: Ruby Inline Command Execution Using "-e"
+title: Ruby Inline Command Execution
 id: 20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8
 status: experimental
 description: Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.
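Review bot: The new `filter_python` exclusion in the second hunk of the python rule is keyed only on the parent being an interpreter under `C:\Program Files\Python`, so every `python -c` child of an installed interpreter is suppressed regardless of what the child runs, and the `# Based on baseline` comment does not record which benign activity that baseline actually contained. The rationale should be written down so the suppression can be re-evaluated; I would expand the comment to `# Based on baseline: python.exe from the default install path spawning python.exe -c (presumably helper/worker process spawns - confirm against the baseline data)`. If the benign pattern is interpreter-spawns-interpreter from the same installation, adding `Image|startswith: 'C:\Program Files\Python'` to the filter would narrow the exclusion to that case instead of any python child of that parent path, but whether the baseline supports that cannot be told from the hunk. Sigma convention is also to add or bump `modified:` when detection logic changes; that field lies outside the shown hunks, so I cannot tell whether it was updated.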