From 0ef3dc208282097a595642f58e5ecfb0f67bf0df Mon Sep 17 00:00:00 2001
From: frack113
Date: Thu, 15 Jul 2021 08:13:49 +0200
Subject: [PATCH] escape / in regex
---
 .../powershell/powershell_invoke_obfuscation_via_var++.yml | 3 ++-
 .../win_monitoring_for_persistence_via_bits.yml | 6 +++---
 .../sysmon_abusing_windows_telemetry_for_persistence.yml | 4 ++--
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
index 6d19dc2e1..0dcbf6928 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
@@ -4,6 +4,7 @@ description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
+modified: 2021/07/15
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
 tags:
@@ -17,7 +18,7 @@ logsource:
 detection:
 selection_1:
 EventID: 4104
- ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c/c' # FPs with |\/r
+ ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
 selection_2:
 EventID: 4103
 Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
diff --git a/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml b/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml
index c601496c3..c5aa53dbd 100644
--- a/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml
+++ b/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml
@@ -4,7 +4,7 @@ description: BITS will allow you to schedule a command to execute after a succes
 status: experimental
 author: Sreeman
 date: 2020/10/29
-modified: 2021/06/11
+modified: 2021/07/15
 tags:
 - attack.defense_evasion
 references:
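Review bot: The trailing `# FPs with |\/r` on the changed ScriptBlockText line (and the identical Payload line below it) is too terse to tell a maintainer why `cmd /r` is deliberately left out, and now that the same pattern is duplicated across two selections the reason should be written down once. I read it as "extending the alternation to `(\/c|\/r)` produced false positives", but that is an inference from the comment, not from the hunk; I would replace it with `# only 'cmd /c' is matched: adding the '/r' alternative produced false positives in testing`. As a style point, `\s+?\-f` is a lazy quantifier followed immediately by a non-whitespace literal, so it behaves exactly like `\s+-f` (the `\-` escape is also unneeded outside a character class); the plain form reads better if these rules are ever normalized. The `condition:` line of this detection block lies outside the hunk.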
@@ -16,9 +16,9 @@ logsource:
 category: process_creation
 detection:
 selection_1:
- CommandLine|re: '(?i).*bitsadmin.*/SetNotifyCmdLine.*(%COMSPEC%|cmd.exe|regsvr32.exe).*'
+ CommandLine|re: '(?i).*bitsadmin.*\/SetNotifyCmdLine.*(%COMSPEC%|cmd.exe|regsvr32.exe).*'
 selection_2:
- CommandLine|re: '(?i).*bitsadmin.*/Addfile.*(http|https|ftp|ftps):.*'
+ CommandLine|re: '(?i).*bitsadmin.*\/Addfile.*(http|https|ftp|ftps):.*'
 condition: selection_1 or selection_2
 falsepositives:
 - None observed yet.
diff --git a/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml b/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml
index 7e8315e2b..58ac60c31 100644
--- a/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml
+++ b/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml
@@ -12,7 +12,7 @@ tags:
 - attack.t1053
 author: Sreeman
 date: 2020/09/29
-modified: 2021/06/11
+modified: 2021/07/15
 fields:
 - EventID
 - CommandLine
@@ -37,5 +37,5 @@ logsource:
 category: process_creation
 detection:
 selection:
- CommandLine|re: '(?i).*schtasks.*(-|/)r.*\\Application Experience\\Microsoft Compatibility Appraiser.*'
+ CommandLine|re: '(?i).*schtasks.*(-|\/)r.*\\Application Experience\\Microsoft Compatibility Appraiser.*'
 condition: selection
\ No newline at end of file
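Review bot: On the changed `/SetNotifyCmdLine` line of selection_1 the notify program is restricted to `%COMSPEC%`, `cmd.exe` or `regsvr32.exe`, so a job whose notify command is `powershell.exe`, `rundll32.exe`, `mshta.exe` or a dropped binary path is not caught, even though `/SetNotifyCmdLine` is itself the "execute a command after a successful transfer" primitive the rule's description is about. Use of that switch should be rare on a managed host, so consider matching it on its own — `CommandLine|re: '(?i).*bitsadmin.*\/SetNotifyCmdLine.*'` — or at least widen the alternation to the common LOLBin interpreters, and then revisit the `None observed yet.` falsepositives entry. The `\/` escaping this commit adds is a no-op for PCRE/Python-style engines and presumably targets backends that wrap the pattern in `/…/` delimiters; a one-line comment above the regexes stating that would stop the next contributor from "cleaning it up" again. The `(http|https|ftp|ftps):` group on selection_2 can be written `(https?|ftps?):`, a style nit only.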
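Review bot: The changed CommandLine regex requires only a single `r` after the `-`/`/` delimiter (`(-|\/)r.*`), so besides `/run` it also matches `/ru`, `/rl`, `/ri` and `/rp`, and the unbounded `.*` lets that switch sit anywhere before the task path — an administrative `schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /ru SYSTEM` would fire. If the intent is to catch a manual trigger of the appraiser task (which is how the TelemetryController persistence gets executed on demand, as I understand the technique), anchor the switch name: `(-|\/)run\s.*\\Application Experience\\Microsoft Compatibility Appraiser`, using `\s` rather than `\b` since this PR's other rules already rely on `\s`. If all r-prefixed switches are genuinely wanted, a comment on the line saying so would save the next reader the same question. The `\ No newline at end of file` marker shows the rule still lacks a trailing newline after `condition: selection`; adding one avoids a spurious diff on the next edit.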