fix: FPs noticed in THOR testing

This commit is contained in:
Florian Roth
2022-02-21 10:15:27 +01:00
parent cf1d3aad08
commit 35d4c8bc69
4 changed files with 12 additions and 5 deletions
+4 -1
@@ -42,7 +42,10 @@ detection:
- '${${lower:j}ndi:'
- '${${upper:j}ndi:'
- '${${::-j}${::-n}${::-d}${::-i}:'
condition: keywords
filter:
- 'w.nessus.org/nessus'
- '/nessus}'
condition: keywords and not filter
falsepositives:
- Vulnerability scanning
level: high
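Review bot: The new `filter` list is matched as free-text keywords, and `keywords and not filter` discards the whole event when either substring appears anywhere in the line, so the exclusion is only as selective as those substrings; `/nessus}` is a generic path suffix rather than a scanner-specific marker, which means any JNDI-looking line that happens to carry it is no longer alerted on. Consider keeping only the host-qualified form (`w.nessus.org/nessus`), or anchoring the exclusion on the scanner's source as recorded in the log instead of on the payload text, and document the origin of the strings above the list, e.g. `# Nessus log4shell-check callbacks observed during THOR testing`. The `keywords` list and the start of the detection block lie outside the hunk.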
@@ -7,7 +7,7 @@ tags:
- attack.t1059.001
author: Florian Roth (rule), Jonhnathan Ribeiro
date: 2017/03/05
modified: 2022/02/16
modified: 2022/02/21
logsource:
product: windows
service: powershell
@@ -54,6 +54,7 @@ detection:
filter_chocolatey:
- "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
- "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
- 'Write-ChocolateyWarning'
condition: (all of convert_b64 or all of iex_selection or all of enc_selection or all of reg_selection or all of webclient_selection or all of iex_webclient) and not 1 of filter_*
falsepositives:
- Penetration tests
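Review bot: `'Write-ChocolateyWarning'` is added to `filter_chocolatey` as a bare function name, whereas the two existing entries are full install-script download lines; with `not 1 of filter_*` in the condition, that token anywhere in the command suppresses every selection in the rule, so the filter is now far broader than the Chocolatey installer it targets. The same entry is added in the two later hunks of this commit for the ps_module (`ContextInfo|contains`) and ps_script (`ScriptBlockText|contains`) variants of the rule, so the widening applies to all three. Prefer scoping it to the installer context (for example requiring it together with a chocolatey install path or URL in a dedicated filter block), or at least record why it is safe to exclude on its own, e.g. `# emitted by the Chocolatey install script; seen as FP in THOR testing`. The selection blocks this filter is weighed against begin outside the hunk.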
@@ -10,7 +10,7 @@ tags:
- attack.t1059.001
author: Florian Roth (rule), Jonhnathan Ribeiro
date: 2017/03/05
modified: 2022/02/11
modified: 2022/02/21
logsource:
product: windows
category: ps_module
@@ -61,7 +61,9 @@ detection:
- 'Net.WebClient'
- '.Download'
filter_chocolatey:
ContextInfo|contains: "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
ContextInfo|contains:
- "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
- 'Write-ChocolateyWarning'
condition: 1 of selection* and not 1 of filter*
falsepositives:
- Penetration tests
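Review bot: The rebuilt `ContextInfo|contains` list under `filter_chocolatey` carries only the community.chocolatey.org install URL and `Write-ChocolateyWarning`, whereas the classic-PowerShell and ps_script siblings touched by this commit also list `https://chocolatey.org/install.ps1')` in their `filter_chocolatey`, so the three rules now differ in which Chocolatey installs they suppress. If the omission is deliberate it deserves a comment; otherwise adding `- "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"` to the list keeps the three in step. The `selection*` blocks named in the condition start outside the hunk.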
@@ -10,7 +10,7 @@ tags:
- attack.t1059.001
author: Florian Roth (rule), Jonhnathan Ribeiro
date: 2017/03/05
modified: 2022/02/16
modified: 2022/02/21
logsource:
product: windows
category: ps_script
@@ -64,6 +64,7 @@ detection:
ScriptBlockText|contains:
- "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
- "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
- 'Write-ChocolateyWarning'
condition: 1 of select* and not 1 of filter*
falsepositives:
- Penetration tests