Merge pull request #3751 from fukusuket/refactor-remove-unnecessary-escape-regex

refactor: remove unnecessary escape (in |re block)
frack113
2022-12-04 18:00:37 +01:00
committed by GitHub
2 changed files with 4 additions and 4 deletions
@@ -7,7 +7,7 @@ references:
- https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
author: Florian Roth
date: 2021/07/30
modified: 2022/10/09
modified: 2022/12/03
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -23,7 +23,7 @@ detection:
- PipeName|re: '\\\\ntsvcs[0-9a-f]{2}'
- PipeName|re: '\\\\DserNamePipe[0-9a-f]{2}'
- PipeName|re: '\\\\SearchTextHarvester[0-9a-f]{2}'
- PipeName|re: '\\\\mypipe\-(?:f|h)[0-9a-f]{2}'
- PipeName|re: '\\\\mypipe-(?:f|h)[0-9a-f]{2}'
- PipeName|re: '\\\\windows\.update\.manager[0-9a-f]{2,3}'
- PipeName|re: '\\\\ntsvcs_[0-9a-f]{2}'
- PipeName|re: '\\\\scerpc_?[0-9a-f]{2}'
@@ -6,7 +6,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2022/11/29
modified: 2022/12/03
tags:
- attack.defense_evasion
- attack.t1027
@@ -18,7 +18,7 @@ logsource:
definition: Script block logging must be enabled
detection:
selection_4104:
ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$?\{?input\}?|noexit).+\"'
ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$?\{?input\}?|noexit).+"'
condition: selection_4104
falsepositives:
- Unknown
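Review bot: The new `ScriptBlockText|re` value still opens with `.*`, which is redundant when the `|re` modifier is applied as an unanchored search and, combined with the three `.+` runs, only adds backtracking work on long script blocks. Since this commit is already stripping unnecessary escapes from the same pattern, the leading `.*` could go in the same pass: `ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\$?\{?input\}?|noexit).+"'`. This presumes every target backend treats `re` as a search rather than a full match; if any backend anchors the pattern, the `.*` should stay. The `selection_4104` mapping and its `condition` are fully visible in the hunk, so no other selection depends on this line.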