Merge PR #5012 from @ionsor - Update Potentially Suspicious JWT Token Search Via CLI

update: Potentially Suspicious JWT Token Search Via CLI - added the `eyJhbGciOi` string, corresponding to `{"alg":` from the JWT token header. 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Feathers
2024-10-06 23:03:54 +02:00
committed by GitHub
parent d1f1fc716f
commit 5b59c6d115
@@ -1,11 +1,14 @@
title: Suspicious Office Token Search Via CLI
title: Potentially Suspicious JWT Token Search Via CLI
id: 6d3a3952-6530-44a3-8554-cf17c116c615
status: test
description: Detects possible search for office tokens via CLI by looking for the string "eyJ0eX". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.
description: |
Detects possible search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG".
This string is used as an anchor to look for the start of the JWT token used by microsoft office and similar apps.
references:
- https://mrd0x.com/stealing-tokens-from-office-applications/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-25
modified: 2024-10-06
tags:
- attack.credential-access
- attack.t1528
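Review bot: the rewritten description still says "This string is used as an anchor" although it now lists two strings ("eyJ0eX" or "eyJhbG"); change it to "These strings are used as anchors" and capitalize "Microsoft Office". It would also help to state in the description why `eyJhbG` was added: it is the base64 encoding of `{"alg`, so it matches any JWT whose header begins with the `alg` claim, which is the ordering most JWT libraries emit, meaning the rule is no longer specific to Office tokens and the new title is the right one.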
@@ -16,9 +19,13 @@ detection:
selection:
CommandLine|contains:
- 'eyJ0eXAiOi' # {"typ":
- 'eyJhbGciOi' # {"alg":
- ' eyJ0eX'
- ' "eyJ0eX"'
- " 'eyJ0eX'"
- ' eyJhbG'
- ' "eyJhbG"'
- " 'eyJhbG'"
condition: selection
falsepositives:
- Unknown
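Review bot: `falsepositives` is left at `Unknown` although the new `eyJhbG` / `eyJhbGciOi` values broaden the match from Office-style tokens (`{"typ":...`) to any JWT whose header starts with `alg`, which includes bearer tokens pasted into `curl`, CLI API clients and developer scripts; list those expected legitimate sources and reconsider the level accordingly. Minor: the comments `# {"typ":` and `# {"alg":` are slightly off, since the trailing `Oi` encodes `:"` (the colon plus the opening quote of the value), so the ten-character prefixes assume a string-valued claim, which holds for `typ` and `alg` and is fine to rely on. Note also that a token preceded directly by `=` or `:` (e.g. `token=eyJ...`) is only caught by the two full prefixes, not by the space- and quote-anchored short forms; that is acceptable because JWT headers start with `{"alg":"` or `{"typ":"` without whitespace, but a comment saying so would prevent someone "fixing" it later.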