From 5b59c6d1153a36602c1aa1b4fa8080482613a1db Mon Sep 17 00:00:00 2001
From: Feathers <93973834+ionsor@users.noreply.github.com>
Date: Sun, 6 Oct 2024 23:03:54 +0200
Subject: [PATCH] Merge PR #5012 from @ionsor - Update `Potentially Suspicious JWT Token Search Via CLI`

update: Potentially Suspicious JWT Token Search Via CLI - added the `eyJhbGciOi` string, corresponding to `{"alg":` from the JWT token header.

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 ...ml => proc_creation_win_susp_jwt_token_search.yml} | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
 rename rules/windows/process_creation/{proc_creation_win_susp_office_token_search.yml => proc_creation_win_susp_jwt_token_search.yml} (56%)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml b/rules/windows/process_creation/proc_creation_win_susp_jwt_token_search.yml
similarity index 56%
rename from rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml
rename to rules/windows/process_creation/proc_creation_win_susp_jwt_token_search.yml
index 2cde32de6..30c231516 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_jwt_token_search.yml
@@ -1,11 +1,14 @@
-title: Suspicious Office Token Search Via CLI
+title: Potentially Suspicious JWT Token Search Via CLI
 id: 6d3a3952-6530-44a3-8554-cf17c116c615
 status: test
-description: Detects possible search for office tokens via CLI by looking for the string "eyJ0eX". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.
+description: |
+ Detects possible search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG".
+ This string is used as an anchor to look for the start of the JWT token used by microsoft office and similar apps.
 references:
 - https://mrd0x.com/stealing-tokens-from-office-applications/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-25
+modified: 2024-10-06
 tags:
 - attack.credential-access
 - attack.t1528
@@ -16,9 +19,13 @@ detection:
 selection:
 CommandLine|contains:
 - 'eyJ0eXAiOi' # {"typ":
+ - 'eyJhbGciOi' # {"alg":
 - ' eyJ0eX'
 - ' "eyJ0eX"'
 - " 'eyJ0eX'"
+ - ' eyJhbG'
+ - ' "eyJhbG"'
+ - " 'eyJhbG'"
 condition: selection
 falsepositives:
 - Unknown
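Review bot: The rewritten description still reads `This string is used as an anchor` although the sentence before it now names two strings, `"eyJ0eX"` and `"eyJhbG"`. I would change the second line of the block to `These strings are used as anchors to find the start of the JWT header used by Microsoft Office and similar apps.`, which also fixes the lower-case `microsoft office`. The `tags` list continues past the end of this hunk.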
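Review bot: The four new `eyJhbG` anchors match any command line that carries a JWT as an argument, not only one that searches for a token, yet the `falsepositives` entry on the new side stays `- Unknown`. Developer or administrative tooling that passes a bearer token on the command line looks like a plausible benign hit and is worth recording, e.g. `- Legitimate tooling that passes a JWT as a command-line argument (API clients, scripted HTTP requests)`. It would also help to say why the two 10-character anchors are matched bare while the 6-character ones require a leading space or quote; presumably the shorter base64 prefix is too likely to occur inside unrelated encoded data, so a comment such as `# short prefixes need a leading space/quote to avoid matching inside unrelated base64` beside `' eyJ0eX'` would capture that. The `detection` block starts before this hunk.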