fix: explicitly escape { to make it clear that it is a literal (#3737)

2022-11-30 19:43:49 +09:00
parent 82afa90499
commit 76fece654a
5 changed files with 5 additions and 5 deletions
@@ -21,7 +21,7 @@ logsource:
    definition: PowerShell Module Logging must be enabled
 detection:
    selection_4103:
-        Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+        Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$?\{?input).*&&.*"'
    condition: selection_4103
 falsepositives:
    - Unknown
@@ -18,7 +18,7 @@ logsource:
    definition: Script block logging must be enabled
 detection:
    selection_4104:
-        ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+        ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$?\{?input\}?|noexit).+\"'
    condition: selection_4104
 falsepositives:
    - Unknown
@@ -18,7 +18,7 @@ logsource:
    definition: Script block logging must be enabled
 detection:
    selection_4104:
-        ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+        ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"'
    condition: selection_4104
 falsepositives:
    - Unknown
@@ -16,7 +16,7 @@ logsource:
 detection:
    selection:
        Image|endswith: '\xwizard.exe'
-        CommandLine|re: '{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}}'
+        CommandLine|re: '\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}'
    condition: selection
 falsepositives:
    - Unknown
@@ -30,7 +30,7 @@ detection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
-        CommandLine|re: '.*{.*{.*{.*{.*{.*'
+        CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*'
    selection4:
        Image|endswith:
            - '\powershell.exe'