security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: explicitly escape { to make it clear that it is a literal (#3737)

Browse Source
This commit is contained in:
Fukusuke Takahashi
2022-11-30 19:43:49 +09:00
committed by GitHub
parent 82afa90499
commit 76fece654a
5 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
+1 -1
View File
@@ -18,7 +18,7 @@ logsource:
definition: Script block logging must be enabled
detection:
selection_4104:
ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$?\{?input\}?|noexit).+\"'
condition: selection_4104
falsepositives:
- Unknown
rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
+1 -1
View File
@@ -18,7 +18,7 @@ logsource:
definition: Script block logging must be enabled
detection:
selection_4104:
ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"'
condition: selection_4104
falsepositives:
- Unknown