Fix parse errors

Steven
2021-04-15 02:46:41 +02:00
parent 8301b9c221
commit 9f5e8a02a4
3 changed files with 7 additions and 7 deletions
@@ -16,9 +16,9 @@ falsepositives:
- Unknown
level: high
detection:
selection_1:
selection:
- ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
condition: selection and selection_1
condition: selection
---
logsource:
product: windows
@@ -36,4 +36,4 @@ logsource:
service: security
detection:
selection:
EventID: 4697
EventID: 4697
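Review bot: After the rename, the shared block's `selection:` (the ImagePath regex) has the same name as the per-log-source `selection:` holding `EventID: 4697` in the -36,4 hunk, and the condition shrinks from `selection and selection_1` to `selection`, so the regex and the event ID are no longer explicitly ANDed. This assumes the second line of each printed pair is the new side and that the documents after `---` are merged into the first one; how a same-named key is merged depends on the converter, and one of the two constraints may be overwritten, which would either widen the rule to every 4697 event or drop the event-ID filter. If the parse error did not come from having two selections, a distinct name keeps both constraints, for example `selection_imagepath:` with `condition: selection and selection_imagepath`. The same rename is made in the second file (the echo/clip regex) and in both hunks of the getsystem rule; converting each rule and checking that the output still contains both the event ID and the pattern would confirm the result.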
@@ -16,9 +16,9 @@ falsepositives:
- Unknown
level: high
detection:
selection_1:
selection:
- ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
condition: selection and selection_1
condition: selection
---
logsource:
product: windows
@@ -14,7 +14,7 @@ tags:
- attack.t1134.001
- attack.t1134.002
detection:
selection_1:
selection:
# meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
- ServiceFileName|contains|all:
- 'cmd'
@@ -32,7 +32,7 @@ detection:
- 'rundll32'
- '.dll,a'
- '/p:'
condition: selection and selection_1
condition: selection
fields:
- ComputerName
- SubjectDomainName