Merge PR #5708 from @nasbench - Multiple updates and issue fixes
Goodlog Tests / check-baseline-win7 (push) Has been cancelled
Goodlog Tests / check-baseline-win10 (push) Has been cancelled
Goodlog Tests / check-baseline-win11 (push) Has been cancelled
Goodlog Tests / check-baseline-win11-2023 (push) Has been cancelled
Goodlog Tests / check-baseline-win2022 (push) Has been cancelled
Goodlog Tests / check-baseline-win2022-domain-controller (push) Has been cancelled
Goodlog Tests / check-baseline-win2022-0-20348-azure (push) Has been cancelled
Create Release / Create Release (push) Has been cancelled
Sigma Rule Tests / yamllint (push) Has been cancelled
Validate Sigma rules / sigma-rules-validator (push) Has been cancelled
Sigma Rule Tests / test-sigma-logsource (push) Has been cancelled
Sigma Rule Tests / test-sigma-legacy (push) Has been cancelled
Sigma Rule Tests / sigma-check (push) Has been cancelled
fix: Turla Group Commands May 2020 - Change the commandline to regex to account for additional spaces when ingesting non-XML version of logs from the eventlog.
fix: Potential Dtrack RAT Activity - Change the commandline to regex to account for additional spaces when ingesting non-XML version of logs from the eventlog.
fix: Potential Data Exfiltration Activity Via CommandLine Tools - Change the commandline to regex to account for additional spaces when ingesting non-XML version of logs from the eventlog.
fix: Suspicious Network Command - Change the commandline to regex to account for additional spaces when ingesting non-XML version of logs from the eventlog.
fix: Suspicious SYSTEM User Process Creation - Change the commandline to regex to account for additional spaces when ingesting non-XML version of logs from the eventlog.
fix: Potential Snatch Ransomware Activity - Change the commandline to regex to account for additional spaces when ingesting non-XML version of logs from the eventlog.
fix: Potential Devil Bait Malware Reconnaissance - Change the commandline to regex to account for additional spaces when ingesting non-XML version of logs from the eventlog.
fix: Mint Sandstorm - AsperaFaspex Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non-XML version of logs from the eventlog.
fix: Mint Sandstorm - ManageEngine Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non-XML version of logs from the eventlog.
update: Powershell Token Obfuscation - Powershell - Move to the TH folder in order to set the right FP expectations.
fix: Kerberoasting Activity - Initial Query - Fix issue with filter names and logic
chore: add sorting to the rule archiver script
---------
Thanks: KingKDot
Thanks: zambomarcell
Thanks: Koifman
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
committed by GitHub
parent 02f7843bcf
commit a77d3bae4b
@@ -1,44 +0,0 @@
title: Powershell Token Obfuscation - Powershell
id: f3a98ce4-6164-4dd4-867c-4d83de7eca51
related:
- id: deb9b646-a508-44ee-b7c9-d8965921c6b6
type: similar
status: test
description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
references:
- https://github.com/danielbohannon/Invoke-Obfuscation
author: frack113
date: 2022-12-27
modified: 2023-03-24
tags:
- attack.defense-evasion
- attack.t1027.009
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
# Examples:
# IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString
# &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString
# &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString
- ScriptBlockText|re: '\w+`(\w+|-|.)`[\w+|\s]'
# - ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
- ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f' # trigger on at least two placeholders. One might be used for legitimate string formatting
# ${e`Nv:pATh}
- ScriptBlockText|re: '(?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\}'
filter_envpath:
ScriptBlockText|contains: '${env:path}' # TODO: Fix this. See https://github.com/SigmaHQ/sigma/pull/4964
filter_chocolatey:
ScriptBlockText|contains:
- 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey
- 'The function also prevents `Get-ItemProperty` from failing' # https://docs.chocolatey.org/en-us/create/functions/get-uninstallregistrykey
filter_exchange:
Path|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
Path|endswith: '\bin\servicecontrol.ps1'
ScriptBlockText|contains: '`r`n'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
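Review bot: This hunk (`@@ -1,44 +0,0 @@`) only removes the rule file, so the move to the TH folder announced in the commit message cannot be verified from the diff alone; please confirm the relocated copy keeps `id: f3a98ce4-6164-4dd4-867c-4d83de7eca51` and the `related` link to `deb9b646-a508-44ee-b7c9-d8965921c6b6`, and that `modified: 2023-03-24` is bumped for the move. Two open TODOs travel with the file unchanged, the commented-out concatenation pattern (`# - ScriptBlockText|re: ... TODO: fixme`) and `filter_envpath` (`# TODO: Fix this. See https://github.com/SigmaHQ/sigma/pull/4964`); either resolve them in the new location or state in the PR that they are deferred. While the rule is being relocated it is also worth tightening the first selection pattern `'\w+`(\w+|-|.)`[\w+|\s]'`: `[\w+|\s]` is a character class that matches a literal `+` or `|` rather than the alternation `(\w+|\s)` the examples above it suggest, and the unescaped `.` inside the group matches any character, which widens the match beyond the backtick-insertion cases listed in the comments.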