Merge PR #4957 from @peterydzynski - Update regex for Powershell Token Obfuscation rules

update: Powershell Token Obfuscation - Process Creation - Optimized used regex
update: Powershell Token Obfuscation - Powershell - Optimized used regex
chore: Fixed SigmaHQ conventions broken links
peterydzynski
2024-08-10 07:26:42 -04:00
committed by GitHub
parent dbba992bc3
commit ace902b68f
5 changed files with 7 additions and 7 deletions
+1 -1
@@ -44,4 +44,4 @@ Link the fixed issues here, in case your commit fixes issues with rules or code
### SigmaHQ Rule Creation Conventions ### SigmaHQ Rule Creation Conventions
- If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md) - If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/)
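Review bot: The replacement link `https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/` targets a directory through a `blob/` URL; GitHub redirects directory paths to `tree/`, so the canonical form is `https://github.com/SigmaHQ/sigma-specification/tree/main/sigmahq/`. Since the old link named one specific conventions document and the new one lands on a directory listing, consider linking the specific document contributors are expected to read, or at least use the `tree/` form so the PR template does not rely on a redirect.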
+1 -1
@@ -29,6 +29,6 @@ jobs:
It looks like this is your first pull request on the Sigma rules repository! It looks like this is your first pull request on the Sigma rules repository!
Please make sure to read the [SigmaHQ conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md) document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval. Please make sure to read the [SigmaHQ conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/) document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.
Thanks again, and welcome to the Sigma community! :smiley: Thanks again, and welcome to the Sigma community! :smiley:
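Review bot: The message still reads "SigmaHQ conventions document" (singular) while the link now points at the `sigmahq/` directory, which holds several documents; the contributing file changed in this same commit already switches its wording to "documents", so align this text the same way and use the `tree/` form (`https://github.com/SigmaHQ/sigma-specification/tree/main/sigmahq/`) for the directory URL.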
+1 -1
@@ -48,6 +48,6 @@ git push origin your-feature-branch
## 📚 Adding or Updating Detection Rules ## 📚 Adding or Updating Detection Rules
To update or contribute a new rule please make sure to follow the guidelines in the [SigmaHQ conventions document](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md). Consider installing the [VsCode Sigma Extension](https://marketplace.visualstudio.com/items?itemName=humpalum.sigma) for auto completion and quality of life features. To update or contribute a new rule please make sure to follow the guidelines in the [SigmaHQ conventions documents](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq). Consider installing the [VsCode Sigma Extension](https://marketplace.visualstudio.com/items?itemName=humpalum.sigma) for auto completion and quality of life features.
Thank you for contributing to Sigma! 🧙‍♂️ Thank you for contributing to Sigma! 🧙‍♂️
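Review bot: `https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq` is the only one of the three updated links without a trailing slash and, like the other two, uses `blob/` for a directory; change it to `https://github.com/SigmaHQ/sigma-specification/tree/main/sigmahq/` so all three files carry the same canonical URL.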
@@ -9,7 +9,7 @@ references:
- https://github.com/danielbohannon/Invoke-Obfuscation - https://github.com/danielbohannon/Invoke-Obfuscation
author: frack113 author: frack113
date: 2022/12/27 date: 2022/12/27
modified: 2023/03/24 modified: 2024/08/10
tags: tags:
- attack.defense_evasion - attack.defense_evasion
- attack.t1027.009 - attack.t1027.009
@@ -27,7 +27,7 @@ detection:
- ScriptBlockText|re: '\w+`(\w+|-|.)`[\w+|\s]' - ScriptBlockText|re: '\w+`(\w+|-|.)`[\w+|\s]'
# - ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme # - ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
- ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f' # trigger on at least two placeholders. One might be used for legitimate string formatting - ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f' # trigger on at least two placeholders. One might be used for legitimate string formatting
- ScriptBlockText|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}' - ScriptBlockText|re: '(?i)\$\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\}'
filter_chocolatey: filter_chocolatey:
ScriptBlockText|contains: ScriptBlockText|contains:
- 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey - 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey
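Review bot: The lookahead in the new pattern, `(?=.*`)`, is evaluated right after `\$\{` and succeeds if a backtick appears anywhere later on the line, not necessarily inside the variable expression, so a plain `${env:path}` followed on the same line by an ordinary backtick escape or line continuation now matches, whereas the old pattern only fired when the backtick sat inside the braces. Bound the check to the token, e.g. `(?i)\$\{(?=[^}]*`)`?e`?n`?v`?:`?p`?a`?t`?h`?\}`, which still requires at least one backtick before the closing `}`. The `+?` quantifier on the lookahead should also go: PCRE treats a repeated assertion as at most one evaluation, so it is a no-op, and some engines (JavaScript in unicode mode, for one) reject a quantified lookahead outright. Dropping the nested `((e|n|v)*`(e|n|v)*)+` groups and adding `(?i)` are both improvements, since the old pattern was backtracking-prone and missed `${ENV:PATH}` casing.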
@@ -9,7 +9,7 @@ references:
- https://github.com/danielbohannon/Invoke-Obfuscation - https://github.com/danielbohannon/Invoke-Obfuscation
author: frack113 author: frack113
date: 2022/12/27 date: 2022/12/27
modified: 2022/12/30 modified: 2024/08/09
tags: tags:
- attack.defense_evasion - attack.defense_evasion
- attack.t1027.009 - attack.t1027.009
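Review bot: `modified` is set to `2024/08/09` here but to `2024/08/10` in the sibling PowerShell ScriptBlockText rule changed by this same commit (committed 2024/08/10); both rules receive the identical regex change, so give them the same modified date.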
@@ -26,7 +26,7 @@ detection:
- CommandLine|re: '\w+`(\w+|-|.)`[\w+|\s]' - CommandLine|re: '\w+`(\w+|-|.)`[\w+|\s]'
# - CommandLine|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme # - CommandLine|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
- CommandLine|re: '"(\{\d\})+"\s*-f' - CommandLine|re: '"(\{\d\})+"\s*-f'
- CommandLine|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}' - CommandLine|re: '(?i)\$\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\}'
condition: selection condition: selection
falsepositives: falsepositives:
- Unknown - Unknown
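Review bot: Same issue as in the ScriptBlockText rule: because `(?=.*`)` scans to the end of the command line, an unobfuscated `${env:path}` matches whenever any backtick appears later in the same CommandLine (escaped arguments, line continuations passed through `-Command`). Use `(?=[^}]*`)` so the backtick must occur inside the braces, and drop the meaningless `+?` on the lookahead. Unrelated to this change but visible in the context: the `-f` format-operator pattern here is `'"(\{\d\})+"\s*-f'` while the sibling rule uses `{2,}` to avoid single-placeholder legitimate formatting; consider aligning the two in a follow-up.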