Merge PR #4957 from @peterydzynski - Update regex for Powershell Token Obfuscation rules

update: Powershell Token Obfuscation - Process Creation - Optimized the regex used
update: Powershell Token Obfuscation - Powershell - Optimized the regex used
chore: Fixed SigmaHQ conventions broken links
This commit is contained in:
peterydzynski
2024-08-10 07:26:42 -04:00
committed by GitHub
parent dbba992bc3
commit ace902b68f
5 changed files with 7 additions and 7 deletions
+1 -1
@@ -44,4 +44,4 @@ Link the fixed issues here, in case your commit fixes issues with rules or code
### SigmaHQ Rule Creation Conventions
- If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md)
- If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/)
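Review bot: the new link target is the `sigmahq/` directory rather than the single `sigmahq_conventions.md` file, but the sentence still says "these conventions" as if one document were linked; reword to "the conventions documents" (as the CONTRIBUTING change in this same commit does) and check that the directory URL actually renders an index or README on GitHub so contributors land on something readable rather than a bare file listing.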
+1 -1
@@ -29,6 +29,6 @@ jobs:
It looks like this is your first pull request on the Sigma rules repository!
Please make sure to read the [SigmaHQ conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md) document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.
Please make sure to read the [SigmaHQ conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/) document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.
Thanks again, and welcome to the Sigma community! :smiley:
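Review bot: the greeting text still reads "the [SigmaHQ conventions](...) document" in the singular while the link now points at the `sigmahq/` directory; adjust the wording to match the target. Also note that this link keeps a trailing slash (`.../sigmahq/`) whereas the CONTRIBUTING link in this same commit uses `.../sigmahq` without one; pick one form for all three updated links so a later search-and-replace catches them together.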
+1 -1
@@ -48,6 +48,6 @@ git push origin your-feature-branch
## 📚 Adding or Updating Detection Rules
To update or contribute a new rule please make sure to follow the guidelines in the [SigmaHQ conventions document](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md). Consider installing the [VsCode Sigma Extension](https://marketplace.visualstudio.com/items?itemName=humpalum.sigma) for auto completion and quality of life features.
To update or contribute a new rule please make sure to follow the guidelines in the [SigmaHQ conventions documents](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq). Consider installing the [VsCode Sigma Extension](https://marketplace.visualstudio.com/items?itemName=humpalum.sigma) for auto completion and quality of life features.
Thank you for contributing to Sigma! 🧙‍♂️
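Review bot: the URL `https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq` lacks the trailing slash used by the other two links updated in this commit (`.../sigmahq/`); GitHub serves both, but keep them identical for consistency and greppability. The change from "conventions document" to "conventions documents" is the right wording now that the target is a directory, and the same fix should be applied to the PR template and workflow greeting in this commit, which still use the singular.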
@@ -9,7 +9,7 @@ references:
- https://github.com/danielbohannon/Invoke-Obfuscation
author: frack113
date: 2022/12/27
modified: 2023/03/24
modified: 2024/08/10
tags:
- attack.defense_evasion
- attack.t1027.009
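Review bot: `modified: 2024/08/10` matches the commit date, but the process-creation variant of this rule, changed in this same commit, is stamped `modified: 2024/08/09`; both rules received the same logic change and should carry the same modified date.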
@@ -27,7 +27,7 @@ detection:
- ScriptBlockText|re: '\w+`(\w+|-|.)`[\w+|\s]'
# - ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
- ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f' # trigger on at least two placeholders. One might be used for legitimate string formatting
- ScriptBlockText|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}'
- ScriptBlockText|re: '(?i)\$\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\}'
filter_chocolatey:
ScriptBlockText|contains:
- 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey
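Review bot: the lookahead in the new ScriptBlockText pattern, '(?=.*`)+?', has two problems. The '+?' quantifier on a zero-width assertion is a no-op (the assertion matches at the same position on every repetition) and some engines reject or warn on quantified lookarounds, so drop it. More importantly, '.*' inside the lookahead only proves that a backtick occurs somewhere later on the same line, not inside the '${env:path}' token, because every '`?' in the tail is optional; a perfectly ordinary '${env:path}' followed later on the line by an unrelated escape such as "a`nb" will therefore match, whereas the old pattern required at least one backtick between '${' and '}'. Anchor the lookahead to the token instead, e.g. '(?i)\$\{(?=[^}]*`)`?e`?n`?v`?:`?p`?a`?t`?h`?\}', which keeps the intended "at least one backtick before the closing brace" semantics while still matching split forms like '${e`nv:pa`th}'. Finally, the old pattern used neither the inline '(?i)' flag nor lookahead; confirm the target backends for this rule support both before merging.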
@@ -9,7 +9,7 @@ references:
- https://github.com/danielbohannon/Invoke-Obfuscation
author: frack113
date: 2022/12/27
modified: 2022/12/30
modified: 2024/08/09
tags:
- attack.defense_evasion
- attack.t1027.009
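Review bot: `modified: 2024/08/09` is one day behind both the commit date and the `2024/08/10` stamp given to the script-block variant of this rule in the same commit; use the same date in both rules so the change history lines up.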
@@ -26,7 +26,7 @@ detection:
- CommandLine|re: '\w+`(\w+|-|.)`[\w+|\s]'
# - CommandLine|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
- CommandLine|re: '"(\{\d\})+"\s*-f'
- CommandLine|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}'
- CommandLine|re: '(?i)\$\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\}'
condition: selection
falsepositives:
- Unknown
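Review bot: the new CommandLine regex inherits the same weakness as its ScriptBlockText twin: '(?=.*`)' only checks that a backtick appears somewhere later in the command line, not within the '${env:path}' token, since all of the '`?' in the tail are optional. Because a process-creation CommandLine is a single string, '.*' scans the entire remainder of the command, so an unobfuscated '${env:path}' in a command that also contains a legitimate escape (for example a "`n" in a later string argument) will trigger the rule, a case the previous pattern excluded by requiring a backtick inside the braces. Replace '.*' with '[^}]*' in the lookahead and drop the meaningless '+?' on the assertion: '(?i)\$\{(?=[^}]*`)`?e`?n`?v`?:`?p`?a`?t`?h`?\}'. Given the change in matching semantics, `falsepositives: - Unknown` is also worth revisiting; at minimum note that command lines containing backtick escapes elsewhere were a known source of noise.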