From c8a376179b1732043250d69eabc369eb7db204a2 Mon Sep 17 00:00:00 2001
From: Fukusuke Takahashi <41001169+fukusuket@users.noreply.github.com>
Date: Sun, 11 Aug 2024 18:54:46 +0900
Subject: [PATCH] Merge PR #4964 from @fukusuket - Fix rules to not use `Lookahead` regex

fix: Powershell Token Obfuscation - Powershell - Changed to not use Lookahead regex
fix: Powershell Token Obfuscation - Process Creation - Changed to not use Lookahead regex

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 .../powershell_script/posh_ps_token_obfuscation.yml | 8 +++++---
 .../proc_creation_win_powershell_token_obfuscation.yml | 10 ++++++----
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
index 507343c29..fe4cc6b83 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/danielbohannon/Invoke-Obfuscation
 author: frack113
 date: 2022/12/27
-modified: 2024/08/10
+modified: 2024/08/11
 tags:
 - attack.defense_evasion
 - attack.t1027.009
@@ -23,11 +23,13 @@ detection:
 # IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString
 # &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString
 # &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString
- # ${e`Nv:pATh}
 - ScriptBlockText|re: '\w+`(\w+|-|.)`[\w+|\s]'
 # - ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
 - ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f' # trigger on at least two placeholders. One might be used for legitimate string formatting
- - ScriptBlockText|re: '(?i)\$\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\}'
+ # ${e`Nv:pATh}
+ - ScriptBlockText|re: '(?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\}'
+ filter_envpath:
+ ScriptBlockText|contains: '${env:path}' # TODO: Fix this. See https://github.com/SigmaHQ/sigma/pull/4964
 filter_chocolatey:
 ScriptBlockText|contains:
 - 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml
index f7be94afa..6c88f8b51 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/danielbohannon/Invoke-Obfuscation
 author: frack113
 date: 2022/12/27
-modified: 2024/08/09
+modified: 2024/08/11
 tags:
 - attack.defense_evasion
 - attack.t1027.009
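Review bot: The replacement pattern on the added `- ScriptBlockText|re: '(?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\}'` line makes every backtick optional, so it also matches the un-obfuscated `${env:path}`, and the added `filter_envpath` compensates by discarding any event whose ScriptBlockText contains `${env:path}` anywhere; a script block that carries both the plain form and an obfuscated one such as the `${e`Nv:pATh}` example in the comment is therefore suppressed, a gap the removed lookahead did not have. At least one backtick can be required without lookahead, e.g. `(?i)\$\{(?:[env:path]*`)+[env:path]*\}` (looser on the letter order, but it never matches the plain form, so the filter becomes unnecessary), or an alternation of the single-backtick positions if exactness matters. The `selection` mapping starts above the hunk and the rule's `condition` lies below it, so confirm the condition actually references `filter_envpath` (for example via `1 of filter_*`); otherwise the new filter is dead. The same regex/filter pair is added to proc_creation_win_powershell_token_obfuscation.yml in this patch and has the same gap.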
@@ -22,12 +22,14 @@ detection:
 # IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString
 # &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString
 # &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString
- # ${e`Nv:pATh}
 - CommandLine|re: '\w+`(\w+|-|.)`[\w+|\s]'
 # - CommandLine|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
 - CommandLine|re: '"(\{\d\})+"\s*-f'
- - CommandLine|re: '(?i)\$\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\}'
- condition: selection
+ # ${e`Nv:pATh}
+ - CommandLine|re: '(?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\}'
+ filter_main_envpath:
+ CommandLine|contains: '${env:path}'
+ condition: selection and not 1 of filter_main_*
 falsepositives:
 - Unknown
 level: high
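Review bot: The new filter is named `filter_main_envpath` here while the identical filter added to posh_ps_token_obfuscation.yml in this same patch is `filter_envpath`, and this copy lacks the `# TODO: Fix this. See https://github.com/SigmaHQ/sigma/pull/4964` comment the sibling carries, although both rules implement the same workaround. Since the condition is rewritten as `condition: selection and not 1 of filter_main_*`, the name used here is the one that fits the `filter_main_*` convention, so the sibling should be aligned to it rather than the other way round, and the same TODO comment belongs on the `CommandLine|contains: '${env:path}'` line so the known limitation is visible in both rules. The `selection` mapping starts above the hunk.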