From 3085a4025a696b7f9a9f808dfbbe983cdbdcf5b8 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 20 Feb 2023 19:37:30 +0100
Subject: [PATCH 1/4] Update PULL_REQUEST_TEMPLATE.md
---
 .github/PULL_REQUEST_TEMPLATE.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index a8309e983..568e50410 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,4 +1,4 @@
-## Summary of the Pull Request
+## Summary / Title of the Pull Request
 [summary]
@@ -6,10 +6,10 @@
 [detailed description]
-## Example Log Event (In Case of FP Fixes)
+## Example Log Event
-**N/A**
+(in case of false positive fixes)
-## Relevant Issues (In Case of Issue Fixes)
+## Fixed Issues
-**N/A**
+(in case your commit fixes issues with rules or code)
From f710664dc0c6b3e2297151fb2f8f74706e360771 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Tue, 21 Feb 2023 21:53:05 +0900
Subject: [PATCH 2/4] fix: sigmac conversion error with base64offset|contains rule
---
 tools/sigma/parser/modifiers/transform.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tools/sigma/parser/modifiers/transform.py b/tools/sigma/parser/modifiers/transform.py
index 8a5267999..de47b3f32 100644
--- a/tools/sigma/parser/modifiers/transform.py
+++ b/tools/sigma/parser/modifiers/transform.py
@@ -24,6 +24,7 @@ class SigmaContainsModifier(ListOrStringModifierMixin, SigmaTransformModifier):
     """Add *-wildcard before and after all string(s)"""
     identifier = "contains"
     active = True
+    valid_input_types = ListOrStringModifierMixin.valid_input_types + (NodeSubexpression,)
 
     def apply_str(self, val):
         try:
From ecc41ad20b2c64c9003f9b9da4d35ef3d3980a72 Mon Sep 17 00:00:00 2001
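Review bot: The added `valid_input_types` line only widens what `SigmaContainsModifier` accepts; it does not show how a `NodeSubexpression` is subsequently processed, and `apply_str` on the following lines opens with a `try:` — if its except branch passes non-string values through unchanged (the body continues outside the hunk, so this is inferred), `contains` becomes a silent no-op for the subexpression that `base64offset` produces. A `base64offset|contains` rule would then convert without error but the emitted query could lack the wildcards the rule author intended, which is a detection gap rather than a crash; please confirm against the full `apply_str` body and add a conversion test for that modifier chain. A why-comment on the new line would help the next reader, e.g. `# base64offset yields a NodeSubexpression; accept it so base64offset|contains chains convert`.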
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Tue, 21 Feb 2023 16:38:05 +0100
Subject: [PATCH 3/4] fix: FP with chocolatey
---
 .../powershell_script/posh_ps_token_obfuscation.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
index cad0c455c..84fe1ffba 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
@@ -9,7 +9,7 @@ references:
     - https://github.com/danielbohannon/Invoke-Obfuscation
 author: frack113
 date: 2022/12/27
-modified: 2023/01/24
+modified: 2023/02/21
 tags:
     - attack.defense_evasion
     - attack.t1027.009
@@ -29,7 +29,9 @@ detection:
         - ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f' # trigger on at least two placeholders. One might be used for legitimate string formatting
         - ScriptBlockText|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}'
     filter:
-        ScriptBlockText|contains: 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey
+        ScriptBlockText|contains:
+            - 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey
+            - 'The function also prevents `Get-ItemProperty` from failing' # https://docs.chocolatey.org/en-us/create/functions/get-uninstallregistrykey
     condition: selection and not filter
 falsepositives:
     - Unknown
From 2530cd72de925d215efd2c49c5056690021df87d Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Tue, 21 Feb 2023 16:38:33 +0100
Subject: [PATCH 4/4] chore: update submodule cti
---
 tests/cti | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/cti b/tests/cti
index 4cbf8cc4b..b195cbc81 160000
--- a/tests/cti
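Review bot: The `falsepositives` block in the second hunk still reads `- Unknown` while the filter now names two specific Chocolatey sources, so the rule's metadata contradicts its own exclusion; update it in the same commit, e.g. `    - Chocolatey install scripts and helper functions (Get-UninstallRegistryKey)`. Each entry under the new `ScriptBlockText|contains` list exempts every script block that carries that substring (a list under a field in Sigma is OR-ed), so the rule's blind spot grows with every phrase added here; the two strings chosen are long and Chocolatey-specific, which limits that, but it is worth documenting the trade-off in `falsepositives` and, if the log source offers a Chocolatey-specific path or module name, considering an additional filter tied to it. The first hunk (the `modified` date bump) is consistent with the change and needs nothing further.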
+++ b/tests/cti
@@ -1 +1 @@
-Subproject commit 4cbf8cc4bdf2121ee987a23bfe5aac4fe4d2f5b1
+Subproject commit b195cbc81adbfb8ca3306c283179168bdd9011fa