security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: values missed escaping

Browse Source
This commit is contained in:
Florian Roth
2022-03-05 10:39:15 +01:00
parent 8b29c2202c
commit ec62ec6bbb
3 changed files with 7 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/powershell/powershell_script/posh_ps_suspicious_iofilestream.yml
+2 -2
View File
@@ -3,7 +3,7 @@ id: 70ad982f-67c8-40e0-a955-b920c2fa05cb
status: experimental
description: Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume.
date: 2022/01/09
modified: 2022/01/10
modified: 2022/03/05
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md
@@ -16,7 +16,7 @@ detection:
ScriptBlockText|contains|all:
- New-Object
- IO.FileStream
- '\\.\'
- '\\\\.\\'
condition: selection
falsepositives:
- Legitimate PowerShell scripts
rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml
+3 -3
View File
@@ -7,7 +7,7 @@ references:
- https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
date: 2021/07/27
modified: 2021/08/30
modified: 2022/03/05
tags:
- attack.execution
- attack.t1059
@@ -23,11 +23,11 @@ detection:
ParentCommandLine|contains:
- '/C whoami'
- 'cmd.exe /C echo'
- ' > \\.\pipe'
- ' > \\\\.\\pipe'
selection3:
CommandLine|contains:
- 'cmd.exe /c echo'
- '> \\.\pipe'
- '> \\\\.\\pipe'
- '\whoami.exe'
ParentImage|endswith: '\dllhost.exe'
selection4:
rules/windows/process_creation/proc_creation_win_malware_notpetya.yml
+2 -2
View File
@@ -7,7 +7,7 @@ references:
- https://securelist.com/schroedingers-petya/78870/
- https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
date: 2019/01/16
modified: 2021/12/08
modified: 2022/03/05
logsource:
category: process_creation
product: windows
@@ -15,7 +15,7 @@ detection:
select_pipe_com:
CommandLine|contains|all:
- '\AppData\Local\Temp\'
- '\\.\pipe\\'
- '\\\\.\\pipe\\'
select_rundll32_dash1:
Image|endswith: '\rundll32.exe'
CommandLine|endswith: