security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: FP with chocolatey

Browse Source
This commit is contained in:
phantinuss
2023-02-21 16:38:05 +01:00
parent 3085a4025a
commit ecc41ad20b
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
+4 -2
View File
@@ -9,7 +9,7 @@ references:
- https://github.com/danielbohannon/Invoke-Obfuscation
author: frack113
date: 2022/12/27
modified: 2023/01/24
modified: 2023/02/21
tags:
- attack.defense_evasion
- attack.t1027.009
@@ -29,7 +29,9 @@ detection:
- ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f' # trigger on at least two placeholders. One might be used for legitimate string formatting
- ScriptBlockText|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}'
filter:
ScriptBlockText|contains: 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey
ScriptBlockText|contains:
- 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey
- 'The function also prevents `Get-ItemProperty` from failing' # https://docs.chocolatey.org/en-us/create/functions/get-uninstallregistrykey
condition: selection and not filter
falsepositives:
- Unknown