From f7e670d55eff9f23ba12a4afdaadb4689c141fd5 Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 11 Jan 2022 13:40:53 +0100
Subject: [PATCH] Simple Quote
---
rules/linux/builtin/lnx_shell_susp_rev_shells.yml | 4 ++--
.../macos/process_creation/macos_local_account.yml | 2 +-
rules/linux/other/lnx_susp_vsftp.yml | 2 +-
rules/linux/process_creation/lnx_local_account.yml | 2 +-
.../zeek/zeek_dce_rpc_domain_user_enumeration.yml | 4 ++--
...k_dce_rpc_printnightmare_print_driver_install.yml | 12 ++++++------
rules/proxy/proxy_cobalt_malformed_uas.yml | 6 +++---
rules/proxy/proxy_ursnif_malware_c2_url.yml | 8 ++++----
rules/web/web_exchange_cve_2020_0688_exploit.yml | 6 +++---
.../builtin/security/win_rdp_localhost_login.yml | 4 ++--
.../process_creation_mal_darkside_ransomware.yml | 8 +++-----
.../powershell_azurehound_commands.yml | 3 +--
.../powershell_script/powershell_ntfs_ads_access.yml | 7 +++----
.../win_powershell_xor_commandline.yml | 2 +-
...eys_unauthenticated_privileged_console_access.yml | 5 ++---
.../win_susp_crackmapexec_powershell_obfuscation.yml | 8 ++++----
.../win_susp_emotet_rundll32_execution.yml | 2 +-
.../win_susp_spoolsv_child_processes.yml | 4 ++--
18 files changed, 42 insertions(+), 47 deletions(-)
diff --git a/rules/linux/builtin/lnx_shell_susp_rev_shells.yml b/rules/linux/builtin/lnx_shell_susp_rev_shells.yml
index 89376d456..e8fe87ee7 100644
--- a/rules/linux/builtin/lnx_shell_susp_rev_shells.yml
+++ b/rules/linux/builtin/lnx_shell_susp_rev_shells.yml
@@ -27,10 +27,10 @@ detection:
- '/bin/sh -i <&3 >&3 2>&3'
- 'uname -a; w; id; /bin/bash -i'
- '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};'
- - ";os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');"
+ - ';os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv(''HISTFILE'',''/dev/null'');'
- '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
- ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print'
- - "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:"
+ - 'socat exec:''bash -li'',pty,stderr,setsid,sigint,sane tcp:'
- 'rm -f /tmp/p; mknod /tmp/p p &&'
- ' | /bin/bash | telnet '
- ',echo=0,raw tcp-listen:'
diff --git a/rules/linux/macos/process_creation/macos_local_account.yml b/rules/linux/macos/process_creation/macos_local_account.yml
index 799398f8c..5274f9fbc 100644
--- a/rules/linux/macos/process_creation/macos_local_account.yml
+++ b/rules/linux/macos/process_creation/macos_local_account.yml
@@ -25,7 +25,7 @@ detection:
- 'user'
selection_3:
CommandLine|contains:
- - "'x:0:'"
+ - '''x:0:'''
selection_4:
Image|endswith:
- '/cat'
diff --git a/rules/linux/other/lnx_susp_vsftp.yml b/rules/linux/other/lnx_susp_vsftp.yml
index 80b9d2c51..9109c095c 100644
--- a/rules/linux/other/lnx_susp_vsftp.yml
+++ b/rules/linux/other/lnx_susp_vsftp.yml
@@ -22,7 +22,7 @@ detection:
- 'bug: pid active in ptrace_sandbox_free'
- 'PTRACE_SETOPTIONS failure'
- 'weird status:'
- - "couldn't handle sandbox event"
+ - 'couldn''t handle sandbox event'
- 'syscall * out of bounds'
- 'syscall not permitted:'
- 'syscall validate failed:'
diff --git a/rules/linux/process_creation/lnx_local_account.yml b/rules/linux/process_creation/lnx_local_account.yml
index 881b6c683..a8e4cdaf2 100644
--- a/rules/linux/process_creation/lnx_local_account.yml
+++ b/rules/linux/process_creation/lnx_local_account.yml
@@ -16,7 +16,7 @@ detection:
- '/lastlog'
selection_2:
CommandLine|contains:
- - "'x:0:'"
+ - '''x:0:'''
selection_3:
Image|endswith:
- '/cat'
diff --git a/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml b/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
index e8b7378fd..316835f92 100644
--- a/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
+++ b/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
@@ -2,8 +2,8 @@ title: Domain User Enumeration Network Recon 01
description: Domain user and group enumeration via network reconnaissance. Seen in APT 29 and other common tactics and actors. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller. The rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29
id: 66a0bdc6-ee04-441a-9125-99d2eb547942
references:
- - "https://github.com/OTRF/detection-hackathon-apt29"
- - "https://github.com/OTRF/detection-hackathon-apt29/issues/37"
+ - https://github.com/OTRF/detection-hackathon-apt29
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/37
author: 'Nate Guagenti (@neu5ron), Open Threat Research (OTR)'
date: 2020/05/03
modified: 2021/11/14
diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
index da006cf6b..c8c0ccfad 100644
--- a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
+++ b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
@@ -25,12 +25,12 @@ logsource:
detection:
printer_operation:
operation:
- - "RpcAsyncInstallPrinterDriverFromPackage" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e
- - "RpcAsyncAddPrintProcessor" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c
- - "RpcAddPrintProcessor" # "12345678-1234-abcd-ef00-0123456789ab",0x0e
- - "RpcAddPrinterDriverEx" # "12345678-1234-abcd-ef00-0123456789ab",0x59
- - "RpcAddPrinterDriver" # "12345678-1234-abcd-ef00-0123456789ab",0x09
- - "RpcAsyncAddPrinterDriver" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27
+ - 'RpcAsyncInstallPrinterDriverFromPackage' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e
+ - 'RpcAsyncAddPrintProcessor' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c
+ - 'RpcAddPrintProcessor' # "12345678-1234-abcd-ef00-0123456789ab",0x0e
+ - 'RpcAddPrinterDriverEx' # "12345678-1234-abcd-ef00-0123456789ab",0x59
+ - 'RpcAddPrinterDriver' # "12345678-1234-abcd-ef00-0123456789ab",0x09
+ - 'RpcAsyncAddPrinterDriver' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27
condition: printer_operation
falsepositives:
- Legitimate remote alteration of a printer driver.
diff --git a/rules/proxy/proxy_cobalt_malformed_uas.yml b/rules/proxy/proxy_cobalt_malformed_uas.yml
index c40499fe3..a3b19690c 100644
--- a/rules/proxy/proxy_cobalt_malformed_uas.yml
+++ b/rules/proxy/proxy_cobalt_malformed_uas.yml
@@ -12,9 +12,9 @@ logsource:
detection:
selection1:
c-useragent:
- - "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)"
- - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )"
- - "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08"
+ - 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)'
+ - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )'
+ - 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08'
selection2:
c-useragent|endswith: '; MANM; MANM)'
condition: 1 of selection*
diff --git a/rules/proxy/proxy_ursnif_malware_c2_url.yml b/rules/proxy/proxy_ursnif_malware_c2_url.yml
index c1e0b5ca1..d9f0aa5df 100644
--- a/rules/proxy/proxy_ursnif_malware_c2_url.yml
+++ b/rules/proxy/proxy_ursnif_malware_c2_url.yml
@@ -12,12 +12,12 @@ logsource:
detection:
b64encoding:
c-uri|contains:
- - "_2f"
- - "_2b"
+ - '_2f'
+ - '_2b'
urlpatterns:
c-uri|contains|all:
- - ".avi"
- - "/images/"
+ - '.avi'
+ - '/images/'
condition: b64encoding and urlpatterns
fields:
- c-ip
diff --git a/rules/web/web_exchange_cve_2020_0688_exploit.yml b/rules/web/web_exchange_cve_2020_0688_exploit.yml
index 7e25ca23a..1c086ad22 100644
--- a/rules/web/web_exchange_cve_2020_0688_exploit.yml
+++ b/rules/web/web_exchange_cve_2020_0688_exploit.yml
@@ -12,9 +12,9 @@ logsource:
detection:
selection:
c-uri|contains|all:
- - "/ecp/default.aspx"
- - "__VIEWSTATEGENERATOR="
- - "__VIEWSTATE="
+ - '/ecp/default.aspx'
+ - '__VIEWSTATEGENERATOR='
+ - '__VIEWSTATE='
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/builtin/security/win_rdp_localhost_login.yml b/rules/windows/builtin/security/win_rdp_localhost_login.yml
index 1b18f26cc..f6ddb6e44 100644
--- a/rules/windows/builtin/security/win_rdp_localhost_login.yml
+++ b/rules/windows/builtin/security/win_rdp_localhost_login.yml
@@ -20,8 +20,8 @@ detection:
EventID: 4624
LogonType: 10
IpAddress:
- - "::1"
- - "127.0.0.1"
+ - '::1'
+ - '127.0.0.1'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/malware/process_creation_mal_darkside_ransomware.yml b/rules/windows/malware/process_creation_mal_darkside_ransomware.yml
index 52e5887a8..9f8cb2a8f 100644
--- a/rules/windows/malware/process_creation_mal_darkside_ransomware.yml
+++ b/rules/windows/malware/process_creation_mal_darkside_ransomware.yml
@@ -14,13 +14,11 @@ logsource:
detection:
selection1:
CommandLine|contains:
- - "=[char][byte]('0x'+"
+ - '=[char][byte](''0x''+'
- ' -work worker0 -path '
selection2:
- ParentCommandLine|contains:
- - 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
- Image|contains:
- - '\AppData\Local\Temp\'
+ ParentCommandLine|contains: 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
+ Image|contains: '\AppData\Local\Temp\'
condition: 1 of selection*
falsepositives:
- Unknown
diff --git a/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml b/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml
index 491e1d7c5..ba1adbeb0 100644
--- a/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml
+++ b/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml
@@ -13,8 +13,7 @@ logsource:
definition: Script Block Logging must be enable
detection:
selection:
- ScriptBlockText|contains:
- - "Invoke-AzureHound"
+ ScriptBlockText|contains: Invoke-AzureHound
condition: selection
tags:
- attack.discovery
diff --git a/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml
index 7ba724b77..fa8335566 100644
--- a/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml
+++ b/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml
@@ -22,11 +22,10 @@ logsource:
detection:
selection_content:
ScriptBlockText|contains:
- - "set-content"
- - "add-content"
+ - set-content
+ - add-content
selection_stream:
- ScriptBlockText|contains:
- - "-stream"
+ ScriptBlockText|contains: '-stream'
condition: all of selection*
falsepositives:
- unknown
diff --git a/rules/windows/process_creation/win_powershell_xor_commandline.yml b/rules/windows/process_creation/win_powershell_xor_commandline.yml
index 55ed270f2..c09ec56b0 100644
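Review bot: In the powershell_ntfs_ads_access.yml hunk (`@@ -22,11 +22,10 @@`) the new `- set-content` and `- add-content` are left as plain scalars while `'-stream'` two lines below and every other value converted by this patch get single quotes, which is a style inconsistency rather than a behavior change since both forms parse to the same strings. For a commit whose whole point is uniform quoting I would write `- 'set-content'` and `- 'add-content'` (and likewise `ScriptBlockText|contains: 'Invoke-AzureHound'` in the neighbouring powershell_azurehound_commands.yml hunk) so that a later value starting with a YAML-significant character is not left to chance.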
--- a/rules/windows/process_creation/win_powershell_xor_commandline.yml
+++ b/rules/windows/process_creation/win_powershell_xor_commandline.yml
@@ -16,7 +16,7 @@ detection:
CommandLine|contains:
- 'bxor'
- '-join '
- - "-join'"
+ - '-join'''
- '-join"'
- '-join`'
- 'char'
diff --git a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml
index 18cddb9e6..fc9cb34de 100644
--- a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml
+++ b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml
@@ -6,7 +6,7 @@ references:
- https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
status: experimental
date: 2020/02/18
-modified: 2021/06/11
+modified: 2022/01/11
author: Sreeman
tags:
- attack.t1015 # an old one
@@ -17,8 +17,7 @@ logsource:
category: process_creation
detection:
selection:
- CommandLine:
- - "copy /y C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe"
+ CommandLine: 'copy /y C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml
index 1a3cdca0b..587425522 100644
--- a/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml
+++ b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml
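Review bot: In the second hunk of win_sticky_keys_unauthenticated_privileged_console_access.yml (`@@ -17,8 +17,7 @@`) the new `CommandLine: 'copy /y C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe'` keeps the field without a modifier, which in Sigma is a full-string match on the whole process command line. Because `copy` is a cmd.exe builtin, a process_creation event for this action normally carries the interpreter invocation as well (`cmd.exe /c copy /y …` or the quoted System32 path), so as far as I can tell the exact match cannot fire and the quote change preserves a rule that does not detect what its title claims. Since the commit already touches this line and bumps `modified`, it is the natural place to switch to a substring match, `CommandLine|contains: 'copy /y C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe'`, or the broader `CommandLine|contains|all: ['copy', '\cmd.exe', '\sethc.exe']` that also catches the `/y`-less and `%windir%`-style forms. The rule's `falsepositives` and `level` sit outside this hunk and should be re-checked against whichever pattern is chosen.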
@@ -18,11 +18,11 @@ detection:
CommandLine|contains:
- 'join*split'
# Line 343ff
- - "( $ShellId[1]+$ShellId[13]+'x')"
+ - '( $ShellId[1]+$ShellId[13]+''x'')'
- '( $PSHome[*]+$PSHOME[*]+'
- - "( $env:Public[13]+$env:Public[5]+'x')"
- - "( $env:ComSpec[4,*,25]-Join'')"
- - "[1,3]+'x'-Join'')"
+ - '( $env:Public[13]+$env:Public[5]+''x'')'
+ - '( $env:ComSpec[4,*,25]-Join'''')'
+ - '[1,3]+''x''-Join'''')'
condition: powershell_execution and snippets
fields:
- ComputerName
diff --git a/rules/windows/process_creation/win_susp_emotet_rundll32_execution.yml b/rules/windows/process_creation/win_susp_emotet_rundll32_execution.yml
index f5e70dfcf..104842f68 100644
--- a/rules/windows/process_creation/win_susp_emotet_rundll32_execution.yml
+++ b/rules/windows/process_creation/win_susp_emotet_rundll32_execution.yml
@@ -26,7 +26,7 @@ detection:
CommandLine|endswith:
- '.dll,Control_RunDLL'
- '.dll",Control_RunDLL'
- - ".dll',Control_RunDLL"
+ - '.dll'',Control_RunDLL'
filter_ide:
ParentImage|endswith:
- '\tracker.exe' #When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe
diff --git a/rules/windows/process_creation/win_susp_spoolsv_child_processes.yml b/rules/windows/process_creation/win_susp_spoolsv_child_processes.yml
index 09dffbc8d..1029690e0 100644
--- a/rules/windows/process_creation/win_susp_spoolsv_child_processes.yml
+++ b/rules/windows/process_creation/win_susp_spoolsv_child_processes.yml
@@ -55,8 +55,8 @@ detection:
Image|endswith: \netsh.exe
suspicious_netsh_filter:
CommandLine|contains:
- - "add portopening"
- - "rule name"
+ - 'add portopening'
+ - 'rule name'
suspicious_powershell:
Image|endswith: \powershell.exe
suspicious_powershell_filter: