From 7b1d23621c6adc16d615693f473c7babbc114388 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Fri, 2 Dec 2022 20:17:39 +0900 Subject: [PATCH 1/3] refactor: remove unnesessary escape. --- .../powershell_module/posh_pm_invoke_obfuscation_clip.yml | 2 +- .../powershell_module/posh_pm_invoke_obfuscation_stdin.yml | 2 +- .../powershell_module/posh_pm_invoke_obfuscation_via_var.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_clip.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_var.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml index 53ca1e6a4c4..934b65cf75e 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml @@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' + Payload|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"' condition: selection_4103 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml index c2fcb76a1bd..d66aac66090 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml @@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' + Payload|re: '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"' condition: selection_4103 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml index 834abcae109..84cd69bd0ca 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml @@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c' # FPs with |\/r condition: selection_4103 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml index fdc6069f916..8370a7eb795 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml @@ -18,7 +18,7 @@ logsource: definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' + ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"' condition: selection_4104 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml index ac368db0c1d..2a0cef3d2d1 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml @@ -18,7 +18,7 @@ logsource: definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*"' condition: selection_4104 falsepositives: - Unknown From a05742b4207f69277682cfdaa570d38fe44775a7 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Fri, 2 Dec 2022 21:26:45 +0900 Subject: [PATCH 2/3] refactor: remove unnesessary escape. --- .../powershell_module/posh_pm_invoke_obfuscation_clip.yml | 2 +- .../powershell_module/posh_pm_invoke_obfuscation_var.yml | 2 +- .../powershell_module/posh_pm_invoke_obfuscation_via_var.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_clip.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_var.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_via_var.yml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml index 934b65cf75e..fc66daaec18 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml @@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"' + Payload|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"' condition: selection_4103 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml index cd0de12279b..93f2d66d187 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml @@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + Payload|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"' condition: selection_4103 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml index 84cd69bd0ca..feb1b5446c1 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml @@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c' # FPs with |\/r + Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r condition: selection_4103 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml index 8370a7eb795..8bca2eca579 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml @@ -18,7 +18,7 @@ logsource: definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"' + ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"' condition: selection_4104 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml index 2a0cef3d2d1..8b7dbcfc308 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml @@ -18,7 +18,7 @@ logsource: definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*"' + ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"' condition: selection_4104 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml index 8b94e1e348a..00d3ebee5bd 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml @@ -18,7 +18,7 @@ logsource: definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r condition: selection_4104 falsepositives: - Unknown From ead6831b2582641af693aacc3e027508471b3c53 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Fri, 2 Dec 2022 21:57:37 +0900 Subject: [PATCH 3/3] update modified date. --- .../powershell_module/posh_pm_invoke_obfuscation_clip.yml | 2 +- .../powershell_module/posh_pm_invoke_obfuscation_stdin.yml | 2 +- .../powershell_module/posh_pm_invoke_obfuscation_var.yml | 2 +- .../powershell_module/posh_pm_invoke_obfuscation_via_var.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_clip.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_var.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_via_var.yml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml index fc66daaec18..94e7993f482 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) author: Jonathan Cheong, oscd.community date: 2020/10/13 -modified: 2022/11/27 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml index d66aac66090..a121dcb1a18 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2022/11/29 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml index 93f2d66d187..15597a1fd6e 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2022/11/29 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml index feb1b5446c1..fe9edfa527e 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) author: Timur Zinniatullin, oscd.community date: 2020/10/13 -modified: 2022/11/29 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml index 8bca2eca579..91814308c20 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) author: Jonathan Cheong, oscd.community date: 2020/10/13 -modified: 2022/11/27 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml index 8b7dbcfc308..95f709d0bb6 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2022/11/29 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml index 00d3ebee5bd..0a2966fbf04 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) author: Timur Zinniatullin, oscd.community date: 2020/10/13 -modified: 2022/11/29 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027