
Rules Update
wagga40 committed Aug 11, 2024
1 parent bf72310 commit d3030d3
Showing 10 changed files with 20 additions and 20 deletions.
6 changes: 3 additions & 3 deletions pdm.lock


4 changes: 2 additions & 2 deletions rules_windows_generic.json
Expand Up @@ -12294,7 +12294,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))"
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '(?i)\\$\\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\\}'))"
],
"filename": "proc_creation_win_powershell_token_obfuscation.yml"
},
Expand Down Expand Up @@ -24487,7 +24487,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))"
"SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '(?i)\\$\\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))"
],
"filename": "posh_ps_token_obfuscation.yml"
},
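Review bot: The replacement regex on the new-side line of the first hunk puts a lazy quantifier on a zero-width lookahead, ``(?=.*`)+?``; repeating an assertion never changes what it matches, and some regex engines reject a quantified lookaround outright, so the rule may fail to compile if the REGEXP implementation behind these files is ever swapped. The lookahead also runs to the end of the field, so the required backtick can sit anywhere after the `${` rather than inside the variable reference, which makes an unobfuscated `${env:path}` followed by any later backtick a hit; a bounded form such as ``(?=[^}]*`)`` ties it to the braces. The same pattern is repeated in the second hunk of this file and in the corresponding hunks of rules_windows_generic_full.json, rules_windows_generic_high.json, rules_windows_generic_medium.json, rules_windows_sysmon.json, rules_windows_sysmon_full.json and rules_windows_sysmon_high.json. These JSON entries appear to be regenerated from the Sigma rules named in their `filename` fields, so the correction probably belongs in proc_creation_win_powershell_token_obfuscation.yml and posh_ps_token_obfuscation.yml upstream rather than in a hand edit here.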
4 changes: 2 additions & 2 deletions rules_windows_generic_full.json
Expand Up @@ -20527,7 +20527,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))"
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '(?i)\\$\\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\\}'))"
],
"filename": "proc_creation_win_powershell_token_obfuscation.yml"
},
Expand Down Expand Up @@ -44835,7 +44835,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))"
"SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '(?i)\\$\\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))"
],
"filename": "posh_ps_token_obfuscation.yml"
},
4 changes: 2 additions & 2 deletions rules_windows_generic_high.json
Expand Up @@ -12294,7 +12294,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))"
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '(?i)\\$\\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\\}'))"
],
"filename": "proc_creation_win_powershell_token_obfuscation.yml"
},
Expand Down Expand Up @@ -24487,7 +24487,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))"
"SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '(?i)\\$\\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))"
],
"filename": "posh_ps_token_obfuscation.yml"
},
4 changes: 2 additions & 2 deletions rules_windows_generic_medium.json
Expand Up @@ -19071,7 +19071,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))"
"SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '(?i)\\$\\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\\}'))"
],
"filename": "proc_creation_win_powershell_token_obfuscation.yml"
},
Expand Down Expand Up @@ -41622,7 +41622,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))"
"SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '(?i)\\$\\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))"
],
"filename": "posh_ps_token_obfuscation.yml"
},
4 changes: 2 additions & 2 deletions rules_windows_sysmon.json
Expand Up @@ -12294,7 +12294,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))"
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '(?i)\\$\\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\\}'))"
],
"filename": "proc_creation_win_powershell_token_obfuscation.yml"
},
Expand Down Expand Up @@ -24487,7 +24487,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))"
"SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '(?i)\\$\\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))"
],
"filename": "posh_ps_token_obfuscation.yml"
},
4 changes: 2 additions & 2 deletions rules_windows_sysmon_full.json
Expand Up @@ -20527,7 +20527,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))"
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '(?i)\\$\\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\\}'))"
],
"filename": "proc_creation_win_powershell_token_obfuscation.yml"
},
Expand Down Expand Up @@ -44835,7 +44835,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))"
"SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '(?i)\\$\\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))"
],
"filename": "posh_ps_token_obfuscation.yml"
},
4 changes: 2 additions & 2 deletions rules_windows_sysmon_high.json
Expand Up @@ -12294,7 +12294,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))"
"SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '(?i)\\$\\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\\}'))"
],
"filename": "proc_creation_win_powershell_token_obfuscation.yml"
},
Expand Down Expand Up @@ -24487,7 +24487,7 @@
],
"level": "high",
"rule": [
"SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))"
"SELECT * FROM logs WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '(?i)\\$\\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))"
],
"filename": "posh_ps_token_obfuscation.yml"
},

0 comments on commit d3030d3
