Clean useless `.*` in regex

frack113 commented 2 months ago

Summary of the Pull Request

Remove useless .* in the regex
Revert back certain CLI rules to use regex for better accuracy

Changelog

update: Invoke-Obfuscation CLIP+ Launcher - PowerShell Module - Remove unnecessary starting wildcard update: Invoke-Obfuscation STDIN+ Launcher - PowerShell Module - Remove unnecessary starting wildcard update: Invoke-Obfuscation VAR+ Launcher - PowerShell Module - Remove unnecessary starting wildcard update: Invoke-Obfuscation Via Stdin - PowerShell Module - Remove unnecessary starting wildcard update: Invoke-Obfuscation Via Use Clip - PowerShell Module - Remove unnecessary starting wildcard update: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module - Remove unnecessary starting wildcard update: Invoke-Obfuscation CLIP+ Launcher - PowerShell - Remove unnecessary starting wildcard update: Invoke-Obfuscation STDIN+ Launcher - Powershell - Remove unnecessary starting wildcard update: Invoke-Obfuscation VAR+ Launcher - PowerShell - Remove unnecessary starting wildcard update: Invoke-Obfuscation Via Stdin - Powershell - Remove unnecessary starting wildcard update: Invoke-Obfuscation Via Use Clip - Powershell - Remove unnecessary starting wildcard update: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell - Remove unnecessary starting wildcard update: Invoke-Obfuscation STDIN+ Launcher - Update rule to use regex for better accuracy in CLI update: Invoke-Obfuscation VAR+ Launcher - Update rule to use regex for better accuracy in CLI update: Invoke-Obfuscation Via Stdin - Update rule to use regex for better accuracy in CLI update: Invoke-Obfuscation Via Use Clip - Update rule to use regex for better accuracy in CLI

Example Log Event

N/A

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

If your PR adds new rules, please consider following and applying these conventions

nasbench commented 2 months ago

Reverted back the deleted comments @frack113 as they were there in case we wanted to revert back to regex.
I reverted some CLI rules to use regex as its much more accurate and i don't see why we don't keep them as regex anymore. Changing them to contains is basically "regex" for a lot of EDR/SIEMs

@phantinuss can you double check before i merge.

phantinuss commented 2 months ago

Plus of the regex is that the order or arguments is relevant, wheres with contains it's not. Can be upside or downside depending on the specific case.

SigmaHQ / sigma