Closed: n0rthl1ght closed this issue 1 year ago
I have this rule.
<rule id="903166" level="13">
  <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml</info>
  <!--Sigma Rule Author: Timur Zinniatullin, oscd.community-->
  <!--Description: Detects Obfuscated Powershell via VAR++ LAUNCHER-->
  <!--Date: 2020/10/13-->
  <!--Status: experimental-->
  <!--ID: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6-->
  <mitre>
    <id>attack.defense_evasion</id>
    <id>attack.t1027</id>
    <id>attack.execution</id>
    <id>attack.t1059.001</id>
  </mitre>
  <description>Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION</description>
  <options>no_full_log</options>
  <group>windows,ps_module,</group>
  <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
  <field name="win.eventdata.payload" negate="no" type="pcre2">(?i)\(\?i\)\..+\&\&set\..+\(\\\{\\d\\\}\)\{2,\}\\\\\\"\\s\+\?\\\-f\..+\&\&\..+cmd\..+\\/c</field>
</rule>
After testing I get:
I think the error when validating the XML is connected with it.
On https://regexr.com/ I found this one. I pasted the code and got an error.
This should be fixed. The problem was the Sigma regex logic being escaped instead of left alone.
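As an added illustration (not code from the issue, from Wazuh or from SigmaHQ), the following Python uses the `re` module as a stand-in for Wazuh's PCRE2 engine to show what that extra layer of escaping does to the pattern posted above: the over-escaped rule can only match text that looks like the regex source itself, while stripping one escaping layer gives a pattern that matches a payload of the shape the rule describes. The `unescape_once` helper and the `SAMPLE` payload are constructed for this example, and the unescaped pattern is only what that one-step reversal yields, not a verified copy of the upstream Sigma regex.

```python
import re

# Pattern copied verbatim from the <field type="pcre2"> element of the rule above.
POSTED = r'(?i)\(\?i\)\..+\&\&set\..+\(\\\{\\d\\\}\)\{2,\}\\\\\\"\\s\+\?\\\-f\..+\&\&\..+cmd\..+\\/c'

# Constructed sample payload in the general shape the rule describes
# (format placeholders, an escaped quote, "-f", "&&" and "cmd /c").
# It is test data for this example, not the output of any tool.
SAMPLE = r'echo x&&set var=({0}{1}{2}\"  -f abc&&  cmd  /c %var%'


def unescape_once(pattern: str) -> str:
    r"""Strip one layer of backslash escaping from a regex string.

    A backslash followed by a non-alphanumeric character becomes that bare
    character (so \\ -> \, \( -> (, \. -> .), while \d and \s survive.
    A doubled leading (?i), left by a converter prepending its own flag in
    front of an already-flagged pattern, is collapsed to a single one.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == '\\' and i + 1 < len(pattern) and not pattern[i + 1].isalnum():
            out.append(pattern[i + 1])
            i += 2
        else:
            out.append(c)
            i += 1
    return re.sub(r'^(\(\?i\))+', '(?i)', ''.join(out))


def matches(pattern: str, payload: str) -> bool:
    """True if the pattern finds a hit anywhere in the payload."""
    return re.search(pattern, payload) is not None


if __name__ == '__main__':
    fixed = unescape_once(POSTED)
    print('one escaping layer removed:        ', fixed)
    print('posted rule hits sample payload:   ', matches(POSTED, SAMPLE))
    print('unescaped rule hits sample payload:', matches(fixed, SAMPLE))
    # The posted pattern demands literal "(?i)", literal dots and literal
    # backslashes, so the only thing it matches is regex-looking text:
    print('posted rule hits regex source text:', matches(POSTED, fixed))
```
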