escape / in regex

2024-11-06 17:35:19 +00:00 · 2021-07-15 08:13:49 +02:00 · 2021-07-15 08:13:49 +02:00 · 0ef3dc2082
commit 0ef3dc2082
parent 3ff4e99d44
3 changed files with 7 additions and 6 deletions
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
@ -4,6 +4,7 @@ description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
+modified: 2021/07/15
 references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
 tags:
@ -17,7 +18,7 @@ logsource:
 detection:
    selection_1:
        EventID: 4104
-        ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c/c' # FPs with |\/r
+        ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
    selection_2:
        EventID: 4103
        Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
--- a/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml
+++ b/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml
@ -4,7 +4,7 @@ description: BITS will allow you to schedule a command to execute after a succes
 status: experimental
 author: Sreeman
 date: 2020/10/29
-modified: 2021/06/11
+modified: 2021/07/15
 tags:
    - attack.defense_evasion
 references:
@ -16,9 +16,9 @@ logsource:
    category: process_creation
 detection:
    selection_1:
-        CommandLine|re: '(?i).*bitsadmin.*/SetNotifyCmdLine.*(%COMSPEC%|cmd.exe|regsvr32.exe).*'
+        CommandLine|re: '(?i).*bitsadmin.*\/SetNotifyCmdLine.*(%COMSPEC%|cmd.exe|regsvr32.exe).*'
    selection_2:
-        CommandLine|re: '(?i).*bitsadmin.*/Addfile.*(http|https|ftp|ftps):.*'
+        CommandLine|re: '(?i).*bitsadmin.*\/Addfile.*(http|https|ftp|ftps):.*'
    condition: selection_1 or selection_2
 falsepositives:
    - None observed yet.
--- a/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml
+++ b/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml
@ -12,7 +12,7 @@ tags:
    - attack.t1053
 author: Sreeman
 date: 2020/09/29
-modified: 2021/06/11
+modified: 2021/07/15
 fields:
    - EventID
    - CommandLine
@ -37,5 +37,5 @@ logsource:
    category: process_creation
 detection:
    selection:
-        CommandLine|re: '(?i).*schtasks.*(-|/)r.*\\Application Experience\\Microsoft Compatibility Appraiser.*'
+        CommandLine|re: '(?i).*schtasks.*(-|\/)r.*\\Application Experience\\Microsoft Compatibility Appraiser.*'
    condition: selection