From a224fc32a36d4172f802b089043da0c25ea3a209 Mon Sep 17 00:00:00 2001
From: David Sarkisyan <281478990+srkyn@users.noreply.github.com>
Date: Thu, 4 Jun 2026 09:28:49 -0400
Subject: [PATCH] Fix broken regex alternation in detections

---
 ...copilot_impersonation_jailbreak_attack.yml | 14 +-
 .../endpoint/linux_proxy_socks_curl.yml | 7 +-
 .../endpoint/powershell_4104_hunting.yml | 176 +-----------------
 ...connect_to_internet_with_hidden_window.yml | 10 +-
 ...2_silent_and_install_param_dll_loading.yml | 7 +-
 ...svr32_with_known_silent_switch_cmdline.yml | 7 +-
 6 files changed, 24 insertions(+), 197 deletions(-)

diff --git a/detections/application/m365_copilot_impersonation_jailbreak_attack.yml b/detections/application/m365_copilot_impersonation_jailbreak_attack.yml
index c18d6af649..cba621255a 100644
--- a/detections/application/m365_copilot_impersonation_jailbreak_attack.yml
+++ b/detections/application/m365_copilot_impersonation_jailbreak_attack.yml
@@ -1,8 +1,8 @@
 name: M365 Copilot Impersonation Jailbreak Attack
 id: cc26aba8-7f4a-4078-b91a-052d6a53cb13
-version: 5
+version: 6
 creation_date: '2025-10-13'
-modification_date: '2026-05-13'
+modification_date: '2026-06-04'
 author: Rod Soto
 status: experimental
 type: TTP
@@ -13,15 +13,7 @@ search: |-
 `m365_exported_ediscovery_prompt_logs`
 | search Subject_Title="*Pretend you are*" OR Subject_Title="*act as*" OR Subject_Title="*you are now*" OR Subject_Title="*amoral*" OR Subject_Title="*being*" OR Subject_Title="*roleplay as*" OR Subject_Title="*imagine you are*" OR Subject_Title="*behave like*"
 | eval user = Sender
- | eval impersonation_type=case(match(Subject_Title, "(?i)pretend you are.*AI"), "AI_Impersonation", match(Subject_Title, "(?i)(act as
- | roleplay as).*AI"), "AI_Roleplay", match(Subject_Title, "(?i)amoral.*AI"), "Amoral_AI", match(Subject_Title, "(?i)transcendent being"), "Fictional_Entity", match(Subject_Title, "(?i)(act as
- | pretend you are).*(entities
- | multiple)"), "Multi_Entity", match(Subject_Title, "(?i)(imagine you are
- | behave like).*AI"), "AI_Behavioral_Change", match(Subject_Title, "(?i)you are now.*AI"), "AI_Identity_Override", match(Subject_Title, "(?i)(evil
- | malicious
- | harmful).*AI"), "Malicious_AI_Persona", match(Subject_Title, "(?i)(unrestricted
- | unlimited
- | uncensored).*AI"), "Unrestricted_AI_Persona", 1=1, "Generic_Roleplay")
+ | eval impersonation_type=case(match(Subject_Title, "(?i)pretend you are.*AI"), "AI_Impersonation", match(Subject_Title, "(?i)(act as|roleplay as).*AI"), "AI_Roleplay", match(Subject_Title, "(?i)amoral.*AI"), "Amoral_AI", match(Subject_Title, "(?i)transcendent being"), "Fictional_Entity", match(Subject_Title, "(?i)(act as|pretend you are).*(entities|multiple)"), "Multi_Entity", match(Subject_Title, "(?i)(imagine you are|behave like).*AI"), "AI_Behavioral_Change", match(Subject_Title, "(?i)you are now.*AI"), "AI_Identity_Override", match(Subject_Title, "(?i)(evil|malicious|harmful).*AI"), "Malicious_AI_Persona", match(Subject_Title, "(?i)(unrestricted|unlimited|uncensored).*AI"), "Unrestricted_AI_Persona", 1=1, "Generic_Roleplay")
 | table _time, user, Subject_Title, impersonation_type, Workload
 | sort -_time
 | `m365_copilot_impersonation_jailbreak_attack_filter`
diff --git a/detections/endpoint/linux_proxy_socks_curl.yml b/detections/endpoint/linux_proxy_socks_curl.yml
index d696c06bd8..b3588ef8b5 100644
--- a/detections/endpoint/linux_proxy_socks_curl.yml
+++ b/detections/endpoint/linux_proxy_socks_curl.yml
@@ -1,8 +1,8 @@
 name: Linux Proxy Socks Curl
 id: bd596c22-ad1e-44fc-b242-817253ce8b08
-version: 13
+version: 14
 creation_date: '2022-07-29'
-modification_date: '2026-05-13'
+modification_date: '2026-06-04'
 author: Michael Haag, Splunk, 0xC0FFEEEE, Github Community
 status: production
 type: TTP
@@ -22,8 +22,7 @@ search: |-
 | `drop_dm_object_name(Processes)`
 | `security_content_ctime(firstTime)`
 | `security_content_ctime(lastTime)`
- | where match(process, "-x\s") OR match(process, "(?i)socks\d\w?:\/\/
- | --(pre)?proxy")
+ | where match(process, "-x\s") OR match(process, "(?i)(socks\d\w?:\/\/|--(pre)?proxy)")
 | `linux_proxy_socks_curl_filter`
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: False positives may be present based on proxy usage internally. Filter as needed.
diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml
index 9c45449160..83eeffd851 100644
--- a/detections/endpoint/powershell_4104_hunting.yml
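Review bot: In the new `eval impersonation_type` line the trailing `AI` token in patterns such as `(?i)pretend you are.*AI` is itself case-insensitive, so it also matches any later `ai` substring (`again`, `said`, `email`) and a title like "pretend you are my friend again" is labelled `AI_Impersonation` instead of falling through to `Generic_Roleplay`. Since Splunk `match()` is PCRE, writing the token as `\bAI\b` (or scoping it with `(?-i:AI)`) keeps the alternation fix while restoring the intended meaning; the same applies to the `AI_Roleplay`, `Amoral_AI`, `AI_Behavioral_Change`, `AI_Identity_Override`, `Malicious_AI_Persona` and `Unrestricted_AI_Persona` branches. Note also that `case()` returns on the first true branch, so the `Multi_Entity` pattern `(act as|pretend you are).*(entities|multiple)` is only reachable for titles that do not already satisfy the earlier `pretend you are.*AI` or `(act as|roleplay as).*AI` patterns.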
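Review bot: `match(process, "-x\s")` on the new `where` line only fires when whitespace follows the flag, but curl also accepts the value attached to the short option (`-xhost:3128`), so a proxy passed that way is caught only when it carries a socks scheme; `match(process, "\s-x\s*\S")` would cover both forms while still leaving the upper-case `-X` request-method flag unmatched, assuming the part of the search above the hunk already restricts `process` to curl. The `--(pre)?proxy` alternative is unanchored and so also matches `--proxy-user`, `--proxy-header` and similar options, which seems acceptable for this rule but could be stated in `known_false_positives`.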
+++ b/detections/endpoint/powershell_4104_hunting.yml
@@ -1,8 +1,8 @@
 name: PowerShell 4104 Hunting
 id: d6f2b006-0041-11ec-8885-acde48001122
-version: 25
+version: 26
 creation_date: '2021-08-19'
-modification_date: '2026-05-13'
+modification_date: '2026-06-04'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -12,180 +12,22 @@ data_source:
 search: |-
 `powershell` EventCode=4104
 | eval DoIt = if(match(ScriptBlockText,"(?i)(\$doit)"), "4", 0)
- | eval enccom=if(match(ScriptBlockText,"[A-Za-z0-9+\/]{44,}([A-Za-z0-9+\/]{4}
- | [A-Za-z0-9+\/]{3}=
- | [A-Za-z0-9+\/]{2}==)") OR match(ScriptBlockText, "(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\s+[^-]"),4,0)
- | eval suspcmdlet=if(match(ScriptBlockText, "(?i)Add-Exfiltration
- | Add-Persistence
- | Add-RegBackdoor
- | Add-ScrnSaveBackdoor
- | Check-VM
- | Do-Exfiltration
- | Enabled-DuplicateToken
- | Exploit-Jboss
- | Find-Fruit
- | Find-GPOLocation
- | Find-TrustedDocuments
- | Get-ApplicationHost
- | Get-ChromeDump
- | Get-ClipboardContents
- | Get-FoxDump
- | Get-GPPPassword
- | Get-IndexedItem
- | Get-Keystrokes
- | LSASecret
- | Get-PassHash
- | Get-RegAlwaysInstallElevated
- | Get-RegAutoLogon
- | Get-RickAstley
- | Get-Screenshot
- | Get-SecurityPackages
- | Get-ServiceFilePermission
- | Get-ServicePermission
- | Get-ServiceUnquoted
- | Get-SiteListPassword
- | Get-System
- | Get-TimedScreenshot
- | Get-UnattendedInstallFile
- | Get-Unconstrained
- | Get-VaultCredential
- | Get-VulnAutoRun
- | Get-VulnSchTask
- | Gupt-Backdoor
- | HTTP-Login
- | Install-SSP
- | Install-ServiceBinary
- | Invoke-ACLScanner
- | Invoke-ADSBackdoor
- | Invoke-ARPScan
- | Invoke-AllChecks
- | Invoke-BackdoorLNK
- | Invoke-BypassUAC
- | Invoke-CredentialInjection
- | Invoke-DCSync
- | Invoke-DllInjection
- | Invoke-DowngradeAccount
- | Invoke-EgressCheck
- | Invoke-Inveigh
- | Invoke-InveighRelay
- | Invoke-Mimikittenz
- | Invoke-NetRipper
- | Invoke-NinjaCopy
- | Invoke-PSInject
- | Invoke-Paranoia
- | Invoke-PortScan
- | Invoke-PoshRat
- | Invoke-PostExfil
- | Invoke-PowerDump
- | Invoke-PowerShellTCP
- | Invoke-PsExec
- | Invoke-PsUaCme
- | Invoke-ReflectivePEInjection
- | Invoke-ReverseDNSLookup
- | Invoke-RunAs
- | Invoke-SMBScanner
- | Invoke-SSHCommand
- | Invoke-Service
- | Invoke-Shellcode
- | Invoke-Tater
- | Invoke-ThunderStruck
- | Invoke-Token
- | Invoke-UserHunter
- | Invoke-VoiceTroll
- | Invoke-WScriptBypassUAC
- | Invoke-WinEnum
- | MailRaider
- | New-HoneyHash
- | Out-Minidump
- | Port-Scan
- | PowerBreach
- | PowerUp
- | PowerView
- | Remove-Update
- | Set-MacAttribute
- | Set-Wallpaper
- | Show-TargetScreen
- | Start-CaptureServer
- | VolumeShadowCopyTools
- | NEEEEWWW
- | (Computer
- | User)Property
- | CachedRDPConnection
- | get-net\S+
- | invoke-\S+hunter
- | Install-Service
- | get-\S+(credent
- | password)
- | remoteps
- | Kerberos.*(policy
- | ticket)
- | netfirewall
- | Uninstall-Windows
- | Verb\s+Runas
- | AmsiBypass
- | nishang
- | Invoke-Interceptor
- | EXEonRemote
- | NetworkRelay
- | PowerShelludp
- | PowerShellIcmp
- | CreateShortcut
- | copy-vss
- | invoke-dll
- | invoke-mass
- | out-shortcut
- | Invoke-ShellCommand"),1,0)
+ | eval enccom=if(match(ScriptBlockText,"[A-Za-z0-9+\/]{44,}([A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}==)") OR match(ScriptBlockText, "(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\s+[^-]"),4,0)
+ | eval suspcmdlet=if(match(ScriptBlockText, "(?i)Add-Exfiltration|Add-Persistence|Add-RegBackdoor|Add-ScrnSaveBackdoor|Check-VM|Do-Exfiltration|Enabled-DuplicateToken|Exploit-Jboss|Find-Fruit|Find-GPOLocation|Find-TrustedDocuments|Get-ApplicationHost|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-GPPPassword|Get-IndexedItem|Get-Keystrokes|LSASecret|Get-PassHash|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-RickAstley|Get-Screenshot|Get-SecurityPackages|Get-ServiceFilePermission|Get-ServicePermission|Get-ServiceUnquoted|Get-SiteListPassword|Get-System|Get-TimedScreenshot|Get-UnattendedInstallFile|Get-Unconstrained|Get-VaultCredential|Get-VulnAutoRun|Get-VulnSchTask|Gupt-Backdoor|HTTP-Login|Install-SSP|Install-ServiceBinary|Invoke-ACLScanner|Invoke-ADSBackdoor|Invoke-ARPScan|Invoke-AllChecks|Invoke-BackdoorLNK|Invoke-BypassUAC|Invoke-CredentialInjection|Invoke-DCSync|Invoke-DllInjection|Invoke-DowngradeAccount|Invoke-EgressCheck|Invoke-Inveigh|Invoke-InveighRelay|Invoke-Mimikittenz|Invoke-NetRipper|Invoke-NinjaCopy|Invoke-PSInject|Invoke-Paranoia|Invoke-PortScan|Invoke-PoshRat|Invoke-PostExfil|Invoke-PowerDump|Invoke-PowerShellTCP|Invoke-PsExec|Invoke-PsUaCme|Invoke-ReflectivePEInjection|Invoke-ReverseDNSLookup|Invoke-RunAs|Invoke-SMBScanner|Invoke-SSHCommand|Invoke-Service|Invoke-Shellcode|Invoke-Tater|Invoke-ThunderStruck|Invoke-Token|Invoke-UserHunter|Invoke-VoiceTroll|Invoke-WScriptBypassUAC|Invoke-WinEnum|MailRaider|New-HoneyHash|Out-Minidump|Port-Scan|PowerBreach|PowerUp|PowerView|Remove-Update|Set-MacAttribute|Set-Wallpaper|Show-TargetScreen|Start-CaptureServer|VolumeShadowCopyTools|NEEEEWWW|(Computer|User)Property|CachedRDPConnection|get-net\S+|invoke-\S+hunter|Install-Service|get-\S+(credent|password)|remoteps|Kerberos.*(policy|ticket)|netfirewall|Uninstall-Windows|Verb\s+Runas|AmsiBypass|nishang|Invoke-Interceptor|EXEonRemote|NetworkRelay|PowerShelludp|PowerShellIcmp|CreateShortcut|copy-vss|invoke-dll|invoke-mass|out-shortcut|Invoke-ShellCommand"),1,0)
 | eval base64 = if(match(lower(ScriptBlockText),"frombase64"), "4", 0)
 | eval empire=if(match(lower(ScriptBlockText),"system.net.webclient") AND match(lower(ScriptBlockText), "frombase64string") ,5,0)
 | eval mimikatz=if(match(lower(ScriptBlockText),"mimikatz") OR match(lower(ScriptBlockText), "-dumpcr") OR match(lower(ScriptBlockText), "SEKURLSA::Pth") OR match(lower(ScriptBlockText), "kerberos::ptt") OR match(lower(ScriptBlockText), "kerberos::golden") ,5,0)
- | eval iex=if(match(ScriptBlockText, "(?i)iex
- | invoke-expression"),2,0)
- | eval webclient=if(match(lower(ScriptBlockText),"http") OR match(lower(ScriptBlockText),"web(client
- | request)") OR match(lower(ScriptBlockText),"socket") OR match(lower(ScriptBlockText),"download(file
- | string)") OR match(lower(ScriptBlockText),"bitstransfer") OR match(lower(ScriptBlockText),"internetexplorer.application") OR match(lower(ScriptBlockText),"xmlhttp"),5,0)
+ | eval iex=if(match(ScriptBlockText, "(?i)iex|invoke-expression"),2,0)
+ | eval webclient=if(match(lower(ScriptBlockText),"http") OR match(lower(ScriptBlockText),"web(client|request)") OR match(lower(ScriptBlockText),"socket") OR match(lower(ScriptBlockText),"download(file|string)") OR match(lower(ScriptBlockText),"bitstransfer") OR match(lower(ScriptBlockText),"internetexplorer.application") OR match(lower(ScriptBlockText),"xmlhttp"),5,0)
 | eval get = if(match(lower(ScriptBlockText),"get-"), "1", 0)
 | eval rundll32 = if(match(lower(ScriptBlockText),"rundll32"), "4", 0)
- | eval suspkeywrd=if(match(ScriptBlockText, "(?i)(bitstransfer
- | mimik
- | metasp
- | AssemblyBuilderAccess
- | Reflection\.Assembly
- | shellcode
- | injection
- | cnvert
- | shell\.application
- | start-process
- | Rc4ByteStream
- | System\.Security\.Cryptography
- | lsass\.exe
- | localadmin
- | LastLoggedOn
- | hijack
- | BackupPrivilege
- | ngrok
- | comsvcs
- | backdoor
- | brute.?force
- | Port.?Scan
- | Exfiltration
- | exploit
- | DisableRealtimeMonitoring
- | beacon)"),1,0)
+ | eval suspkeywrd=if(match(ScriptBlockText, "(?i)(bitstransfer|mimik|metasp|AssemblyBuilderAccess|Reflection\.Assembly|shellcode|injection|cnvert|shell\.application|start-process|Rc4ByteStream|System\.Security\.Cryptography|lsass\.exe|localadmin|LastLoggedOn|hijack|BackupPrivilege|ngrok|comsvcs|backdoor|brute.?force|Port.?Scan|Exfiltration|exploit|DisableRealtimeMonitoring|beacon)"),1,0)
 | eval syswow64 = if(match(lower(ScriptBlockText),"syswow64"), "3", 0)
 | eval httplocal = if(match(lower(ScriptBlockText),"http://127.0.0.1"), "4", 0)
 | eval reflection = if(match(lower(ScriptBlockText),"reflection"), "1", 0)
- | eval invokewmi=if(match(lower(ScriptBlockText), "(?i)(wmiobject
- | WMIMethod
- | RemoteWMI
- | PowerShellWmi
- | wmicommand)"),5,0)
+ | eval invokewmi=if(match(lower(ScriptBlockText), "(?i)(wmiobject|WMIMethod|RemoteWMI|PowerShellWmi|wmicommand)"),5,0)
 | eval downgrade=if(match(ScriptBlockText, "(?i)([-]ve*r*s*i*o*n*\s+2)") OR match(lower(ScriptBlockText),"powershell -version"),3,0)
- | eval compressed=if(match(ScriptBlockText, "(?i)GZipStream
- | ::Decompress
- | IO.Compression
- | write-zip
- | (expand
- | compress)-Archive"),5,0)
+ | eval compressed=if(match(ScriptBlockText, "(?i)GZipStream|::Decompress|IO.Compression|write-zip|(expand|compress)-Archive"),5,0)
 | eval invokecmd = if(match(lower(ScriptBlockText),"invoke-command"), "4", 0)
 | addtotals fieldname=Score DoIt, enccom, suspcmdlet, suspkeywrd, compressed, downgrade, mimikatz, iex, empire, rundll32, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get
 | stats values(Score)
diff --git a/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml b/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml
index a18f6adf36..3cb94a9595 100644
--- a/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml
+++ b/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml
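Review bot: The new `iex` eval matches `(?i)iex|invoke-expression` anywhere in the script block, so any text containing `iexplore` (or another word with that substring) collects the two points; `(?i)\biex\b|invoke-expression` keeps the alias match without those hits. `IO.Compression` in the new `compressed` pattern has an unescaped dot; `IO\.Compression` states what is meant, although the looser form is harmless here. Separately, the unchanged `mimikatz` context line compares `lower(ScriptBlockText)` against `"SEKURLSA::Pth"`, which contains upper-case letters and carries no `(?i)`, so that branch appears unreachable and is worth a follow-up while this scoring block is being touched. The search block continues after `| stats values(Score)`, outside the hunk.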
@@ -1,8 +1,8 @@
 name: PowerShell - Connect To Internet With Hidden Window
 id: ee18ed37-0802-4268-9435-b3b91aaa18db
-version: 16
+version: 17
 creation_date: '2020-04-29'
-modification_date: '2026-05-13'
+modification_date: '2026-06-04'
 author: David Dorsey, Michael Haag Splunk
 status: production
 type: Hunting
@@ -24,11 +24,7 @@ search: |-
 | `drop_dm_object_name(Processes)`
 | `security_content_ctime(firstTime)`
 | `security_content_ctime(lastTime)`
- | where match(process,"(?i)[\-
- | \/
- | –
- | —
- | ―]w(in*d*o*w*s*t*y*l*e*)*\s+[^-]")
+ | where match(process,"(?i)[\-\/–—―]w(in*d*o*w*s*t*y*l*e*)*\s+[^-]")
 | `powershell___connect_to_internet_with_hidden_window_filter`
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: Legitimate process can have this combination of command-line options, but it's not common.
diff --git a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
index 2fe2b55d19..e64cd79859 100644
--- a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
+++ b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
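Review bot: The rewritten `where` clause ends in `\s+[^-]`, so any `-WindowStyle`/`-w` value is accepted, including `Normal`, which is broader than the "Hidden Window" title suggests. If that is deliberate — for example so that the numeric form `-w 1`, which as far as I recall PowerShell also accepts for the hidden style, is not missed — it would help to say so in `known_false_positives`, e.g. `The window-style value is intentionally unconstrained, so -WindowStyle Normal also matches; tune on the value if needed.`. Otherwise a value-specific tail such as `\s+h` in place of `\s+[^-]` narrows the rule to its stated intent, unless the part of the search above the hunk already requires `hidden`.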
@@ -1,8 +1,8 @@
 name: Regsvr32 Silent and Install Param Dll Loading
 id: f421c250-24e7-11ec-bc43-acde48001122
-version: 14
+version: 15
 creation_date: '2021-10-04'
-modification_date: '2026-05-13'
+modification_date: '2026-06-04'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -26,8 +26,7 @@ search: |-
 | `drop_dm_object_name(Processes)`
 | `security_content_ctime(firstTime)`
 | `security_content_ctime(lastTime)`
- | where match(process,"(?i)[\-
- | \/][Ss]{1}")
+ | where match(process,"(?i)[\-\/][Ss]{1}")
 | `regsvr32_silent_and_install_param_dll_loading_filter`
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: |
diff --git a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml
index 6e093f9729..b6417b7101 100644
--- a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml
+++ b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml
@@ -1,8 +1,8 @@
 name: Regsvr32 with Known Silent Switch Cmdline
 id: c9ef7dc4-eeaf-11eb-b2b6-acde48001122
-version: 14
+version: 15
 creation_date: '2021-07-29'
-modification_date: '2026-05-13'
+modification_date: '2026-06-04'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
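Review bot: The new `where` clause `(?i)[\-\/][Ss]{1}` is unanchored, so any `-s` or `/s` pair anywhere in the command line matches — inside a URL path passed to `/i:`, a file name such as `-setup.dll`, or a longer switch starting with `s` — and under `(?i)` both the `[Ss]` class and the `{1}` quantifier are no-ops. Requiring the switch to stand on its own, e.g. `match(process,"(?i)(^|\s)[\-\/]s(\s|$)")`, expresses the "silent switch" the rule is named for; if the surrounding search already narrows `process` to regsvr32 the broader form may be tolerable, but it should then be reflected in `known_false_positives`. The same pattern and the same fix apply to the `@@ -24,8 +24,7 @@` hunk of `detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml`.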
@@ -24,8 +24,7 @@ search: |-
 | `drop_dm_object_name(Processes)`
 | `security_content_ctime(firstTime)`
 | `security_content_ctime(lastTime)`
- | where match(process,"(?i)[\-
- | \/][Ss]{1}")
+ | where match(process,"(?i)[\-\/][Ss]{1}")
 | `regsvr32_with_known_silent_switch_cmdline_filter`
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: minimal. but network operator can use this application to load dll.