From dfb30f194f8a9c21d34d58526a54683209e035ba Mon Sep 17 00:00:00 2001
From: xenoscr
Date: Tue, 13 Sep 2022 23:37:10 -0400
Subject: [PATCH] Tweaked the Link regex to allow anchor tags and the handle regex to permit blank entries.

---
 YML-Schema.yml | 14 +++++++-------
 yml/OSBinaries/Bitsadmin.yml | 2 +-
 yml/OSBinaries/Esentutl.yml | 2 +-
 yml/OSBinaries/Ftp.yml | 2 +-
 4 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/YML-Schema.yml b/YML-Schema.yml
index 363b279..11f3409 100644
--- a/YML-Schema.yml
+++ b/YML-Schema.yml
@@ -74,19 +74,19 @@ mapping:
 type: str
 "Sigma":
 type: str
- pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Analysis":
 type: str
- pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Elastic":
 type: str
- pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Splunk":
 type: str
- pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "BlockRule":
 type: str
- pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Resources":
 type: seq
 required: false
@@ -95,7 +95,7 @@ mapping:
 mapping:
 "Link":
 type: str
- pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Acknowledgement":
 type: seq
 required: false
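Review bot: In the `[$-_@.&+#]` class shared by every pattern in this hunk and by the Link pattern in the `@@ -95,7` hunk, `$-_` is a character range (0x24 through 0x5F), not the three literals `$`, `-`, `_`, so the pattern already admits `'`, `;`, `<`, `>`, `[`, `\` and `^` and makes the `[0-9]`, `@`, `.`, `&` and `+` alternatives redundant; `#` (0x23) sits just outside that range, which is why this commit had to add it. If a literal hyphen was intended, escape it, `[$\-_@.&+#]`, and re-run the validator to see which existing links relied on the accidental range. These values are URLs that end up published, so the tighter class is worth the check; how the consuming site renders them is outside this diff, so I cannot judge the impact here. The same pattern is now copied six times, which invites drift; a single anchored value (for example `&link_pattern`) or a shared rule would keep them in step, provided the validator's loader accepts anchors.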
@@ -106,4 +106,4 @@ mapping:
 type: str
 "Handle":
 type: str
- pattern: '^@(\w){1,15}$'
+ pattern: '^(@(\w){1,15})?$'
diff --git a/yml/OSBinaries/Bitsadmin.yml b/yml/OSBinaries/Bitsadmin.yml
index 01a868b..a6f9a94 100644
--- a/yml/OSBinaries/Bitsadmin.yml
+++ b/yml/OSBinaries/Bitsadmin.yml
@@ -46,7 +46,7 @@ Detection:
 - IOC: bitsadmin creates new files
 - IOC: bitsadmin adds data to alternate data stream
 Resources:
- - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53
+ - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679
 - Link: https://www.youtube.com/watch?v=_8xJaaQlpBo
 - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 Acknowledgement:
diff --git a/yml/OSBinaries/Esentutl.yml b/yml/OSBinaries/Esentutl.yml
index 22a9279..21554b2 100644
--- a/yml/OSBinaries/Esentutl.yml
+++ b/yml/OSBinaries/Esentutl.yml
@@ -66,4 +66,4 @@ Acknowledgement:
 - Person: egre55
 Handle: '@egre55'
 - Person: Mike Cary
- Handle: 'grayfold3d'
+ Handle: '@grayfold3d'
diff --git a/yml/OSBinaries/Ftp.yml b/yml/OSBinaries/Ftp.yml
index 0b86026..6293171 100644
--- a/yml/OSBinaries/Ftp.yml
+++ b/yml/OSBinaries/Ftp.yml
@@ -37,4 +37,4 @@ Acknowledgement:
 - Person: BennyHusted
 Handle: ''
 - Person: Amit Serper
- Handle: '@0xAmit '
+ Handle: '@0xAmit'
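Review bot: `^(@(\w){1,15})?$` now accepts an empty string, but if the schema is checked with a Python-based validator, `\w` on a str pattern also matches non-ASCII letters and digits, so a Twitter-style handle is only enforced with an explicit class: `pattern: '^(@[A-Za-z0-9_]{1,15})?$'`. The capture group around the single `\w` adds nothing; `\w{1,15}` matches the same strings. Permitting `''` also means placeholder values such as the `Handle: ''` context line in the Ftp.yml hunk are stored rather than omitted; marking the key `required: false` and leaving it out would express "no handle" without a sentinel string, though that is a schema-design choice rather than a defect in this line.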
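Review bot: Dropping ` - slide 53` from the slideshare Link makes the entry pass the URL pattern but silently loses the pointer to the relevant slide, and nothing else in the hunk preserves it. If the Resources entry has no field for a free-text note under the schema, the slide number could be kept as a URL fragment now that `#` is accepted, provided the site supports one for slide position, which cannot be confirmed from this diff.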