This repository has been archived by the owner on Jun 5, 2023. It is now read-only.
Deal with exotic DSL queries in configuration INI file with special characters #455
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Example:
2020-03-02 16:51:43,427 [sigma-gen][ERROR] '%' must be followed by '%' or '(', found: '%COMSPEC%*"}}]}}, {"bool": {"must": [{"exists": {"field": "WevtFilter.CommandLine.keyword"}}, {"wildcard": {"WevtFilter.CommandLine.keyword": "*/c*"}}]}}, {"bool": {"must": [{"exists": {"field": "WevtFilter.CommandLine.keyword"}}, {"wildcard": {"WevtFilter.CommandLine.keyword": "*echo*"}}]}}, {"bool": {"must": [{"exists": {"field": "WevtFilter.CommandLine.keyword"}}, {"wildcard": {"WevtFilter.CommandLine.keyword": "*\\\\\\\\pipe\\\\\\\\*"}}]}}]}}, {"bool": {"must": [{"bool": {"must": [{"exists": {"field": "WevtFilter.CommandLine.keyword"}}, {"wildcard": {"WevtFilter.CommandLine.keyword": "*rundll32*"}}]}}, {"bool": {"must": [{"exists": {"field": "WevtFilter.CommandLine.keyword"}}, {"wildcard": {"WevtFilter.CommandLine.keyword": "*.dll,a*"}}]}}, {"bool": {"must": [{"exists": {"field": "WevtFilter.CommandLine.keyword"}}, {"wildcard": {"WevtFilter.CommandLine.keyword": "*/p:*"}}]}}]}}]}}]}}}}}'The text was updated successfully, but these errors were encountered: