mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-06-01 20:36:02 +02:00
Fixing errors found in yaml lint action.
This commit is contained in:
xenoscr
parent
7bb5a8a8e3
commit
98813fe01b
Binary file not shown.
|
|
@ -14,14 +14,12 @@ Commands:
|
|||
Full_Path:
|
||||
- Path: C:\Windows\System32\Atbroker.exe
|
||||
- Path: C:\Windows\SysWOW64\Atbroker.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
|
||||
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
|
||||
- IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
|
||||
- IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
|
||||
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
|
||||
- IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
|
||||
- IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware
|
||||
Resources:
|
||||
- Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
|
||||
Acknowledgement:
|
||||
|
|
|
|||
|
|
@ -21,14 +21,12 @@ Commands:
|
|||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmd.exe
|
||||
- Path: C:\Windows\SysWOW64\cmd.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
|
||||
- IOC: cmd.exe executing files from alternate data streams.
|
||||
- IOC: cmd.exe creating/modifying file contents in an alternate data stream.
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
|
||||
- IOC: cmd.exe executing files from alternate data streams.
|
||||
- IOC: cmd.exe creating/modifying file contents in an alternate data stream.
|
||||
Resources:
|
||||
- Link: https://twitter.com/yeyint_mth/status/1143824979139579904
|
||||
Acknowledgement:
|
||||
|
|
|
|||
|
|
@ -14,10 +14,8 @@ Commands:
|
|||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmdkey.exe
|
||||
- Path: C:\Windows\SysWOW64\cmdkey.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml
|
||||
Resources:
|
||||
- Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
|
||||
- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
|
||||
|
|
|
|||
|
|
@ -21,17 +21,15 @@ Commands:
|
|||
Full_Path:
|
||||
- Path: C:\Windows\System32\cmstp.exe
|
||||
- Path: C:\Windows\SysWOW64\cmstp.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml
|
||||
- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
|
||||
- IOC: Execution of cmstp.exe without a VPN use case is suspicious
|
||||
- IOC: DotNet CLR libraries loaded into cmstp.exe
|
||||
- IOC: DotNet CLR Usage Log - cmstp.exe.log
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml
|
||||
- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
|
||||
- IOC: Execution of cmstp.exe without a VPN use case is suspicious
|
||||
- IOC: DotNet CLR libraries loaded into cmstp.exe
|
||||
- IOC: DotNet CLR Usage Log - cmstp.exe.log
|
||||
Resources:
|
||||
- Link: https://twitter.com/NickTyrer/status/958450014111633408
|
||||
- Link: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
|
||||
|
|
|
|||
|
|
@ -15,16 +15,16 @@ Full_Path:
|
|||
- Path: C:\Windows\System32\control.exe
|
||||
- Path: C:\Windows\SysWOW64\control.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/e8b633f54fce88e82b1c3d5e7c7bfa7d3d0beee7/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_control_dll_load.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
|
||||
- IOC: Control.exe executing files from alternate data streams
|
||||
- IOC: Control.exe executing library file without cpl extension
|
||||
- IOC: Suspicious network connections from control.exe
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/e8b633f54fce88e82b1c3d5e7c7bfa7d3d0beee7/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_control_dll_load.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
|
||||
- IOC: Control.exe executing files from alternate data streams
|
||||
- IOC: Control.exe executing library file without cpl extension
|
||||
- IOC: Suspicious network connections from control.exe
|
||||
Resources:
|
||||
- Link: https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
|
||||
- Link: https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
|
||||
|
|
|
|||
|
|
@ -22,13 +22,13 @@ Full_Path:
|
|||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc_folder.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
|
||||
- IOC: Csc.exe should normally not run as System account unless it is used for development.
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc_folder.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
|
||||
- IOC: Csc.exe should normally not run as System account unless it is used for development.
|
||||
Resources:
|
||||
- Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
|
||||
Acknowledgement:
|
||||
|
|
|
|||
|
|
@ -15,18 +15,18 @@ Full_Path:
|
|||
- Path: C:\Windows\System32\cscript.exe
|
||||
- Path: C:\Windows\SysWOW64\cscript.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_script_execution.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/sysmon_susp_clr_logs.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
|
||||
- Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- IOC: Cscript.exe executing files from alternate data streams
|
||||
- IOC: DotNet CLR libraries loaded into cscript.exe
|
||||
- IOC: DotNet CLR Usage Log - cscript.exe.log
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_script_execution.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/sysmon_susp_clr_logs.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
|
||||
- Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- IOC: Cscript.exe executing files from alternate data streams
|
||||
- IOC: DotNet CLR libraries loaded into cscript.exe
|
||||
- IOC: DotNet CLR Usage Log - cscript.exe.log
|
||||
Resources:
|
||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||
|
|
|
|||
|
|
@ -17,9 +17,9 @@ Full_Path:
|
|||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
||||
Resources:
|
||||
- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
|
||||
- Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
|
||||
|
|
|
|||
|
|
@ -22,12 +22,12 @@ Full_Path:
|
|||
- Path: C:\Windows\System32\diskshadow.exe
|
||||
- Path: C:\Windows\SysWOW64\diskshadow.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_diskshadow.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/b3df5bf325461df9bcfeb051895b0c8dc3258234/rules/windows/process_creation/win_shadow_copies_deletion.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
|
||||
- IOC: Child process from diskshadow.exe
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_diskshadow.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/b3df5bf325461df9bcfeb051895b0c8dc3258234/rules/windows/process_creation/win_shadow_copies_deletion.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
|
||||
- IOC: Child process from diskshadow.exe
|
||||
Resources:
|
||||
- Link: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
|
||||
Acknowledgement:
|
||||
|
|
|
|||
|
|
@ -15,10 +15,10 @@ Full_Path:
|
|||
- Path: C:\Windows\System32\Dnscmd.exe
|
||||
- Path: C:\Windows\SysWOW64\Dnscmd.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
|
||||
- IOC: Dnscmd.exe loading dll from UNC/arbitrary path
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
|
||||
- IOC: Dnscmd.exe loading dll from UNC/arbitrary path
|
||||
Resources:
|
||||
- Link: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
|
||||
- Link: https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
|
||||
|
|
|
|||
|
|
@ -50,14 +50,14 @@ Full_Path:
|
|||
- Path: C:\Windows\System32\esentutl.exe
|
||||
- Path: C:\Windows\SysWOW64\esentutl.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_esentutl_activity.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/bacb44ab972343358bae612e4625f8ba2e043573/rules/windows/process_creation/process_susp_esentutl_params.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
|
||||
- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/esentutl_sam_copy.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_esentutl_activity.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/bacb44ab972343358bae612e4625f8ba2e043573/rules/windows/process_creation/process_susp_esentutl_params.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
|
||||
- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/esentutl_sam_copy.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
|
||||
Resources:
|
||||
- Link: https://twitter.com/egre55/status/985994639202283520
|
||||
- Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
|
||||
|
|
|
|||
|
|
@ -29,10 +29,10 @@ Full_Path:
|
|||
- Path: C:\Windows\System32\Expand.exe
|
||||
- Path: C:\Windows\SysWOW64\Expand.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/b25fbbea54014565fc4551f94c97c0d7550b1c04/rules/windows/process_creation/sysmon_expand_cabinet_files.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/b25fbbea54014565fc4551f94c97c0d7550b1c04/rules/windows/process_creation/sysmon_expand_cabinet_files.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
|
||||
Resources:
|
||||
- Link: https://twitter.com/infosecn1nja/status/986628482858807297
|
||||
- Link: https://twitter.com/Oddvarmoe/status/986709068759949319
|
||||
|
|
|
|||
|
|
@ -38,9 +38,9 @@ Full_Path:
|
|||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32_ads.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extrac32_ads.yml
|
||||
Resources:
|
||||
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
|
|
|
|||
|
|
@ -36,9 +36,9 @@ Full_Path:
|
|||
- Path: C:\Windows\System32\findstr.exe
|
||||
- Path: C:\Windows\SysWOW64\findstr.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_findstr.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_findstr.yml
|
||||
Resources:
|
||||
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
|
|
|
|||
|
|
@ -22,9 +22,9 @@ Full_Path:
|
|||
- Path: C:\Windows\System32\forfiles.exe
|
||||
- Path: C:\Windows\SysWOW64\forfiles.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_indirect_cmd.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_indirect_cmd.yml
|
||||
Resources:
|
||||
- Link: https://twitter.com/vector_sec/status/896049052642533376
|
||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
|
|
|
|||
|
|
@ -22,10 +22,10 @@ Full_Path:
|
|||
- Path: C:\Windows\System32\ftp.exe
|
||||
- Path: C:\Windows\SysWOW64\ftp.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml
|
||||
- IOC: cmd /c as child process of ftp.exe
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml
|
||||
- IOC: cmd /c as child process of ftp.exe
|
||||
Resources:
|
||||
- Link: https://twitter.com/0xAmit/status/1070063130636640256
|
||||
- Link: https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939
|
||||
|
|
|
|||
|
|
@ -15,10 +15,10 @@ Full_Path:
|
|||
- Path: C:\Windows\System32\Infdefaultinstall.exe
|
||||
- Path: C:\Windows\SysWOW64\Infdefaultinstall.exe
|
||||
Code_Sample:
|
||||
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
|
||||
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/process_creation_infdefaultinstall.yml
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/process_creation_infdefaultinstall.yml
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
Resources:
|
||||
- Link: https://twitter.com/KyleHanslovan/status/911997635455852544
|
||||
- Link: https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/
|
||||
|
|
|
|||
|
|
@ -22,10 +22,10 @@ Full_Path:
|
|||
- Path: C:\Windows\System32\mmc.exe
|
||||
- Path: C:\Windows\SysWOW64\mmc.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mmc_spawn_shell.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/b731c2059445eef53e37232a5f3634c3473aae0c/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mmc_spawn_shell.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/b731c2059445eef53e37232a5f3634c3473aae0c/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml
|
||||
Resources:
|
||||
- Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
|
||||
- Link: https://offsec.almond.consulting/UAC-bypass-dotnet.html
|
||||
|
|
|
|||
|
|
@ -60,7 +60,7 @@ Detection:
|
|||
- Elastic: https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- IOC: Msbuild.exe should not normally be executed on workstations
|
||||
Resources:
|
||||
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ Commands:
|
|||
OperatingSystem: Windows 10,7
|
||||
Full_Path:
|
||||
- Path: C:\Windows\system32\pnputil.exe
|
||||
Code_Sample:
|
||||
Code_Sample:
|
||||
- Code: https://github.com/LuxNoBulIshit/test.inf/blob/main/inf
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/a8a0d546f347febb0423aa920dbc10713cc1f92f/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@ Full_Path:
|
|||
- Path: C:\Windows\System32\regsvr32.exe
|
||||
- Path: C:\Windows\SysWOW64\regsvr32.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/6fbce11094285e5ba13fe101b9cb70f5b1ece198/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/6d56e400d209daa77a7900d950a7c587dc0cd2e5/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ Code_Sample:
|
|||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_runscripthelper.yml
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- IOC: Event 4014 - Powershell logging
|
||||
- IOC: Event 400
|
||||
Resources:
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@ Commands:
|
|||
Privileges: User
|
||||
MitreID: T1053.005
|
||||
OperatingSystem: Windows
|
||||
- Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily
|
||||
- Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily
|
||||
Description: Create a scheduled task on a remote computer for persistence/lateral movement
|
||||
Usecase: Create a remote task to run daily relative to the the time of creation
|
||||
Category: Execute
|
||||
|
|
|
|||
|
|
@ -31,7 +31,7 @@ Detection:
|
|||
- Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
|
||||
- Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
- IOC: Wscript.exe executing code from alternate data streams
|
||||
- IOC: DotNet CLR libraries loaded into wscript.exe
|
||||
- IOC: DotNet CLR Usage Log - wscript.exe.log
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ Code_Sample:
|
|||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/network_connection/sysmon_wuauclt_network_connection.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/f16aca7a353bb01d9862ea1f2a10fa0d866e83c3/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/30bee7204cc1b98a47635ed8e52f44fdf776c602/rules/windows/process_creation/win_susp_wuauclt.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/30bee7204cc1b98a47635ed8e52f44fdf776c602/rules/windows/process_creation/win_susp_wuauclt.yml
|
||||
- IOC: wuauclt run with a parameter of a DLL path
|
||||
- IOC: Suspicious wuauclt Internet/network connections
|
||||
Resources:
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ Commands:
|
|||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1218.011
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\desk.cpl
|
||||
- Path: C:\Windows\SysWOW64\desk.cpl
|
||||
|
|
|
|||
|
|
@ -17,9 +17,9 @@ Full_Path:
|
|||
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
|
||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
||||
Resources:
|
||||
- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
|
||||
- Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
|
||||
|
|
|
|||
|
|
@ -19,10 +19,10 @@ Code_Sample:
|
|||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
||||
Resources:
|
||||
- Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
|
||||
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
|
||||
- Link: https://twitter.com/bohops/status/997690405092290561
|
||||
- Link: https://windows10dll.nirsoft.net/shdocvw_dll.html
|
||||
- Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
|
||||
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
|
||||
- Link: https://twitter.com/bohops/status/997690405092290561
|
||||
- Link: https://windows10dll.nirsoft.net/shdocvw_dll.html
|
||||
Acknowledgement:
|
||||
- Person: Adam
|
||||
Handle: '@hexacorn'
|
||||
|
|
|
|||
|
|
@ -33,4 +33,4 @@ Acknowledgement:
|
|||
- Person: Emin Atac
|
||||
Handle: '@p0w3rsh3ll'
|
||||
- Person: Stamatis Chatzimangou
|
||||
Handle: '@_st0pp3r_'
|
||||
Handle: '@_st0pp3r_'
|
||||
|
|
|
|||
Loading…
Reference in New Issue