Merge 3a7f13130a into 2cc0ee99e6

Applying MITRE ATT&CK v15 changes (#370 )
https://attack.mitre.org/resources/updates/updates-april-2024/
2024-05-08 00:26:19 +02:00 · 2024-04-26 15:25:57 -07:00 · 2024-04-24 15:10:59 +01:00 · 2024-04-19 18:53:37 +01:00 · 2024-04-02 21:20:11 -04:00 · 2024-04-02 21:18:08 -04:00
10 changed files with 56 additions and 13 deletions
--- a/yml/HonorableMentions/PowerShell.yml
+++ b/yml/HonorableMentions/PowerShell.yml
@ -0,0 +1,38 @@
+---
+Name: Powershell.exe
+Description: Powershell.exe is a a task-based command-line shell built on .NET.
+Author: 'Everyone'
+Created: 2024-04-03
+Commands:
+  - Command: powershell.exe -ep bypass -file c:\path\to\a\script.ps1
+    Description: Set the execution policy to bypass and execute a PowerShell script without warning
+    Usecase: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires
+    Category: Execute
+    Privileges: User
+    MitreID: T1059.001
+    OperatingSystem: Windows 7 and up
+  - Command: powershell.exe -ep bypass -command "Invoke-AllTheThings..."
+    Description: Set the execution policy to bypass and execute a PowerShell command
+    Usecase: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires
+    Category: Execute
+    Privileges: User
+    MitreID: T1059.001
+    OperatingSystem: Windows 7 and up
+  - Command: powershell.exe -ep bypass -ec IgBXAGUAIAA8ADMAIABMAE8ATABCAEEAUwAiAA==
+    Description: Set the execution policy to bypass and execute a very malicious PowerShell encoded command
+    Usecase: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires
+    Category: Execute
+    Privileges: User
+    MitreID: T1059.001
+    OperatingSystem: Windows 7 and up
+Full_Path:
+  - Path: '%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe'
+  - Path: '%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/tree/71ae004b32bb3c7fb04714f8a051fc8e5edda68c/rules/windows/powershell
+Resources:
+  - Link: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1
+  - Link: https://attack.mitre.org/techniques/T1059/001/
+Acknowledgement:
+  - Person: Everyone
+    Handle: '@alltheoffensivecyberers'
--- a/yml/OSBinaries/Certutil.yml
+++ b/yml/OSBinaries/Certutil.yml
@ -30,7 +30,7 @@ Commands:
    Usecase: Encode files to evade defensive measures
    Category: Encode
    Privileges: User
-    MitreID: T1027
+    MitreID: T1027.013
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: certutil -decode encodedInputFileName decodedOutputFileName
    Description: Command to decode a Base64 encoded file.
--- a/yml/OSBinaries/Msedge.yml
+++ b/yml/OSBinaries/Msedge.yml
@ -23,7 +23,7 @@ Commands:
    Usecase: Executes a process under a trusted Microsoft signed binary
    Category: Execute
    Privileges: User
-    MitreID: T1218
+    MitreID: T1218.015
    OperatingSystem: Windows 10, Windows 11
 Full_Path:
  - Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe
--- a/yml/OSBinaries/Tar.yml
+++ b/yml/OSBinaries/Tar.yml
@ -35,6 +35,8 @@ Full_Path:
  - Path: C:\Windows\System32\tar.exe
  - Path: C:\Windows\SysWOW64\tar.exe
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_tar_compression.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_tar_extraction.yml
  - IOC: tar.exe extracting files from a remote host within the environment
  - IOC: Abnormal processes spawning tar.exe
  - IOC: tar.exe interacting with alternate data streams (ADS)
--- a/yml/OSBinaries/msedge_proxy.yml
+++ b/yml/OSBinaries/msedge_proxy.yml
@ -25,8 +25,10 @@ Commands:
    Usecase: Executes a process under a trusted Microsoft signed binary
    Category: Execute
    Privileges: User
-    MitreID: T1218
+    MitreID: T1218.015
    OperatingSystem: Windows 10, Windows 11
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml
 Acknowledgement:
  - Person: Mert Daş
    Handle: '@merterpreter'
--- a/yml/OSBinaries/msedgewebview2.yml
+++ b/yml/OSBinaries/msedgewebview2.yml
@ -9,32 +9,33 @@ Commands:
    Usecase: Proxy execution of binary
    Category: Execute
    Privileges: Low privileges
-    MitreID: T1202
+    MitreID: T1218.015
    OperatingSystem: Windows 10, Windows 11
  - Command: msedgewebview2.exe --utility-cmd-prefix="calc.exe"
    Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
    Usecase: Proxy execution of binary
    Category: Execute
    Privileges: User
-    MitreID: T1202
+    MitreID: T1218.015
    OperatingSystem: Windows 10, Windows 11
  - Command: msedgewebview2.exe --disable-gpu-sandbox --gpu-launcher="calc.exe"
    Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
    Usecase: Proxy execution of binary
    Category: Execute
    Privileges: User
-    MitreID: T1202
+    MitreID: T1218.015
    OperatingSystem: Windows 10, Windows 11
  - Command: msedgewebview2.exe --no-sandbox --renderer-cmd-prefix="calc.exe"
    Description: This command launches the Microsoft Edge WebView2 browser control without sandboxing and will spawn calc.exe as its subprocess.
    Usecase: Proxy execution of binary
    Category: Execute
    Privileges: User
-    MitreID: T1202
+    MitreID: T1218.015
    OperatingSystem: Windows 10, Windows 11
 Full_Path:
  - Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml
  - IOC: 'msedgewebview2.exe spawned with any of the following: --gpu-launcher, --utility-cmd-prefix, --renderer-cmd-prefix, --browser-subprocess-path'
 Resources:
  - Link: https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
--- a/yml/OSLibraries/Scrobj.yml
+++ b/yml/OSLibraries/Scrobj.yml
@ -17,6 +17,7 @@ Full_Path:
  - Path: c:\windows\system32\scrobj.dll
  - Path: c:\windows\syswow64\scrobj.dll
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
  - IOC: Execution of rundll32.exe with 'GenerateTypeLib' and a protocol handler ('://') on the command line
 Resources:
  - Link: https://twitter.com/eral4m/status/1479106975967240209
--- a/yml/OSLibraries/Shimgvw.yml
+++ b/yml/OSLibraries/Shimgvw.yml
@ -17,6 +17,7 @@ Full_Path:
  - Path: c:\windows\system32\shimgvw.dll
  - Path: c:\windows\syswow64\shimgvw.dll
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
  - IOC: Execution of rundll32.exe with 'ImageView_Fullscreen' and a protocol handler ('://') on the command line
 Resources:
  - Link: https://twitter.com/eral4m/status/1479080793003671557
--- a/yml/OSScripts/Syncappvpublishingserver.yml
+++ b/yml/OSScripts/Syncappvpublishingserver.yml
@ -9,12 +9,10 @@ Commands:
    Usecase: Use Powershell host invoked from vbs script
    Category: Execute
    Privileges: User
-    MitreID: T1216
+    MitreID: T1216.002
    OperatingSystem: Windows 10, Windows 11
 Full_Path:
  - Path: C:\Windows\System32\SyncAppvPublishingServer.vbs
-Code_Sample:
-  - Code:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
 Resources:
--- a/yml/OtherMSBinaries/Teams.yml
+++ b/yml/OtherMSBinaries/Teams.yml
@ -9,21 +9,21 @@ Commands:
    Usecase: Execute JavaScript code
    Category: Execute
    Privileges: User
-    MitreID: T1218
+    MitreID: T1218.015
    OperatingSystem: Windows 10, Windows 11
  - Command: teams.exe
    Description: Generate JavaScript payload and package.json, archive in ASAR file and save to "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar" before executing.
    Usecase: Execute JavaScript code
    Category: Execute
    Privileges: User
-    MitreID: T1218
+    MitreID: T1218.015
    OperatingSystem: Windows 10, Windows 11
  - Command: teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&"
    Description: Teams spawns cmd.exe as a child process of teams.exe and executes the ping command
    Usecase: Executes a process under a trusted Microsoft signed binary
    Category: Execute
    Privileges: User
-    MitreID: T1218
+    MitreID: T1218.015
    OperatingSystem: Windows 10, Windows 11
 Full_Path:
  - Path: "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\Teams.exe"
Author	SHA1	Message	Date
bohops	1522badfea	Merge `3a7f13130a` into `2cc0ee99e6`	2024-04-26 15:25:57 -07:00
Wietze	2cc0ee99e6	Applying MITRE ATT&CK v15 changes (#370 ) https://attack.mitre.org/resources/updates/updates-april-2024/	2024-04-24 15:10:59 +01:00
$frack113$ frack113	2cc01b0113	Add Detection Sigma ref (#368 )	2024-04-19 18:53:37 +01:00
root	3a7f13130a	Adding PowerShell to Honorable Mentions	2024-04-02 21:20:11 -04:00
root	462b5a8c61	Adding PowerShell to Honorable Mentions	2024-04-02 21:18:08 -04:00