LOLBAS/YML-Template.yml

---
Name: Binary.exe
Description: Something general about the binary
Author: The name of the person that created this file
Created: YYYY-MM-DD (date the person created this file)
Commands:
  - Command: The command
    Description: Description of the command
    Usecase: A description of the usecase
    Category: Execute
    Privileges: Required privs
    MitreID: T1055
    OperatingSystem: Windows 10 1803, Windows 10 1703
  - Command: The second command
    Description: Description of the second command
    Usecase: A description of the usecase
    Category: AWL Bypass
    Privileges: Required privs
    MitreID: T1033
    OperatingSystem: Windows 10 All
Full_Path:
  - Path: c:\windows\system32\bin.exe
  - Path: c:\windows\syswow64\bin.exe
Code_Sample:
  - Code: http://url.com/git.txt
Detection:
  - IOC: Event ID 10
  - IOC: binary.exe spawned
  - Analysis: https://link/to/blog/gist/writeup/if/applicable
  - Sigma: https://link/to/sigma/rule/if/applicable
  - Elastic: https://link/to/elastic/rule/if/applicable
  - Splunk: https://link/to/splunk/rule/if/applicable
  - BlockRule: https://link/to/microsoft/block/rules/if/applicable
Resources:
  - Link: http://blogpost.com
  - Link: http://twitter.com/something
  - Link: Threatintelreport...
Acknowledgement:
  - Person: John Doe
    Handle: '@johndoe'
  - Person: Ola Norman
    Handle: '@olaNor'
Update YML-Template.yml 2018-09-18 16:32:50 +02:00			`---`
New yml template 2018-09-18 16:31:27 +02:00			`Name: Binary.exe`
			`Description: Something general about the binary`
MITRE ATT&CK realignment sprint 2021-11-05 19:58:26 +01:00			`Author: The name of the person that created this file`
			`Created: YYYY-MM-DD (date the person created this file)`
New yml template 2018-09-18 16:31:27 +02:00			`Commands:`
			`- Command: The command`
			`Description: Description of the command`
			`Usecase: A description of the usecase`
Major changes to Web portal - Small fixes to source files to adjust 2018-12-10 14:28:12 +01:00			`Category: Execute`
New yml template 2018-09-18 16:31:27 +02:00			`Privileges: Required privs`
			`MitreID: T1055`
			`OperatingSystem: Windows 10 1803, Windows 10 1703`
			`- Command: The second command`
			`Description: Description of the second command`
			`Usecase: A description of the usecase`
Major changes to Web portal - Small fixes to source files to adjust 2018-12-10 14:28:12 +01:00			`Category: AWL Bypass`
New yml template 2018-09-18 16:31:27 +02:00			`Privileges: Required privs`
			`MitreID: T1033`
			`OperatingSystem: Windows 10 All`
Major changes to Web portal - Small fixes to source files to adjust 2018-12-10 14:28:12 +01:00			`Full_Path:`
Adjusted template (some space errors) 2019-06-27 17:02:21 +02:00			`- Path: c:\windows\system32\bin.exe`
			`- Path: c:\windows\syswow64\bin.exe`
MITRE ATT&CK realignment sprint 2021-11-05 19:58:26 +01:00			`Code_Sample:`
Adjusted template (some space errors) 2019-06-27 17:02:21 +02:00			`- Code: http://url.com/git.txt`
MITRE ATT&CK realignment sprint 2021-11-05 19:58:26 +01:00			`Detection:`
Adjusted template (some space errors) 2019-06-27 17:02:21 +02:00			`- IOC: Event ID 10`
			`- IOC: binary.exe spawned`
Detection Resources and Other Updates (#179) * Add detection links for scripts * Add detection links for OtherMSBins. Fixed and updated as needed. * Add detection links for MSBins. Fixed and updated as needed. * Add detection links for oslibraries * Updating template for Detections * Removing empty Detection:Sigma entries * Remove redundant blank line * Replacing commit URL with file URL Co-authored-by: root <root@DESKTOP-5CR935D.localdomain> Co-authored-by: Wietze <wietze@users.noreply.github.com> 2021-11-15 14:19:03 +01:00			`- Analysis: https://link/to/blog/gist/writeup/if/applicable`
			`- Sigma: https://link/to/sigma/rule/if/applicable`
			`- Elastic: https://link/to/elastic/rule/if/applicable`
			`- Splunk: https://link/to/splunk/rule/if/applicable`
			`- BlockRule: https://link/to/microsoft/block/rules/if/applicable`
New yml template 2018-09-18 16:31:27 +02:00			`Resources:`
Adjusted template (some space errors) 2019-06-27 17:02:21 +02:00			`- Link: http://blogpost.com`
			`- Link: http://twitter.com/something`
			`- Link: Threatintelreport...`
			`Acknowledgement:`
New yml template 2018-09-18 16:31:27 +02:00			`- Person: John Doe`
syntax: encapsulating strings with special char 2021-03-09 14:13:52 +01:00			`Handle: '@johndoe'`
New yml template 2018-09-18 16:31:27 +02:00			`- Person: Ola Norman`
MITRE ATT&CK realignment sprint 2021-11-05 19:58:26 +01:00			`Handle: '@olaNor'`