public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-12-27 07:18:05 +01:00
Code Issues Projects Releases Wiki Activity

Add Sigma rule references to various LOLBAS (#260)

Browse Source
This commit is contained in:
frack113 2022-10-26 10:10:39 +02:00 committed by GitHub
parent 5449be3e95
commit 01d7580886
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
yml/OSBinaries/CustomShellHost.yml
View File

@ -15,6 +15,7 @@ Full_Path:
- Path: C:\Windows\System32\CustomShellHost.exe
Detection:
- IOC: CustomShellHost.exe is unlikely to run on normal workstations
- Sigma: https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml
Resources:
- Link: https://twitter.com/YoSignals/status/1381353520088113154
- Link: https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher

1
yml/OSBinaries/DeviceCredentialDeployment.yml
View File

@ -15,6 +15,7 @@ Full_Path:
- Path: C:\Windows\System32\DeviceCredentialDeployment.exe
Detection:
- IOC: DeviceCredentialDeployment.exe should not be run on a normal workstation
- Sigma: https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml
Acknowledgement:
- Person: Elliot Killick
Handle: '@elliotkillick'

1
yml/OSBinaries/OneDriveStandaloneUpdater.yml
View File

@ -16,6 +16,7 @@ Full_Path:
Detection:
- IOC: HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL
- IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files
- Sigma: https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
Resources:
- Link: https://github.com/LOLBAS-Project/LOLBAS/pull/153
Acknowledgement:

1
yml/OSBinaries/fsutil.yml
View File

@ -24,6 +24,7 @@ Full_Path:
Detection:
- IOC: fsutil.exe should not be run on a normal workstation
- IOC: file setZeroData (not case-sensitive) in the process arguments
- Sigma: https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml
Acknowledgement:
- Person: Elliot Killick
Handle: '@elliotkillick'

1
yml/OSScripts/Pubprn.yml
View File

@ -18,6 +18,7 @@ Code_Sample:
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Pubprn_calc.sct
Detection:
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- Sigma: https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml
Resources:
- Link: https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
- Link: https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology