Adding Windows file path validation for values of File_Path (#403)

2024-10-22 16:49:11 +02:00 · 2024-10-01 23:14:19 +01:00 · 2024-10-01 23:14:19 +01:00 · 39a7120d40
commit 39a7120d40
parent d8402e6651
22 changed files with 35 additions and 35 deletions
--- a/YML-Schema.yml
+++ b/YML-Schema.yml
@ -74,6 +74,7 @@ mapping:
          "Path":
            type: str
            required: true
+            pattern: '^(([cC]:)\\([a-zA-Z0-9\-\_\. \(\)\<\>]+\\)*([a-zA-Z0-9_\-\.]+\.[a-z0-9]{3})|no default)$'
  "Code_Sample":
    type: seq
    required: false
--- a/yml/HonorableMentions/Code.yml
+++ b/yml/HonorableMentions/Code.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1219
    OperatingSystem: Windows 10, Windows 11
 Full_Path:
-  - Path: '%LOCALAPPDATA%\Programs\Microsoft VS Code\Code.exe'
+  - Path: 'C:\Users\<username>\AppData\Local\Programs\Microsoft VS Code\Code.exe'
  - Path: C:\Program Files\Microsoft VS Code\Code.exe
  - Path: C:\Program Files (x86)\Microsoft VS Code\Code.exe
 Detection:
--- a/yml/HonorableMentions/PowerShell.yml
+++ b/yml/HonorableMentions/PowerShell.yml
@ -26,8 +26,8 @@ Commands:
    MitreID: T1059.001
    OperatingSystem: Windows 7 and up
 Full_Path:
-  - Path: '%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe'
-  - Path: '%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
+  - Path: 'C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe'
+  - Path: 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/tree/71ae004b32bb3c7fb04714f8a051fc8e5edda68c/rules/windows/powershell
 Resources:
--- a/yml/OSBinaries/OneDriveStandaloneUpdater.yml
+++ b/yml/OSBinaries/OneDriveStandaloneUpdater.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1105
    OperatingSystem: Windows 10
 Full_Path:
-  - Path: '%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
+  - Path: 'C:\Users\<username>\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
 Detection:
  - IOC: HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL
  - IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files
--- a/yml/OSBinaries/msedge_proxy.yml
+++ b/yml/OSBinaries/msedge_proxy.yml
@ -1,7 +1,7 @@
 ---
 Name: msedge_proxy.exe
 Full_Path:
-  - Path: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe
+  - Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
 Description: Microsoft Edge Browser
 Author: 'Mert Daş'
 Created: 2023-08-18
--- a/yml/OSScripts/pester.yml
+++ b/yml/OSScripts/pester.yml
@ -26,8 +26,7 @@ Commands:
    MitreID: T1216
    OperatingSystem: Windows 10, Windows 11
 Full_Path:
-  - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
-  - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat
+  - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\<version>\bin\Pester.bat
 Code_Sample:
  - Code:
 Detection:
--- a/yml/OtherMSBinaries/Bginfo.yml
+++ b/yml/OtherMSBinaries/Bginfo.yml
@ -59,7 +59,7 @@ Commands:
    Tags:
      - Execute: WSH
 Full_Path:
-  - Path: No fixed path
+  - Path: no default
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml
  - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
--- a/yml/OtherMSBinaries/Createdump.yml
+++ b/yml/OtherMSBinaries/Createdump.yml
@ -12,10 +12,10 @@ Commands:
    MitreID: T1003
    OperatingSystem: Windows 10, Windows 11
 Full_Path:
-  - Path: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
-  - Path: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
-  - Path: C:\Program Files\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
-  - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
+  - Path: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\<version>\createdump.exe
+  - Path: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\<version>\createdump.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\<version>\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\<version>\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml
--- a/yml/OtherMSBinaries/DefaultPack.yml
+++ b/yml/OtherMSBinaries/DefaultPack.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows
 Full_Path:
-  - Path: C:\Program Files (x86)\Microsoft\DefaultPack\
+  - Path: C:\Program Files (x86)\Microsoft\DefaultPack\DefaultPack.exe
 Code_Sample:
  - Code:
 Detection:
--- a/yml/OtherMSBinaries/Devinit.yml
+++ b/yml/OtherMSBinaries/Devinit.yml
@ -12,8 +12,8 @@ Commands:
    MitreID: T1218.007
    OperatingSystem: Windows 10, Windows 11
 Full_Path:
-  - Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
-  - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\<version>\Community\Common7\Tools\devinit\devinit.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\<version>\Community\Common7\Tools\devinit\devinit.exe
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml
 Resources:
--- a/yml/OtherMSBinaries/Dnx.yml
+++ b/yml/OtherMSBinaries/Dnx.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1127
    OperatingSystem: Windows
 Full_Path:
-  - Path: N/A
+  - Path: no default
 Code_Sample:
  - Code:
 Detection:
--- a/yml/OtherMSBinaries/DumpMinitool.yml
+++ b/yml/OtherMSBinaries/DumpMinitool.yml
@ -12,7 +12,7 @@ Commands:
    MitreID: T1003.001
    OperatingSystem: Windows 10, Windows 11
 Full_Path:
-  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions
+  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions\DumpMinitool.exe
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml
--- a/yml/OtherMSBinaries/Fsi.yml
+++ b/yml/OtherMSBinaries/Fsi.yml
@ -19,7 +19,7 @@ Commands:
    MitreID: T1059
    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
 Full_Path:
-  - Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
+  - Path: C:\Program Files\dotnet\sdk\<version>\FSharp\fsi.exe
  - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
 Code_Sample:
  - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
--- a/yml/OtherMSBinaries/Mftrace.yml
+++ b/yml/OtherMSBinaries/Mftrace.yml
@ -19,10 +19,10 @@ Commands:
    MitreID: T1127
    OperatingSystem: Windows
 Full_Path:
-  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
-  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
-  - Path: C:\Program Files (x86)\Windows Kits\10\bin\x86
-  - Path: C:\Program Files (x86)\Windows Kits\10\bin\x64
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86\mftrace.exe
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64\mftrace.exe
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\x86\mftrace.exe
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\x64\mftrace.exe
 Code_Sample:
  - Code:
 Detection:
--- a/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml
+++ b/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml
@ -12,8 +12,8 @@ Commands:
    MitreID: T1127
    OperatingSystem: Windows
 Full_Path:
-  - Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
-  - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\<version>\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\<version>\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml
--- a/yml/OtherMSBinaries/Squirrel.yml
+++ b/yml/OtherMSBinaries/Squirrel.yml
@ -40,7 +40,7 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows 7 and up with Microsoft Teams installed
 Full_Path:
-  - Path: '%localappdata%\Microsoft\Teams\current\Squirrel.exe'
+  - Path: 'C:\Users\<username>\AppData\Local\Microsoft\Teams\current\Squirrel.exe'
 Code_Sample:
  - Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel
 Detection:
--- a/yml/OtherMSBinaries/Teams.yml
+++ b/yml/OtherMSBinaries/Teams.yml
@ -26,7 +26,7 @@ Commands:
    MitreID: T1218.015
    OperatingSystem: Windows 10, Windows 11
 Full_Path:
-  - Path: "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\Teams.exe"
+  - Path: 'C:\Users\<username>\AppData\Local\Microsoft\Teams\current\Teams.exe'
 Code_Sample:
  - Code: https://github.com/lltltk/LOLBAS-research/tree/master/Teams
 Detection:
--- a/yml/OtherMSBinaries/Update.yml
+++ b/yml/OtherMSBinaries/Update.yml
@ -96,7 +96,7 @@ Commands:
    MitreID: T1070
    OperatingSystem: Windows 7 and up with Microsoft Teams installed
 Full_Path:
-  - Path: '%localappdata%\Microsoft\Teams\update.exe'
+  - Path: 'C:\Users\<username>\AppData\Local\Microsoft\Teams\update.exe'
 Code_Sample:
  - Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel
 Detection:
--- a/yml/OtherMSBinaries/VisualUiaVerifyNative.yml
+++ b/yml/OtherMSBinaries/VisualUiaVerifyNative.yml
@ -12,9 +12,9 @@ Commands:
    MitreID: T1218
    OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
 Full_Path:
-  - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe
-  - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe
-  - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe
+  - Path: c:\Program Files (x86)\Windows Kits\10\bin\<version>\arm64\UIAVerify\VisualUiaVerifyNative.exe
+  - Path: c:\Program Files (x86)\Windows Kits\10\bin\<version>\x64\UIAVerify\VisualUiaVerifyNative.exe
+  - Path: c:\Program Files (x86)\Windows Kits\10\bin\<version>\UIAVerify\VisualUiaVerifyNative.exe
 Code_Sample:
  - Code:
 Detection:
--- a/yml/OtherMSBinaries/VsLaunchBrowser.yml
+++ b/yml/OtherMSBinaries/VsLaunchBrowser.yml
@ -28,8 +28,8 @@ Commands:
    MitreID: T1127
    OperatingSystem: Windows
 Full_Path:
-  - Path: C:\Program Files\Microsoft Visual Studio\{version}\Community\Common7\IDE\VSLaunchBrowser.exe
-  - Path: C:\Program Files (x86)\Microsoft Visual Studio\{version}\Community\Common7\IDE\VSLaunchBrowser.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\<version>\Community\Common7\IDE\VSLaunchBrowser.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\<version>\Community\Common7\IDE\VSLaunchBrowser.exe
 Detection:
  - IOC: cmd.exe as sub-process of VSLaunchBrowser
  - IOC: URL on a VSLaunchBrowser command line
--- a/yml/OtherMSBinaries/devtunnels.yml
+++ b/yml/OtherMSBinaries/devtunnels.yml
@ -12,8 +12,8 @@ Commands:
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11, MacOS
 Full_Path:
-  - Path: C:\Users\<username>\AppData\Local\Temp\.net\devtunnel\
-  - Path: C:\Users\<username>\AppData\Local\Temp\DevTunnels
+  - Path: C:\Users\<username>\AppData\Local\Temp\.net\devtunnel\devtunnel.exe
+  - Path: C:\Users\<username>\AppData\Local\Temp\DevTunnels\devtunnel.exe
 Detection:
  - IOC: devtunnel.exe binary spawned
  - IOC: '*.devtunnels.ms'
--- a/yml/OtherMSBinaries/xsd.yml
+++ b/yml/OtherMSBinaries/xsd.yml
@ -14,7 +14,7 @@ Commands:
    Tags:
      - Download: INetCache
 Full_Path:
-  - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\{version}\bin\NETFX {version} Tools\xsd.exe
+  - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\<version>\bin\NETFX <version> Tools\xsd.exe
 Detection:
  - IOC: URL on a xsd.exe command line
  - IOC: xsd.exe making unexpected network connections or DNS requests