mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-01-27 14:01:04 +01:00
Adding Windows file path validation for values of File_Path (#403)
This commit is contained in:
parent
d8402e6651
commit
39a7120d40
@ -74,6 +74,7 @@ mapping:
|
||||
"Path":
|
||||
type: str
|
||||
required: true
|
||||
pattern: '^(([cC]:)\\([a-zA-Z0-9\-\_\. \(\)\<\>]+\\)*([a-zA-Z0-9_\-\.]+\.[a-z0-9]{3})|no default)$'
|
||||
"Code_Sample":
|
||||
type: seq
|
||||
required: false
|
||||
|
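Review bot: The new `pattern` on the `Path` key encodes several policy decisions that nothing on the page documents: only a `C:`-rooted path or the literal `no default` is accepted, directory components may carry `<...>` placeholders but not `*`, `{}` or `[]`, the file name itself may contain neither spaces nor placeholders, and the extension must be exactly three lowercase characters — a YAML comment above the line stating these rules and naming the sanctioned placeholders (`<username>`, `<version>`) would spare contributors reverse-engineering the regex from a validation failure. Because no `%VAR%` root is allowed, the data hunks below (Code.exe, powershell.exe, OneDriveStandaloneUpdater.exe, Squirrel.exe, Teams.exe, update.exe) delete the environment-variable forms and keep only `C:\Users\<username>\...` or `C:\Windows\...`, which drops the fact that `%SystemRoot%` and `%LOCALAPPDATA%` can resolve somewhere other than the default location; if that trade-off is not intended, an env-var root is a one-token addition, `pattern: '^(([cC]:|%[A-Za-z_]+%)\\([a-zA-Z0-9\-\_\. \(\)\<\>]+\\)*([a-zA-Z0-9_\-\.]+\.[a-z0-9]{3})|no default)$'`. The directory class also admits `.`, so a `..` component passes the check — probably harmless for a curated data set, but worth stating in the same comment. The enclosing `mapping:` definition starts outside the hunk.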
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1219
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: '%LOCALAPPDATA%\Programs\Microsoft VS Code\Code.exe'
|
||||
- Path: 'C:\Users\<username>\AppData\Local\Programs\Microsoft VS Code\Code.exe'
|
||||
- Path: C:\Program Files\Microsoft VS Code\Code.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft VS Code\Code.exe
|
||||
Detection:
|
||||
|
@ -26,8 +26,8 @@ Commands:
|
||||
MitreID: T1059.001
|
||||
OperatingSystem: Windows 7 and up
|
||||
Full_Path:
|
||||
- Path: '%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe'
|
||||
- Path: '%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
|
||||
- Path: 'C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe'
|
||||
- Path: 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/tree/71ae004b32bb3c7fb04714f8a051fc8e5edda68c/rules/windows/powershell
|
||||
Resources:
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows 10
|
||||
Full_Path:
|
||||
- Path: '%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
|
||||
- Path: 'C:\Users\<username>\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
|
||||
Detection:
|
||||
- IOC: HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL
|
||||
- IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
Name: msedge_proxy.exe
|
||||
Full_Path:
|
||||
- Path: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
|
||||
Description: Microsoft Edge Browser
|
||||
Author: 'Mert Daş'
|
||||
Created: 2023-08-18
|
||||
|
@ -26,8 +26,7 @@ Commands:
|
||||
MitreID: T1216
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
|
||||
- Path: c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat
|
||||
- Path: c:\Program Files\WindowsPowerShell\Modules\Pester\<version>\bin\Pester.bat
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
|
@ -59,7 +59,7 @@ Commands:
|
||||
Tags:
|
||||
- Execute: WSH
|
||||
Full_Path:
|
||||
- Path: No fixed path
|
||||
- Path: no default
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml
|
||||
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
|
||||
|
@ -12,10 +12,10 @@ Commands:
|
||||
MitreID: T1003
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
|
||||
- Path: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
|
||||
- Path: C:\Program Files\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
|
||||
- Path: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\<version>\createdump.exe
|
||||
- Path: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\<version>\createdump.exe
|
||||
- Path: C:\Program Files\Microsoft Visual Studio\<version>\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Visual Studio\<version>\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml
|
||||
|
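Review bot: In the two new Visual Studio paths the `*` segment becomes `<version>` while the `Microsoft.NETCore.App\6.0.0` segment later on the same line stays a literal runtime version, so each line now mixes a placeholder with a hard-coded version that is just as installation-specific; either `6.0.0` should become `<version>` as well or a comment should say why that segment is pinned. The same residual hard-coded version survives on the new side of the DumpMinitool hunk (`Microsoft Visual Studio\2022\Community\...`) and, as a context line, in the fsi.exe hunk (`Microsoft Visual Studio\2019\Professional\...`). Since `<version>` is now the sanctioned placeholder, detection authors consuming these paths would otherwise have to special-case those entries. The surrounding YAML entry starts before this hunk.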
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft\DefaultPack\
|
||||
- Path: C:\Program Files (x86)\Microsoft\DefaultPack\DefaultPack.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
|
@ -12,8 +12,8 @@ Commands:
|
||||
MitreID: T1218.007
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
|
||||
- Path: C:\Program Files\Microsoft Visual Studio\<version>\Community\Common7\Tools\devinit\devinit.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Visual Studio\<version>\Community\Common7\Tools\devinit\devinit.exe
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml
|
||||
Resources:
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: N/A
|
||||
- Path: no default
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
|
@ -12,7 +12,7 @@ Commands:
|
||||
MitreID: T1003.001
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions
|
||||
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions\DumpMinitool.exe
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml
|
||||
|
@ -19,7 +19,7 @@ Commands:
|
||||
MitreID: T1059
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
|
||||
- Path: C:\Program Files\dotnet\sdk\<version>\FSharp\fsi.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
|
||||
Code_Sample:
|
||||
- Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1
|
||||
|
@ -19,10 +19,10 @@ Commands:
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\bin\x86
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\bin\x64
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86\mftrace.exe
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64\mftrace.exe
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\bin\x86\mftrace.exe
|
||||
- Path: C:\Program Files (x86)\Windows Kits\10\bin\x64\mftrace.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
|
@ -12,8 +12,8 @@ Commands:
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
|
||||
- Path: C:\Program Files\Microsoft Visual Studio\<version>\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Visual Studio\<version>\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml
|
||||
|
@ -40,7 +40,7 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
Full_Path:
|
||||
- Path: '%localappdata%\Microsoft\Teams\current\Squirrel.exe'
|
||||
- Path: 'C:\Users\<username>\AppData\Local\Microsoft\Teams\current\Squirrel.exe'
|
||||
Code_Sample:
|
||||
- Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel
|
||||
Detection:
|
||||
|
@ -26,7 +26,7 @@ Commands:
|
||||
MitreID: T1218.015
|
||||
OperatingSystem: Windows 10, Windows 11
|
||||
Full_Path:
|
||||
- Path: "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\Teams.exe"
|
||||
- Path: 'C:\Users\<username>\AppData\Local\Microsoft\Teams\current\Teams.exe'
|
||||
Code_Sample:
|
||||
- Code: https://github.com/lltltk/LOLBAS-research/tree/master/Teams
|
||||
Detection:
|
||||
|
@ -96,7 +96,7 @@ Commands:
|
||||
MitreID: T1070
|
||||
OperatingSystem: Windows 7 and up with Microsoft Teams installed
|
||||
Full_Path:
|
||||
- Path: '%localappdata%\Microsoft\Teams\update.exe'
|
||||
- Path: 'C:\Users\<username>\AppData\Local\Microsoft\Teams\update.exe'
|
||||
Code_Sample:
|
||||
- Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel
|
||||
Detection:
|
||||
|
@ -12,9 +12,9 @@ Commands:
|
||||
MitreID: T1218
|
||||
OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
|
||||
Full_Path:
|
||||
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe
|
||||
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe
|
||||
- Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe
|
||||
- Path: c:\Program Files (x86)\Windows Kits\10\bin\<version>\arm64\UIAVerify\VisualUiaVerifyNative.exe
|
||||
- Path: c:\Program Files (x86)\Windows Kits\10\bin\<version>\x64\UIAVerify\VisualUiaVerifyNative.exe
|
||||
- Path: c:\Program Files (x86)\Windows Kits\10\bin\<version>\UIAVerify\VisualUiaVerifyNative.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
|
@ -28,8 +28,8 @@ Commands:
|
||||
MitreID: T1127
|
||||
OperatingSystem: Windows
|
||||
Full_Path:
|
||||
- Path: C:\Program Files\Microsoft Visual Studio\{version}\Community\Common7\IDE\VSLaunchBrowser.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Visual Studio\{version}\Community\Common7\IDE\VSLaunchBrowser.exe
|
||||
- Path: C:\Program Files\Microsoft Visual Studio\<version>\Community\Common7\IDE\VSLaunchBrowser.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft Visual Studio\<version>\Community\Common7\IDE\VSLaunchBrowser.exe
|
||||
Detection:
|
||||
- IOC: cmd.exe as sub-process of VSLaunchBrowser
|
||||
- IOC: URL on a VSLaunchBrowser command line
|
||||
|
@ -12,8 +12,8 @@ Commands:
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows 10, Windows 11, MacOS
|
||||
Full_Path:
|
||||
- Path: C:\Users\<username>\AppData\Local\Temp\.net\devtunnel\
|
||||
- Path: C:\Users\<username>\AppData\Local\Temp\DevTunnels
|
||||
- Path: C:\Users\<username>\AppData\Local\Temp\.net\devtunnel\devtunnel.exe
|
||||
- Path: C:\Users\<username>\AppData\Local\Temp\DevTunnels\devtunnel.exe
|
||||
Detection:
|
||||
- IOC: devtunnel.exe binary spawned
|
||||
- IOC: '*.devtunnels.ms'
|
||||
|
@ -14,7 +14,7 @@ Commands:
|
||||
Tags:
|
||||
- Download: INetCache
|
||||
Full_Path:
|
||||
- Path: C:\Program Files (x86)\Microsoft SDKs\Windows\{version}\bin\NETFX {version} Tools\xsd.exe
|
||||
- Path: C:\Program Files (x86)\Microsoft SDKs\Windows\<version>\bin\NETFX <version> Tools\xsd.exe
|
||||
Detection:
|
||||
- IOC: URL on a xsd.exe command line
|
||||
- IOC: xsd.exe making unexpected network connections or DNS requests
|
||||
|