From 400158f2df81279cf245e8ad27f6cadbad5fb347 Mon Sep 17 00:00:00 2001 From: Wietze Date: Fri, 2 Sep 2022 17:16:58 +0100 Subject: [PATCH] Add sigma references to CL_LoadAssembly, CLMutexVerifiers entries (#221) --- yml/OSScripts/CL_LoadAssembly.yml | 28 ++++++++++++++++++++++++++++ yml/OSScripts/CL_mutexverifiers.yml | 1 + 2 files changed, 29 insertions(+) diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml index c9ca1ab..5954984 100644 --- a/yml/OSScripts/CL_LoadAssembly.yml +++ b/yml/OSScripts/CL_LoadAssembly.yml @@ -1,3 +1,4 @@ +<<<<<<< HEAD --- Name: CL_LoadAssembly.ps1 Description: PowerShell Diagnostic Script @@ -22,3 +23,30 @@ Acknowledgement: - Person: Jimmy Handle: '@bohops' --- +======= +--- +Name: CL_LoadAssembly.ps1 +Description: PowerShell Diagnostic Script +Author: Jimmy (@bohops) +Created: 2021-09-26 +Commands: + - Command: 'powershell.exe -ep bypass -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()"' + Description: Proxy execute Managed DLL with PowerShell + Usecase: Execute proxied payload with Microsoft signed binary + Category: Execute + Privileges: User + MitreID: T1216 + OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11 +Full_Path: + - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1 +Code_Sample: + - Code: +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/ff6c54ded6b52f379cec11fe17c1ccb956faa660/rules/windows/process_creation/proc_creation_win_lolbas_cl_loadassembly.yml +Resources: + - Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/ +Acknowledgement: + - Person: Jimmy + Handle: '@bohops' +--- +>>>>>>> 9135005 (Add sigma references to CL_LoadAssembly, CLMutexVerifiers entries (#221)) 
diff --git a/yml/OSScripts/CL_mutexverifiers.yml b/yml/OSScripts/CL_mutexverifiers.yml index 3f8748e..5877b72 100644 --- a/yml/OSScripts/CL_mutexverifiers.yml +++ b/yml/OSScripts/CL_mutexverifiers.yml @@ -20,6 +20,7 @@ Full_Path: Code_Sample: - Code: Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/ff6c54ded6b52f379cec11fe17c1ccb956faa660/rules/windows/process_creation/proc_creation_win_lolbas_cl_mutexverifiers.yml Resources: - Link: https://twitter.com/pabraeken/status/995111125447577600 Acknowledgement:
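Review bot: The first hunk of `yml/OSScripts/CL_LoadAssembly.yml` (`@@ -1,3 +1,4 @@`) adds the line `+<<<<<<< HEAD` as the new first line of the file, which is an unresolved git merge-conflict marker, not content. Any YAML loader (and the site generator that builds the LOLBAS entries from these files) will fail on it or mis-parse the document. Please drop this line; the hunk should contain no additions at all, since the intended change to this file is only the Sigma reference further down.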
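Review bot: The second hunk of `yml/OSScripts/CL_LoadAssembly.yml` (`@@ -22,3 +23,30 @@`) commits the other half of the same unresolved conflict: it appends `+=======`, then a complete second copy of the entry (from `+---` / `+Name: CL_LoadAssembly.ps1` through `+Acknowledgement:` and the closing `+---`), and finally `+>>>>>>> 9135005 (Add sigma references to CL_LoadAssembly, CLMutexVerifiers entries (#221))`. As written the file would contain the original entry, the conflict markers, and a duplicate entry that differs only by the new `  - Sigma: https://github.com/SigmaHQ/sigma/blob/ff6c54ded6b52f379cec11fe17c1ccb956faa660/rules/windows/process_creation/proc_creation_win_lolbas_cl_loadassembly.yml` line under `Detection:`. Please resolve the conflict and reduce this hunk to that single added line in the existing `Detection:` block, as was done for `CL_mutexverifiers.yml`; the summary line `28 ++++++++++++++++++++++++++++` in the diffstat is itself a sign that far more changed here than the commit message describes.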
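Review bot: The hunk for `yml/OSScripts/CL_mutexverifiers.yml` (`@@ -20,6 +20,7 @@`) is the correct minimal form of this change: one added `  - Sigma: ...` item under the previously empty `Detection:` key, and the link is pinned to a specific SigmaHQ commit (`ff6c54d`) rather than a branch, so the reference will not silently change if the upstream rule is renamed or moved. This is the shape the `CL_LoadAssembly.yml` hunks should take as well.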