From c67eaec5cf86112783e18d7697327fb069a01527 Mon Sep 17 00:00:00 2001 From: fslds Date: Mon, 8 Aug 2022 20:18:04 +0000 Subject: [PATCH 1/7] Adding aliases key to YAML template --- YML-Template.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/YML-Template.yml b/YML-Template.yml index 8556fd6..b116f07 100644 --- a/YML-Template.yml +++ b/YML-Template.yml @@ -1,6 +1,8 @@ --- Name: Binary.exe Description: Something general about the binary +aliases: + - Binary64.exe Author: The name of the person that created this file Created: YYYY-MM-DD (date the person created this file) Commands: From fbff11e632b26f3eeef59505d974663f719de28b Mon Sep 17 00:00:00 2001 From: fslds Date: Mon, 8 Aug 2022 20:20:08 +0000 Subject: [PATCH 2/7] Added explanatory comments --- YML-Template.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/YML-Template.yml b/YML-Template.yml index b116f07..1527eb6 100644 --- a/YML-Template.yml +++ b/YML-Template.yml @@ -1,8 +1,8 @@ --- Name: Binary.exe Description: Something general about the binary -aliases: - - Binary64.exe +aliases: # Optional field if any common aliases exist of the binary with nearly the same functionality + - Binary64.exe # Think `netcat` and `nc` or `procdump.exe` and `procdump64.exe` Author: The name of the person that created this file Created: YYYY-MM-DD (date the person created this file) Commands: From 55111b05b2efe12c23e5134018cae7443f32d809 Mon Sep 17 00:00:00 2001 From: fslds Date: Mon, 8 Aug 2022 20:22:58 +0000 Subject: [PATCH 3/7] punctuation --- YML-Template.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/YML-Template.yml b/YML-Template.yml index 1527eb6..ce6b5ca 100644 --- a/YML-Template.yml +++ b/YML-Template.yml 
@@ -1,8 +1,8 @@ --- Name: Binary.exe Description: Something general about the binary -aliases: # Optional field if any common aliases exist of the binary with nearly the same functionality - - Binary64.exe # Think `netcat` and `nc` or `procdump.exe` and `procdump64.exe` +Aliases: # Optional field if any common aliases exist of the binary with nearly the same functionality, + - Binary64.exe # Think `netcat` and `nc` or `procdump.exe` and `procdump64.exe`. Author: The name of the person that created this file Created: YYYY-MM-DD (date the person created this file) Commands: From 3162825fdc5c59934addf9145e8295ab90a4b2cd Mon Sep 17 00:00:00 2001 From: fslds Date: Mon, 8 Aug 2022 20:27:04 +0000 Subject: [PATCH 4/7] Split procdump name pattern into two actual names. --- yml/OtherMSBinaries/Procdump.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/yml/OtherMSBinaries/Procdump.yml b/yml/OtherMSBinaries/Procdump.yml index 65cbb04..6cdafe7 100644 --- a/yml/OtherMSBinaries/Procdump.yml +++ b/yml/OtherMSBinaries/Procdump.yml @@ -1,8 +1,10 @@ --- -Name: Procdump(64).exe +Name: Procdump.exe Description: SysInternals Memory Dump Tool Author: 'Alfie Champion (@ajpc500)' Created: '2020-10-14' +Aliases: + - Procdump64.exe Commands: - Command: procdump.exe -md calc.dll explorer.exe Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created. From da469d0652418b6d73d2e45285b2609989e51709 Mon Sep 17 00:00:00 2001 From: fslds Date: Mon, 8 Aug 2022 20:40:26 +0000 Subject: [PATCH 5/7] Doc update --- YML-Template.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/YML-Template.yml b/YML-Template.yml index ce6b5ca..c1e991d 100644 --- a/YML-Template.yml +++ b/YML-Template.yml 
@@ -2,7 +2,7 @@ Name: Binary.exe Description: Something general about the binary Aliases: # Optional field if any common aliases exist of the binary with nearly the same functionality, - - Binary64.exe # Think `netcat` and `nc` or `procdump.exe` and `procdump64.exe`. + - Binary64.exe # but for example, is built for different architecture. Author: The name of the person that created this file Created: YYYY-MM-DD (date the person created this file) Commands: From d780de4ece2a6893bf3bab7619b9c972a0c0286f Mon Sep 17 00:00:00 2001 From: Filipe Spencer Date: Fri, 16 Sep 2022 11:29:26 +0000 Subject: [PATCH 6/7] Prep for new yamllint --- yml/OtherMSBinaries/Procdump.yml | 74 ++++++++++++++++---------------- 1 file changed, 37 insertions(+), 37 deletions(-) diff --git a/yml/OtherMSBinaries/Procdump.yml b/yml/OtherMSBinaries/Procdump.yml index b14aba4..5bad32a 100644 --- a/yml/OtherMSBinaries/Procdump.yml +++ b/yml/OtherMSBinaries/Procdump.yml 
@@ -1,37 +1,37 @@ ---- -Name: Procdump.exe -Description: SysInternals Memory Dump Tool -Aliases: - Alias: Procdump64.exe -Author: 'Alfie Champion (@ajpc500)' -Created: '2020-10-14' -Commands: - - Command: procdump.exe -md calc.dll explorer.exe - Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created. - Usecase: Performs execution of unsigned DLL. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. - - Command: procdump.exe -md calc.dll foobar - Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary. - Usecase: Performs execution of unsigned DLL. - Category: Execute - Privileges: User - MitreID: T1202 - OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. -Full_Path: - - Path: no default -Detection: - - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_susp_procdump.yml - - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_procdump.yml - - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_procdump.yml - - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml - - IOC: Process creation with given '-md' parameter - - IOC: Anomalous child processes of procdump - - IOC: Unsigned DLL load via procdump.exe or procdump64.exe -Resources: - - Link: https://twitter.com/ajpc500/status/1448588362382778372?s=20 -Acknowledgement: - - Person: Alfie Champion - Handle: '@ajpc500' \ No newline at end of file +--- +Name: Procdump.exe +Description: SysInternals Memory Dump Tool +Aliases: + - Alias: Procdump64.exe 
+Author: 'Alfie Champion (@ajpc500)' +Created: '2020-10-14' +Commands: + - Command: procdump.exe -md calc.dll explorer.exe + Description: Loads calc.dll where DLL is configured with a 'MiniDumpCallbackRoutine' exported function. Valid process must be provided as dump still created. + Usecase: Performs execution of unsigned DLL. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. + - Command: procdump.exe -md calc.dll foobar + Description: Loads calc.dll where configured with DLL_PROCESS_ATTACH execution, process argument can be arbitrary. + Usecase: Performs execution of unsigned DLL. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 8.1 and higher, Windows Server 2012 and higher. +Full_Path: + - Path: no default +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_susp_procdump.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/f36b1cbd2a3f1a7423f43a67a182549778700615/rules/windows/process_creation/win_procdump.yml + - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_procdump.yml + - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml + - IOC: Process creation with given '-md' parameter + - IOC: Anomalous child processes of procdump + - IOC: Unsigned DLL load via procdump.exe or procdump64.exe +Resources: + - Link: https://twitter.com/ajpc500/status/1448588362382778372?s=20 +Acknowledgement: + - Person: Alfie Champion + Handle: '@ajpc500' From 37291b90358cf43273b7f661f7281453e5737fbb Mon Sep 17 00:00:00 2001 
From: fslds Date: Fri, 16 Sep 2022 11:37:13 +0000 Subject: [PATCH 7/7] Correcting the YML template to match validation. --- YML-Template.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/YML-Template.yml b/YML-Template.yml index 988cefc..a9ff5b3 100644 --- a/YML-Template.yml +++ b/YML-Template.yml @@ -2,7 +2,7 @@ Name: Binary.exe Description: Something general about the binary Aliases: # Optional field if any common aliases exist of the binary with nearly the same functionality, - - Binary64.exe # but for example, is built for different architecture. + - Alias: Binary64.exe # but for example, is built for different architecture. Author: The name of the person that created this file Created: YYYY-MM-DD (date the person created this file) Commands:
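Review bot: The `Aliases` entry format in YML-Template.yml changes three times across this series (lowercase `aliases:` holding a bare string in PATCH 1, `Aliases:` in PATCH 3, `- Alias: Binary64.exe` in PATCH 7), and PATCH 4 adds `  - Procdump64.exe` to yml/OtherMSBinaries/Procdump.yml in the bare-string form that PATCH 7 then says does not match validation. Squash the template commits into one that lands the final `- Alias:` mapping form, and make the Procdump.yml change use that form from the start so no intermediate commit leaves the repository failing the validator.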
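Review bot: PATCH 6 does not apply on top of PATCH 4: its pre-image for yml/OtherMSBinaries/Procdump.yml is `index b14aba4..5bad32a` and already contains `- Alias: Procdump64.exe`, whereas PATCH 4 left that file at `6cdafe7` with `  - Procdump64.exe`. A commit that converted the Procdump entry to the `Alias:` mapping form is missing from the series; include it (or fold it into PATCH 4) so the series applies cleanly with `git am`.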
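Review bot: The PATCH 6 hunk for Procdump.yml deletes and re-adds all 37 lines with identical content, the only visible difference being the `\ No newline at end of file` marker on the old side, so this looks like a line-ending or trailing-newline normalisation rather than a content change. Say so in the commit message (`Prep for new yamllint` does not state what changed), and confirm there is no content diff with `git show --ignore-cr-at-eol` or `git diff -w` before merging.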
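Review bot: The explanatory comment in YML-Template.yml after PATCH 7 is split across two YAML comments that read as one sentence (`# Optional field if any common aliases exist of the binary with nearly the same functionality,` on the `Aliases:` line, continued by `# but for example, is built for different architecture.` on the `- Alias:` line); since PATCH 5 dropped the `netcat`/`nc` and `procdump.exe`/`procdump64.exe` examples, a contributor reading only the second line gets no guidance. Put one complete comment on the `Aliases:` line, e.g. `Aliases: # Optional: other file names the same binary ships under, e.g. a 64-bit build such as procdump64.exe`, and leave the `- Alias: Binary64.exe` entry uncommented.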