public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-11-04 02:29:34 +01:00
Code Issues Projects Releases Wiki Activity

Add Sigma ref

Browse Source 
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
This commit is contained in:
frack113
2023-06-10 08:12:12 +02:00
parent 1f7e8a3e57
commit 55b7556b64
7 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
yml/OSBinaries/Msedge.yml
View File

@@ -21,6 +21,9 @@ Commands:
Full_Path:
- Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe
- Path: c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_browsers_msedge_arbitrary_download.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
Resources:
- Link: https://twitter.com/mrd0x/status/1478116126005641220
- Link: https://twitter.com/mrd0x/status/1478234484881436672

1
yml/OtherMSBinaries/Coregen.yml
View File

@@ -31,6 +31,7 @@ Full_Path:
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/image_load/image_load_side_load_coregen.yml
- IOC: coregen.exe loading .dll file not in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\"
- IOC: coregen.exe loading .dll file not named coreclr.dll
- IOC: coregen.exe command line containing -L or -l

1
yml/OtherMSBinaries/DefaultPack.yml
View File

@@ -16,6 +16,7 @@ Full_Path:
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml
- IOC: DefaultPack.EXE spawned an unknown process
Resources:
- Link: https://twitter.com/checkymander/status/1311509470275604480.

2
yml/OtherMSBinaries/Devinit.yml
View File

@@ -14,6 +14,8 @@ Commands:
Full_Path:
- Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml
Resources:
- Link: https://twitter.com/mrd0x/status/1460815932402679809
Acknowledgement:

4
yml/OtherMSBinaries/DumpMinitool.yml
View File

@@ -13,6 +13,10 @@ Commands:
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml
Resources:
- Link: https://twitter.com/mrd0x/status/1511415432888131586
Acknowledgement:

3
yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml
View File

@@ -14,6 +14,9 @@ Commands:
Full_Path:
- Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
- Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml
Resources:
- Link: https://twitter.com/mrd0x/status/1463526834918854661
Acknowledgement:

1
yml/OtherMSBinaries/ProtocolHandler.yml
View File

@@ -21,6 +21,7 @@ Full_Path:
- Path: C:\Program Files (x86)\Microsoft Office\Office15\ProtocolHandler.exe
- Path: C:\Program Files\Microsoft Office\Office15\ProtocolHandler.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml
- IOC: Suspicious Office application Internet/network traffic
Acknowledgement:
- Person: Nir Chako (Pentera)