diff --git a/yml/OSBinaries/Msedge.yml b/yml/OSBinaries/Msedge.yml
index 4ec4118..64b3bab 100644
--- a/yml/OSBinaries/Msedge.yml
+++ b/yml/OSBinaries/Msedge.yml
@@ -21,6 +21,9 @@ Commands:
 Full_Path:
 - Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe
 - Path: c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
+Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_browsers_msedge_arbitrary_download.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
 Resources:
 - Link: https://twitter.com/mrd0x/status/1478116126005641220
 - Link: https://twitter.com/mrd0x/status/1478234484881436672
diff --git a/yml/OtherMSBinaries/Coregen.yml b/yml/OtherMSBinaries/Coregen.yml
index d92d2dc..b3d7c4f 100644
--- a/yml/OtherMSBinaries/Coregen.yml
+++ b/yml/OtherMSBinaries/Coregen.yml
@@ -31,6 +31,7 @@ Full_Path:
 Code_Sample:
 - Code:
 Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/image_load/image_load_side_load_coregen.yml
 - IOC: coregen.exe loading .dll file not in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\"
 - IOC: coregen.exe loading .dll file not named coreclr.dll
 - IOC: coregen.exe command line containing -L or -l
diff --git a/yml/OtherMSBinaries/DefaultPack.yml b/yml/OtherMSBinaries/DefaultPack.yml
index dc4eab5..f919cba 100644
--- a/yml/OtherMSBinaries/DefaultPack.yml
+++ b/yml/OtherMSBinaries/DefaultPack.yml
@@ -16,6 +16,7 @@ Full_Path:
 Code_Sample:
 - Code:
 Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml
 - IOC: DefaultPack.EXE spawned an unknown process
 Resources:
 - Link: https://twitter.com/checkymander/status/1311509470275604480.
diff --git a/yml/OtherMSBinaries/Devinit.yml b/yml/OtherMSBinaries/Devinit.yml
index 6fe7783..9bc0fe0 100644
--- a/yml/OtherMSBinaries/Devinit.yml
+++ b/yml/OtherMSBinaries/Devinit.yml
@@ -14,6 +14,8 @@ Commands:
 Full_Path:
 - Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
 - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
+Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml
 Resources:
 - Link: https://twitter.com/mrd0x/status/1460815932402679809
 Acknowledgement:
diff --git a/yml/OtherMSBinaries/DumpMinitool.yml b/yml/OtherMSBinaries/DumpMinitool.yml
index 127972a..8cd9a97 100644
--- a/yml/OtherMSBinaries/DumpMinitool.yml
+++ b/yml/OtherMSBinaries/DumpMinitool.yml
@@ -13,6 +13,10 @@ Commands:
 OperatingSystem: Windows 10, Windows 11
 Full_Path:
 - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions
+Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml
 Resources:
 - Link: https://twitter.com/mrd0x/status/1511415432888131586
 Acknowledgement:
diff --git a/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml b/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml
index 896d921..db73246 100644
--- a/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml
+++ b/yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml
@@ -14,6 +14,9 @@ Commands:
 Full_Path:
 - Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
 - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
+Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml
 Resources:
 - Link: https://twitter.com/mrd0x/status/1463526834918854661
 Acknowledgement:
diff --git a/yml/OtherMSBinaries/ProtocolHandler.yml b/yml/OtherMSBinaries/ProtocolHandler.yml
index ab2b2ab..4b64ad1 100644
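Review bot: The third Sigma entry added under DumpMinitool's Detection block references `proc_creation_win_devinit_lolbin_usage.yml`, the same devinit rule the preceding hunk adds to Devinit.yml, whereas the first two entries are the dumpminitool-specific rules; unless that rule also matches DumpMinitool.exe, this looks like a carry-over from the Devinit entry and should be removed so the entry does not advertise detection coverage it does not have. Every hunk in this change pins its links to the same Sigma commit (b02e3b6…), which keeps them stable against rule renames but means readers land on a snapshot rather than the current rule text; worth confirming that matches the convention already used by the repository's other Sigma references before merging. The PressAnyKey hunk ending on this line raises nothing further.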
--- a/yml/OtherMSBinaries/ProtocolHandler.yml
+++ b/yml/OtherMSBinaries/ProtocolHandler.yml
@@ -21,6 +21,7 @@ Full_Path:
 - Path: C:\Program Files (x86)\Microsoft Office\Office15\ProtocolHandler.exe
 - Path: C:\Program Files\Microsoft Office\Office15\ProtocolHandler.exe
 Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml
 - IOC: Suspicious Office application Internet/network traffic
 Acknowledgement:
 - Person: Nir Chako (Pentera)