From a7f7ec2cc236481ea64f2901b235505d37657fc8 Mon Sep 17 00:00:00 2001 From: akshat pradhan Date: Mon, 24 Jan 2022 03:54:59 +0530 Subject: [PATCH 01/22] Changing ATT&CK TID of wuauclt.exe entry (#193) --- yml/OSBinaries/Wuauclt.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yml/OSBinaries/Wuauclt.yml b/yml/OSBinaries/Wuauclt.yml index 3e5df11..c5608aa 100644 --- a/yml/OSBinaries/Wuauclt.yml +++ b/yml/OSBinaries/Wuauclt.yml @@ -4,12 +4,12 @@ Description: Windows Update Client Author: 'David Middlehurst' Created: 2020-09-23 Commands: - - Command: wuauclt.exe /UpdateDeploymentProvider /RunHandlerComServer + - Command: wuauclt.exe /UpdateDeploymentProvider Full_Path_To_DLL /RunHandlerComServer Description: Full_Path_To_DLL would be the abosolute path to .DLL file and would execute code on attach. Usecase: Execute dll via attach/detach methods Category: Execute Privileges: User - MitreID: T1218.011 + MitreID: T1218 OperatingSystem: Windows 10 Full_Path: - Path: C:\Windows\System32\wuauclt.exe From 12c85eb8f07fe53e4d1d68795b414f7c25514c2b Mon Sep 17 00:00:00 2001 From: Moshe Kaplan Date: Wed, 16 Feb 2022 15:41:14 -0500 Subject: [PATCH 02/22] Create wlrmdr.yml (#194) Co-authored-by: Wietze --- yml/OSBinaries/wlrmdr.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 yml/OSBinaries/wlrmdr.yml diff --git a/yml/OSBinaries/wlrmdr.yml b/yml/OSBinaries/wlrmdr.yml new file mode 100644 index 0000000..5a7a993 --- /dev/null +++ b/yml/OSBinaries/wlrmdr.yml 
@@ -0,0 +1,31 @@ +--- +Name: Wlrmdr.exe +Description: Windows Logon Reminder executable +Author: 'Moshe Kaplan' +Created: 2021-11-08 +Commands: + - Command: wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe + Description: Execute calc.exe with the parent process spawning from wlrmdr.exe + Usecase: Use wlrmdr as a proxy binary to evade defensive countermeasures + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10 +Full_Path: + - Path: c:\windows\system32\wlrmdr.exe +Code_Sample: + - Code: +Detection: + - IOC: wlrmdr.exe spawning any new processes +Resources: + - Link: https://twitter.com/0gtweet/status/1493963591745220608 + - Link: https://twitter.com/Oddvarmoe/status/927437787242090496 + - Link: https://twitter.com/falsneg/status/1461625526640992260 + - Link: https://docs.microsoft.com/en-us/windows/win32/api/shellapi/ns-shellapi-notifyicondataw +Acknowledgement: + - Person: Grzegorz Tworek + Handle: '@0gtweet' + - Person: Oddvar Moe + Handle: '@Oddvarmoe' + - Person: Freddy + Handle: '@falsneg' From 55a7ea9a81fa024b1dd8ca2eeff6da66f9e8a9d4 Mon Sep 17 00:00:00 2001 From: Wietze Date: Wed, 16 Feb 2022 21:02:24 +0000 Subject: [PATCH 03/22] Fixing wlrmdr entry --- yml/OSBinaries/{wlrmdr.yml => Wlrmdr.yml} | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) rename yml/OSBinaries/{wlrmdr.yml => Wlrmdr.yml} (78%) diff --git a/yml/OSBinaries/wlrmdr.yml b/yml/OSBinaries/Wlrmdr.yml similarity index 78% rename from yml/OSBinaries/wlrmdr.yml rename to yml/OSBinaries/Wlrmdr.yml index 5a7a993..bc1faa0 100644 --- a/yml/OSBinaries/wlrmdr.yml +++ b/yml/OSBinaries/Wlrmdr.yml 
@@ -1,16 +1,16 @@ --- Name: Wlrmdr.exe Description: Windows Logon Reminder executable -Author: 'Moshe Kaplan' -Created: 2021-11-08 +Author: Moshe Kaplan +Created: 2022-02-16 Commands: - - Command: wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe - Description: Execute calc.exe with the parent process spawning from wlrmdr.exe + - Command: "wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe" + Description: Execute calc.exe with wlrmdr.exe as parent process Usecase: Use wlrmdr as a proxy binary to evade defensive countermeasures Category: Execute Privileges: User MitreID: T1202 - OperatingSystem: Windows 10 + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\wlrmdr.exe Code_Sample: @@ -29,3 +29,4 @@ Acknowledgement: Handle: '@Oddvarmoe' - Person: Freddy Handle: '@falsneg' +--- From 4df2e43c825e6fa19b01d1f735b0af1b59005d13 Mon Sep 17 00:00:00 2001 From: Wietze Date: Tue, 5 Apr 2022 18:38:43 +0100 Subject: [PATCH 04/22] Adding Conhost.exe LOLBAS --- yml/OSBinaries/Conhost.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 yml/OSBinaries/Conhost.yml diff --git a/yml/OSBinaries/Conhost.yml b/yml/OSBinaries/Conhost.yml new file mode 100644 index 0000000..8fed6e3 --- /dev/null +++ b/yml/OSBinaries/Conhost.yml @@ -0,0 +1,23 @@ +--- +Name: Conhost.exe +Description: Console Window host +Author: Wietze Beukema +Created: 2022-04-05 +Commands: + - Command: "conhost.exe calc.exe" + Description: Execute calc.exe with conhost.exe as parent process + Usecase: Use conhost.exe as a proxy binary to evade defensive counter-measures + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: c:\windows\system32\conhost.exe +Detection: + - IOC: conhost.exe spawning unexpected processes +Resources: + - Link: https://twitter.com/Wietze/status/1511397781159751680 +Acknowledgement: + - Person: Wietze + Handle: '@wietze' +--- 
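Review bot: [PATCH 01/22], Wuauclt.yml hunk: the unchanged Description line directly under the edited Command still reads "abosolute path"; since the entry is being touched anyway, correct it to "absolute" in this commit rather than in a follow-up. The T1218.011 to T1218 change itself is right: T1218.011 is the Rundll32 sub-technique and wuauclt.exe is not rundll32, so the parent System Binary Proxy Execution technique is the accurate tag.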
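Review bot: [PATCH 02/22], new file wlrmdr.yml: the file name is lower-case while sibling entries such as Wuauclt.yml are capitalised, the Author value is quoted unlike Conhost.yml later in this series, the entry has no closing `---`, and Code_Sample carries an empty `- Code:` item that documents nothing. All but the last are corrected by [PATCH 03/22] ("Fixing wlrmdr entry"), so squash 02 and 03 so the series never contains the broken state; for Code_Sample either add a reference or drop the block. [PATCH 03/22] also moves Created from 2021-11-08 to 2022-02-16; the other new entries in the series (Conhost.yml, desk.yml, Rdrleakdiag.yml) use the date the entry was written, so confirm which date is intended.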
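Review bot: [PATCH 04/22], Conhost.yml: the Detection IOC "conhost.exe spawning unexpected processes" is the right observable, but since conhost.exe normally has no child processes at all, wording it like the Wlrmdr.yml IOC ("spawning any new processes") gives detection engineers a cleaner ParentImage condition with no judgement call about what counts as unexpected. The Resources list also omits the Hexacorn write-up that [PATCH 05/22] adds immediately afterwards; squash the credit fix into this commit.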
From 5c46dd63f5e4e74a0522748f887d4c4fa7f331b8 Mon Sep 17 00:00:00 2001 From: Wietze Date: Thu, 7 Apr 2022 15:50:39 +0100 Subject: [PATCH 05/22] Giving Hexacorn the proper credit --- yml/OSBinaries/Conhost.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/yml/OSBinaries/Conhost.yml b/yml/OSBinaries/Conhost.yml index 8fed6e3..7ce1d4e 100644 --- a/yml/OSBinaries/Conhost.yml +++ b/yml/OSBinaries/Conhost.yml @@ -16,8 +16,11 @@ Full_Path: Detection: - IOC: conhost.exe spawning unexpected processes Resources: + - Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ - Link: https://twitter.com/Wietze/status/1511397781159751680 Acknowledgement: + - Person: Adam + Handle: '@hexacorn' - Person: Wietze Handle: '@wietze' --- From e4261b1f021a439a16cbb548f799513d808d6bbf Mon Sep 17 00:00:00 2001 From: Wietze Date: Tue, 26 Apr 2022 16:59:14 +0100 Subject: [PATCH 06/22] Fixing typo --- yml/OtherMSBinaries/Coregen.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OtherMSBinaries/Coregen.yml b/yml/OtherMSBinaries/Coregen.yml index 641b1da..7026e44 100644 --- a/yml/OtherMSBinaries/Coregen.yml +++ b/yml/OtherMSBinaries/Coregen.yml @@ -4,7 +4,7 @@ Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads Author: Martin Sohn Christensen Created: 2020-10-09 Commands: - - Command: coregon.exe.exe /L C:\folder\evil.dll dummy_assembly_name + - Command: coregen.exe /L C:\folder\evil.dll dummy_assembly_name Description: Loads the target .DLL in arbitrary path specified with /L. Usecase: Execute DLL code Category: Execute From 6ed0fb932623468444bfccd7a51272a4dc3143ea Mon Sep 17 00:00:00 2001 From: LuxNoBu!!shit <51244609+LuxNoBulIshit@users.noreply.github.com> Date: Wed, 27 Apr 2022 13:15:15 +0300 Subject: [PATCH 07/22] Create Desk.cpl (#207) Co-authored-by: Wietze --- yml/OSLibraries/desk.yml | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 yml/OSLibraries/desk.yml 
diff --git a/yml/OSLibraries/desk.yml b/yml/OSLibraries/desk.yml new file mode 100644 index 0000000..3eb7f3a --- /dev/null +++ b/yml/OSLibraries/desk.yml @@ -0,0 +1,34 @@ +--- +Name: desk.cpl +Description: Desktop Settings Control Panel +Author: Hai Vaknin +Created: 2022-04-21 +Commands: + - Command: rundll32.exe desk.cpl,InstallScreenSaver C:\temp\file.scr + Description: Launch an executable with a .scr extension by calling the InstallScreenSaver function. + Usecase: Launch any executable payload, as long as it uses the .scr extension. + Category: Execute + Privileges: User + MitreID: T1218.011 + OperatingSystem: Windows 10, Windows 11 + - Command: rundll32.exe desk.cpl,InstallScreenSaver \\127.0.0.1\c$\temp\file.scr + Description: Launch a remote executable with a .scr extension, located on an SMB share, by calling the InstallScreenSaver function. + Usecase: Launch any executable payload, as long as it uses the .scr extension. + Category: Execute + Privileges: User + MitreID: T1218.011 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Windows\System32\desk.cpl + - Path: C:\Windows\SysWOW64\desk.cpl +Detection: + - IOC: +Resources: + - Link: https://twitter.com/pabraeken/status/998627081360695297 + - Link: https://twitter.com/VakninHai/status/1517027824984547329 +Acknowledgement: + - Person: Pierre-Alexandre Braeken + Handle: '@pabraeken' + - Person: hai + Handle: '@VakninHai' +--- From 4a8bdf4844c715e11e50a5abff9abcce2cadb3a8 Mon Sep 17 00:00:00 2001 From: Wietze Date: Wed, 27 Apr 2022 11:20:13 +0100 Subject: [PATCH 08/22] Fix casing on Desk.cpl entry --- yml/OSLibraries/{desk.yml => Desk.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename yml/OSLibraries/{desk.yml => Desk.yml} (98%) diff --git a/yml/OSLibraries/desk.yml b/yml/OSLibraries/Desk.yml similarity index 98% rename from yml/OSLibraries/desk.yml rename to yml/OSLibraries/Desk.yml index 3eb7f3a..246e0ae 100644 --- a/yml/OSLibraries/desk.yml +++ b/yml/OSLibraries/Desk.yml 
@@ -1,5 +1,5 @@ --- -Name: desk.cpl +Name: Desk.cpl Description: Desktop Settings Control Panel Author: Hai Vaknin Created: 2022-04-21 From 619aafbfa20f8d824d628d7113e1d3c38a1c8920 Mon Sep 17 00:00:00 2001 From: Wietze Date: Thu, 28 Apr 2022 13:01:35 +0100 Subject: [PATCH 09/22] Adding extra contributor to Desk.cpl entry --- yml/OSLibraries/Desk.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/yml/OSLibraries/Desk.yml b/yml/OSLibraries/Desk.yml index 246e0ae..110ac70 100644 --- a/yml/OSLibraries/Desk.yml +++ b/yml/OSLibraries/Desk.yml @@ -24,9 +24,12 @@ Full_Path: Detection: - IOC: Resources: + - Link: https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt - Link: https://twitter.com/pabraeken/status/998627081360695297 - Link: https://twitter.com/VakninHai/status/1517027824984547329 Acknowledgement: + - Person: Rafael S Marques + Handle: '@pegabizu' - Person: Pierre-Alexandre Braeken Handle: '@pabraeken' - Person: hai From 666e6e86458c9d0583268372e334278aaece28ad Mon Sep 17 00:00:00 2001 From: cr1sp4 <61173578+cr1sp4@users.noreply.github.com> Date: Fri, 29 Apr 2022 22:52:57 -0400 Subject: [PATCH 10/22] Update Desk.yml (#210) Added Sigma rules. --- yml/OSLibraries/Desk.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/yml/OSLibraries/Desk.yml b/yml/OSLibraries/Desk.yml index 110ac70..28a11c9 100644 --- a/yml/OSLibraries/Desk.yml +++ b/yml/OSLibraries/Desk.yml @@ -23,6 +23,8 @@ Full_Path: - Path: C:\Windows\SysWOW64\desk.cpl Detection: - IOC: + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_new_src_file.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml Resources: - Link: https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt - Link: https://twitter.com/pabraeken/status/998627081360695297 
@@ -34,4 +36,6 @@ Acknowledgement: Handle: '@pabraeken' - Person: hai Handle: '@VakninHai' + Person: Christopher Peacock + Handle: '@SecurePeacock' --- From d93539bf9b7ae09bb613eee8e9788e48b7fdb532 Mon Sep 17 00:00:00 2001 From: bohops Date: Fri, 29 Apr 2022 23:06:41 -0400 Subject: [PATCH 11/22] Quick fix for syntax and removed IOC --- yml/OSLibraries/Desk.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/yml/OSLibraries/Desk.yml b/yml/OSLibraries/Desk.yml index 28a11c9..7691a60 100644 --- a/yml/OSLibraries/Desk.yml +++ b/yml/OSLibraries/Desk.yml @@ -22,7 +22,6 @@ Full_Path: - Path: C:\Windows\System32\desk.cpl - Path: C:\Windows\SysWOW64\desk.cpl Detection: - - IOC: - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_new_src_file.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml Resources: @@ -36,6 +35,6 @@ Acknowledgement: Handle: '@pabraeken' - Person: hai Handle: '@VakninHai' - Person: Christopher Peacock + - Person: Christopher Peacock Handle: '@SecurePeacock' --- From 00bc9177bd210450f3643e9dfb26fbd3c0613847 Mon Sep 17 00:00:00 2001 From: jstnk9 Date: Sun, 15 May 2022 16:42:44 +0200 Subject: [PATCH 12/22] Added new sigma rule and references Added new sigma rule and references --- yml/OSLibraries/Desk.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/yml/OSLibraries/Desk.yml b/yml/OSLibraries/Desk.yml index 7691a60..532c0e7 100644 --- a/yml/OSLibraries/Desk.yml +++ b/yml/OSLibraries/Desk.yml 
@@ -24,10 +24,12 @@ Full_Path: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_new_src_file.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml Resources: - Link: https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt - Link: https://twitter.com/pabraeken/status/998627081360695297 - Link: https://twitter.com/VakninHai/status/1517027824984547329 + - Link: https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files Acknowledgement: - Person: Rafael S Marques Handle: '@pegabizu' @@ -37,4 +39,6 @@ Acknowledgement: Handle: '@VakninHai' - Person: Christopher Peacock Handle: '@SecurePeacock' + - Person: Jose Luis Sanchez + Handle: '@Joseliyo_Jstnk' --- From 79f4cbdb7f1ddee847d8850c25abeffb5e879c1d Mon Sep 17 00:00:00 2001 From: akshat pradhan Date: Mon, 16 May 2022 01:08:24 +0530 Subject: [PATCH 13/22] Changed tid to T1105 for downloads (#195) --- yml/OSBinaries/Findstr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Findstr.yml b/yml/OSBinaries/Findstr.yml index 5f47e2f..22fcbb0 100644 --- a/yml/OSBinaries/Findstr.yml +++ b/yml/OSBinaries/Findstr.yml @@ -30,7 +30,7 @@ Commands: Usecase: Download/Copy file from webdav server Category: Download Privileges: User - MitreID: T1185 + MitreID: T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - Path: C:\Windows\System32\findstr.exe From b333db4f91f4594e3e36f0d30ccabc8878ddab73 Mon Sep 17 00:00:00 2001 From: Wietze Date: Sun, 15 May 2022 21:06:33 +0100 Subject: [PATCH 14/22] Fixing typo (ieaframe -> ieframe) --- yml/OSLibraries/Ieframe.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/yml/OSLibraries/Ieframe.yml b/yml/OSLibraries/Ieframe.yml index 34f939d..7d8bc1b 100644 --- a/yml/OSLibraries/Ieframe.yml +++ b/yml/OSLibraries/Ieframe.yml @@ -1,5 +1,5 @@ --- -Name: Ieaframe.dll +Name: Ieframe.dll Description: Internet Browser DLL for translating HTML code. Author: Created: '2018-05-25' From 7c2f3231d3b4f535fdd08c8d2b722745d4fed88e Mon Sep 17 00:00:00 2001 From: mrd0x Date: Sun, 15 May 2022 16:21:45 -0400 Subject: [PATCH 15/22] Adding Dump64.exe (#182) Co-authored-by: mrd0x Co-authored-by: Wietze --- yml/OtherMSBinaries/Dump64.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 yml/OtherMSBinaries/Dump64.yml diff --git a/yml/OtherMSBinaries/Dump64.yml b/yml/OtherMSBinaries/Dump64.yml new file mode 100644 index 0000000..4adb7c9 --- /dev/null +++ b/yml/OtherMSBinaries/Dump64.yml @@ -0,0 +1,24 @@ +--- +Name: Dump64.exe +Description: Memory dump tool that comes with Microsoft Visual Studio +Author: mr.d0x +Created: 2021-11-16 +Commands: + - Command: dump64.exe out.dmp + Description: Creates a memory dump of the LSASS process. + Usecase: Create memory dump and parse it offline to retrieve credentials. + Category: Dump + Privileges: Administrator + MitreID: T1003.001 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/138b06628380468fb8a41fc27770e1630cb64326/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml + - IOC: As a Windows SDK binary, execution on a system may be suspicious +Resources: + - Link: https://twitter.com/mrd0x/status/1460597833917251595 +Acknowledgement: + - Person: mr.d0x + Handle: '@mrd0x' +--- From 3571a7ad88c37eb4f6853d78a6dc9d6f1183dc21 Mon Sep 17 00:00:00 2001 
From: bohops Date: Sun, 15 May 2022 16:55:16 -0400 Subject: [PATCH 16/22] Create AccCheckConsole.yml (#187) --- yml/OtherMSBinaries/AccCheckConsole.yml | 37 +++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 yml/OtherMSBinaries/AccCheckConsole.yml diff --git a/yml/OtherMSBinaries/AccCheckConsole.yml b/yml/OtherMSBinaries/AccCheckConsole.yml new file mode 100644 index 0000000..6c21705 --- /dev/null +++ b/yml/OtherMSBinaries/AccCheckConsole.yml 
@@ -0,0 +1,37 @@ +--- +Name: AccCheckConsole.exe +Description: Verifies UI accessibility requirements +Author: 'bohops' +Created: 2022-01-02 +Commands: + - Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll + Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name. + Usecase: Local execution of managed code from assembly DLL. + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows + - Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll + Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name. + Usecase: Local execution of managed code to bypass AppLocker. + Category: AWL Bypass + Privileges: User + MitreID: T1218 + OperatingSystem: Windows +Full_Path: + - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe + - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe + - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm\AccChecker\AccCheckConsole.exe + - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm64\AccChecker\AccCheckConsole.exe +Code_Sample: + - Code: https://docs.microsoft.com/en-us/windows/win32/winauto/custom-verification-routines +Detection: + - IOC: Sysmon Event ID 1 - Process Creation + - Analysis: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340 +Resources: + - Link: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340 + - Link: https://twitter.com/bohops/status/1477717351017680899 +Acknowledgement: + - Person: Jimmy + Handle: '@bohops' +--- From d1738b946bd3c1d339847ed0b2d9b57314b46741 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 17 May 2022 10:18:45 +0200 Subject: [PATCH 17/22] Adding various Sigma references (#213) Co-authored-by: Wietze --- yml/OSBinaries/Gpscript.yml | 1 + yml/OSBinaries/IMEWDBLD.yml | 1 + yml/OSBinaries/Jsc.yml | 1 + yml/OSBinaries/OfflineScannerShell.yml | 1 + yml/OSBinaries/Pktmon.yml | 1 + yml/OSBinaries/PrintBrm.yml | 1 + yml/OSBinaries/Register-cimprovider.yml | 1 + yml/OSBinaries/Ttdinject.yml | 2 ++ yml/OSBinaries/Wlrmdr.yml | 1 + 9 files changed, 10 insertions(+) diff --git a/yml/OSBinaries/Gpscript.yml b/yml/OSBinaries/Gpscript.yml index 53d547f..22ecd6a 100644 --- a/yml/OSBinaries/Gpscript.yml +++ b/yml/OSBinaries/Gpscript.yml @@ -24,6 +24,7 @@ Full_Path: Code_Sample: - Code: Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml - IOC: Scripts added in local group policy - IOC: Execution of Gpscript.exe after logon Resources: diff --git a/yml/OSBinaries/IMEWDBLD.yml b/yml/OSBinaries/IMEWDBLD.yml index 2401ae7..1dba16d 100644 --- a/yml/OSBinaries/IMEWDBLD.yml +++ b/yml/OSBinaries/IMEWDBLD.yml @@ -15,6 +15,7 @@ Full_Path: - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe Detection: Resources: + - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/network_connection/net_connection_win_imewdbld.yml - Link: https://twitter.com/notwhickey/status/1367493406835040265 Acknowledgement: - Person: Wade Hickey diff --git a/yml/OSBinaries/Jsc.yml b/yml/OSBinaries/Jsc.yml index 57e8c83..9e2af4a 100644 --- a/yml/OSBinaries/Jsc.yml +++ b/yml/OSBinaries/Jsc.yml 
@@ -26,6 +26,7 @@ Full_Path: Code_Sample: - Code: Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml - IOC: Jsc.exe should normally not run a system unless it is used for development. Resources: - Link: https://twitter.com/DissectMalware/status/998797808907046913 diff --git a/yml/OSBinaries/OfflineScannerShell.yml b/yml/OSBinaries/OfflineScannerShell.yml index e12ad2c..cb5f184 100644 --- a/yml/OSBinaries/OfflineScannerShell.yml +++ b/yml/OSBinaries/OfflineScannerShell.yml @@ -12,6 +12,7 @@ Commands: MitreID: T1218 OperatingSystem: Windows 10 Full_Path: + - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml - Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe Detection: - IOC: OfflineScannerShell.exe should not be run on a normal workstation diff --git a/yml/OSBinaries/Pktmon.yml b/yml/OSBinaries/Pktmon.yml index 77fd42b..3a0e4af 100644 --- a/yml/OSBinaries/Pktmon.yml +++ b/yml/OSBinaries/Pktmon.yml @@ -24,6 +24,7 @@ Full_Path: Code_Sample: - Code: Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml - IOC: .etl files found on system Resources: - Link: https://binar-x79.com/windows-10-secret-sniffer/ diff --git a/yml/OSBinaries/PrintBrm.yml b/yml/OSBinaries/PrintBrm.yml index ab90165..8dec4db 100644 --- a/yml/OSBinaries/PrintBrm.yml +++ b/yml/OSBinaries/PrintBrm.yml 
@@ -21,6 +21,7 @@ Commands: Full_Path: - Path: C:\Windows\System32\spool\tools\PrintBrm.exe Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml - IOC: PrintBrm.exe should not be run on a normal workstation Resources: - Link: https://twitter.com/elliotkillick/status/1404117015447670800 diff --git a/yml/OSBinaries/Register-cimprovider.yml b/yml/OSBinaries/Register-cimprovider.yml index d7543ab..f3a98f2 100644 --- a/yml/OSBinaries/Register-cimprovider.yml +++ b/yml/OSBinaries/Register-cimprovider.yml @@ -17,6 +17,7 @@ Full_Path: Code_Sample: - Code: Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml - IOC: Register-cimprovider.exe execution and cmdline DLL load may be supsicious Resources: - Link: https://twitter.com/PhilipTsukerman/status/992021361106268161 diff --git a/yml/OSBinaries/Ttdinject.yml b/yml/OSBinaries/Ttdinject.yml index a1b6052..84f92ca 100644 --- a/yml/OSBinaries/Ttdinject.yml +++ b/yml/OSBinaries/Ttdinject.yml @@ -24,6 +24,8 @@ Full_Path: Code_Sample: - Code: Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/7ea6ed3db65e0bd812b051d9bb4fffd27c4c4d0a/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml + - Sigma: https://github.com/SigmaHQ/sigma/blob/7ea6ed3db65e0bd812b051d9bb4fffd27c4c4d0a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml - IOC: Parent child relationship. Ttdinject.exe parent for executed command - IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process Resources: diff --git a/yml/OSBinaries/Wlrmdr.yml b/yml/OSBinaries/Wlrmdr.yml index bc1faa0..303a5fc 100644 --- a/yml/OSBinaries/Wlrmdr.yml 
+++ b/yml/OSBinaries/Wlrmdr.yml @@ -16,6 +16,7 @@ Full_Path: Code_Sample: - Code: Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml - IOC: wlrmdr.exe spawning any new processes Resources: - Link: https://twitter.com/0gtweet/status/1493963591745220608 From d935f096fd5c25913086c64ed2a3431aeb2eee07 Mon Sep 17 00:00:00 2001 From: John Dwyer Date: Wed, 18 May 2022 18:58:04 +0000 Subject: [PATCH 18/22] Added rdrleakdiag dump Added yaml for rdrleakdiag process dumping capability --- yml/OSBinaries/Rdrleakdiag.yml | 43 ++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 yml/OSBinaries/Rdrleakdiag.yml diff --git a/yml/OSBinaries/Rdrleakdiag.yml b/yml/OSBinaries/Rdrleakdiag.yml new file mode 100644 index 0000000..c1f207a --- /dev/null +++ b/yml/OSBinaries/Rdrleakdiag.yml 
@@ -0,0 +1,43 @@ +--- +Name: rdrleakdiag.exe +Description: Microsoft Windows resource leak diagnostic tool +Author: 'John Dwyer' +Created: 2022-05-18 +Commands: + - Command: rdrleakdiag.exe /p 940 /o c:\evil /fullmemdmp /wait 1 + Description: Dump process by PID and create a dump file (Creates files called minidump_.dmp and results_.hlk). + Usecase: Dump process by PID. + Category: Dump + Privileges: User + MitreID: T1003 + OperatingSystem: Windows + - Command: rdrleakdiag.exe /p 832 /o c:\evil /fullmemdmp /wait 1 + Description: Dump LSASS process by PID and create a dump file (Creates files called minidump_.dmp and results_.hlk). + Usecase: Dump LSASS process. + Category: Dump + Privileges: Administrator + MitreID: T1003.001 + OperatingSystem: Windows + - Command: rdrleakdiag.exe /p 832 /o c:\evil /fullmemdmp /snap + Description: After dumping a process using /wait 1, subsequent dumps must use /snap (Creates files called minidump_.dmp and results_.hlk). + Usecase: Dump LSASS process mutliple times. + Category: Dump + Privileges: Administrator + MitreID: T1003.001 + OperatingSystem: Windows +Full_Path: + - Path: c:\windows\system32\rdrleakdiag.exe + - Path: c:\Windows\SysWOW64\rdrleakdiag.exe +Code_Sample: + - Code: +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml + - Elastic: https://www.elastic.co/guide/en/security/current/potential-credential-access-via-windows-utilities.html + - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml +Resources: + - Link: https://twitter.com/0gtweet/status/1299071304805560321?s=21 + - Link: https://www.pureid.io/dumping-abusing-windows-credentials-part-1/ +Acknowledgement: + - Person: Grzegorz Tworek + Handle: '@0gtweet' +--- \ No newline at end of file From e2493d8ccf0428ae30382631957de34b58292060 Mon Sep 17 00:00:00 2001 
From: John Dwyer Date: Wed, 18 May 2022 19:00:26 +0000 Subject: [PATCH 19/22] Detection Resources and Other Updates (LOLBAS-Project#84) https://github.com/LOLBAS-Project/LOLBAS/issues/84 --- yml/OSBinaries/Rdrleakdiag.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/yml/OSBinaries/Rdrleakdiag.yml b/yml/OSBinaries/Rdrleakdiag.yml index c1f207a..cab0da4 100644 --- a/yml/OSBinaries/Rdrleakdiag.yml +++ b/yml/OSBinaries/Rdrleakdiag.yml @@ -37,6 +37,7 @@ Detection: Resources: - Link: https://twitter.com/0gtweet/status/1299071304805560321?s=21 - Link: https://www.pureid.io/dumping-abusing-windows-credentials-part-1/ + - Link: https://github.com/LOLBAS-Project/LOLBAS/issues/84 Acknowledgement: - Person: Grzegorz Tworek Handle: '@0gtweet' From 90b6082f1d10c2bf89aad581e070473993af5ddd Mon Sep 17 00:00:00 2001 From: John Dwyer Date: Thu, 19 May 2022 13:30:11 +0000 Subject: [PATCH 20/22] Update Rdrleakdiag.yml --- yml/OSBinaries/Rdrleakdiag.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Rdrleakdiag.yml b/yml/OSBinaries/Rdrleakdiag.yml index cab0da4..dedb202 100644 --- a/yml/OSBinaries/Rdrleakdiag.yml +++ b/yml/OSBinaries/Rdrleakdiag.yml @@ -1,6 +1,6 @@ --- Name: rdrleakdiag.exe -Description: Microsoft Windows resource leak diagnostic tool +Description: Microsoft Windows resource leak diagnostic tool Author: 'John Dwyer' Created: 2022-05-18 Commands: From 68b772a567413f1abbed3b97b97be1e880b1e96a Mon Sep 17 00:00:00 2001 From: ManuelBerrueta Date: Thu, 19 May 2022 07:12:37 -0700 Subject: [PATCH 21/22] Updated yml/OtherMSBinaries/Sqlps.yml, used recently in a campaign shared my Microsoft Security Intelligence. Would be useful reference for Red Teamers/Offensive Security Engineers as well as Blue Teamers/Defenders who reference this open source project/library. --- yml/OtherMSBinaries/Sqlps.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/yml/OtherMSBinaries/Sqlps.yml b/yml/OtherMSBinaries/Sqlps.yml index 89d4fbe..235cbf4 100644 
--- a/yml/OtherMSBinaries/Sqlps.yml +++ b/yml/OtherMSBinaries/Sqlps.yml @@ -16,6 +16,7 @@ Full_Path: - Path: C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe - Path: C:\Program files (x86)\Microsoft SQL Server\120\Tools\Binn\sqlps.exe - Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe + - Path: C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\SQLPS.exe Code_Sample: - Code: Detection: @@ -24,9 +25,12 @@ Detection: - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/execution_suspicious_powershell_imgload.toml - Splunk: https://github.com/splunk/security_content/blob/aa9f7e0d13a61626c69367290ed1b7b71d1281fd/docs/_posts/2021-10-05-suspicious_copy_on_system32.md Resources: + - Link: https://twitter.com/ManuelBerrueta/status/1527289261350760455 - Link: https://twitter.com/bryon_/status/975835709587075072 - Link: https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017 Acknowledgement: - Person: Bryon Handle: '@bryon_' + - Person: Manny + Handle: '@ManuelBerrueta' --- From f85eeb748aad1c6fe1497e76f07662eda6a61cef Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 23 May 2022 13:35:58 +0200 Subject: [PATCH 22/22] Add Sigma references to conhost, imewdbld, ie4uinit, ilasm, offlinescannershell and replace (#219) --- yml/OSBinaries/Conhost.yml | 1 + yml/OSBinaries/IMEWDBLD.yml | 2 +- yml/OSBinaries/Ie4uinit.yml | 1 + yml/OSBinaries/Ilasm.yml | 1 + yml/OSBinaries/OfflineScannerShell.yml | 2 +- yml/OSBinaries/Replace.yml | 1 + 6 files changed, 6 insertions(+), 2 deletions(-) diff --git a/yml/OSBinaries/Conhost.yml b/yml/OSBinaries/Conhost.yml index 7ce1d4e..0ed5c87 100644 --- a/yml/OSBinaries/Conhost.yml +++ b/yml/OSBinaries/Conhost.yml 
@@ -15,6 +15,7 @@ Full_Path: - Path: c:\windows\system32\conhost.exe Detection: - IOC: conhost.exe spawning unexpected processes + - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_susp_conhost.yml Resources: - Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ - Link: https://twitter.com/Wietze/status/1511397781159751680 diff --git a/yml/OSBinaries/IMEWDBLD.yml b/yml/OSBinaries/IMEWDBLD.yml index 1dba16d..2199ed5 100644 --- a/yml/OSBinaries/IMEWDBLD.yml +++ b/yml/OSBinaries/IMEWDBLD.yml @@ -14,8 +14,8 @@ Commands: Full_Path: - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/network_connection/net_connection_win_imewdbld.yml Resources: - - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/network_connection/net_connection_win_imewdbld.yml - Link: https://twitter.com/notwhickey/status/1367493406835040265 Acknowledgement: - Person: Wade Hickey diff --git a/yml/OSBinaries/Ie4uinit.yml b/yml/OSBinaries/Ie4uinit.yml index cec66ea..f5a9e3d 100644 --- a/yml/OSBinaries/Ie4uinit.yml +++ b/yml/OSBinaries/Ie4uinit.yml @@ -21,6 +21,7 @@ Code_Sample: Detection: - IOC: ie4uinit.exe copied outside of %windir% - IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir% + - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml Resources: - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ Acknowledgement: diff --git a/yml/OSBinaries/Ilasm.yml b/yml/OSBinaries/Ilasm.yml index 23bce1d..98bf87c 100644 --- a/yml/OSBinaries/Ilasm.yml +++ b/yml/OSBinaries/Ilasm.yml 
@@ -24,6 +24,7 @@ Code_Sample: - Code: Detection: - IOC: Ilasm may not be used often in production environments (such as on endpoints) + - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml Resources: - Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt Acknowledgement: diff --git a/yml/OSBinaries/OfflineScannerShell.yml b/yml/OSBinaries/OfflineScannerShell.yml index cb5f184..fd85398 100644 --- a/yml/OSBinaries/OfflineScannerShell.yml +++ b/yml/OSBinaries/OfflineScannerShell.yml @@ -12,9 +12,9 @@ Commands: MitreID: T1218 OperatingSystem: Windows 10 Full_Path: - - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml - Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml - IOC: OfflineScannerShell.exe should not be run on a normal workstation Acknowledgement: - Person: Elliot Killick diff --git a/yml/OSBinaries/Replace.yml b/yml/OSBinaries/Replace.yml index 41e3b1e..23a6d3f 100644 --- a/yml/OSBinaries/Replace.yml +++ b/yml/OSBinaries/Replace.yml @@ -25,6 +25,7 @@ Code_Sample: - Code: Detection: - IOC: Replace.exe retrieving files from remote server + - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml Resources: - Link: https://twitter.com/elceef/status/986334113941655553 - Link: https://twitter.com/elceef/status/986842299861782529
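Review bot: [PATCH 07/22], new file desk.yml: Detection contains an empty `- IOC:` item, which is a placeholder rather than an indicator; state the observable (rundll32.exe with `desk.cpl,InstallScreenSaver` on the command line, which is what the Sigma rules added in [PATCH 10/22] cover) or leave the key out until there is one. Also the Acknowledgement name "hai" is lower-case while Author reads "Hai Vaknin", and the file name is lower-case and only renamed to Desk.yml in [PATCH 08/22]; fold the rename into this commit.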
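Review bot: [PATCH 10/22], second hunk of Desk.yml (Acknowledgement): the new lines `+ Person: Christopher Peacock` / `+ Handle: '@SecurePeacock'` are missing the leading `- `, so instead of a new list item they become duplicate Person/Handle keys in the preceding mapping for '@VakninHai'; depending on the YAML loader that either fails to parse or silently overwrites Hai's credit. [PATCH 11/22] repairs this, so squash the fix into this commit. In the first hunk, both Sigma links point at `master`, whereas Dump64.yml ([PATCH 15/22]) and every link in [PATCH 17/22] pin a commit hash; pin these too, and likewise the `master` links added in [PATCH 12/22] and [PATCH 18/22], so the references survive rule renames.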
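Review bot: [PATCH 15/22], Dump64.yml: the Detection IOC calls dump64.exe "a Windows SDK binary", but Description and Full_Path place it under Microsoft Visual Studio\Installer\Feedback; make the two agree so analysts hunting by origin are not misled. The Command `dump64.exe out.dmp` shows no argument selecting a target process, yet the Description says it dumps LSASS; the Description should state how the target is determined (default behaviour, or an argument omitted from the example). The Sigma link here is pinned to a commit, which is the pattern the rest of the series should follow.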
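Review bot: [PATCH 16/22], AccCheckConsole.yml: the Detection entry `IOC: Sysmon Event ID 1 - Process Creation` names an event source, not an indicator; every process generates Event ID 1. Say what to look for in that event, e.g. AccCheckConsole.exe started with a `-window` argument and a DLL path outside the Windows Kits directory, or an image load of a non-SDK DLL by AccCheckConsole.exe, which is the behaviour the Description documents. The four Full_Path values are pinned to SDK build 10.0.22000.0 and will miss other SDK versions; either generalise the path or note that the version directory varies. OperatingSystem is just "Windows", while the rest of the series uses "Windows 10, Windows 11". The Analysis link under Detection duplicates the first Resources link.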
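Review bot: [PATCH 17/22]: two of the nine Sigma lines land under the wrong key. In IMEWDBLD.yml the line is inserted under Resources while Detection is left empty, and in OfflineScannerShell.yml it is inserted under Full_Path, which then lists a Sigma item alongside a Path item. Both belong under Detection, as in the other seven files; [PATCH 22/22] corrects both, so squash. Also verify the Ttdinject link `create_remote_thread_win_ttdinjec.yml` (no trailing "t" in "ttdinjec"): if that is the real rule file name it is fine, but it reads like a typo. The two Ttdinject links use commit 7ea6ed3d while the others use 35a7244c; one pinned commit per PR is easier to maintain.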
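Review bot: [PATCH 18/22], new file Rdrleakdiag.yml: the file ends with `\ No newline at end of file`; add the trailing newline. "mutliple" in the third Usecase is a typo. The Description file names `minidump_.dmp` and `results_.hlk` look as if a placeholder between the underscore and the extension was lost; confirm the intended names. The PIDs 940 and 832 in the Commands are machine-specific examples, so a placeholder such as `<PID>` would make clear the value is illustrative. The Sigma link points at `master` and only one of the two Elastic links is pinned; pin both. Author is quoted ('John Dwyer') while most entries in the series leave it unquoted.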
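Review bot: [PATCH 19/22]: linking the tracking issue LOLBAS-Project/LOLBAS#84 under Resources mixes project bookkeeping with technique references; Resources elsewhere in the series holds write-ups and vendor documentation. Keep the issue reference in the commit message, where it already is, and leave Resources to technique sources.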
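Review bot: [PATCH 20/22]: the removed and added Description lines are textually identical in the diff, so this is presumably a trailing-whitespace change; the commit message "Update Rdrleakdiag.yml" should say so, and the change can be squashed into [PATCH 18/22].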
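Review bot: [PATCH 21/22], Sqlps.yml first hunk: the new path `C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\SQLPS.exe` uses different casing ("Program Files", "SQLPS.exe") from the three existing lines ("Program files", "sqlps.exe"); harmless on a case-insensitive file system but a trap for anyone matching these paths case-sensitively in a detection rule, so align the casing. The commit subject is a full paragraph of rationale; keep the subject line short and put the rationale in the body.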
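Review bot: [PATCH 22/22]: this correctly moves the IMEWDBLD and OfflineScannerShell Sigma lines from Resources and Full_Path into Detection, where [PATCH 17/22] should have put them; squash the two. One consistency nit: here the Sigma item is appended after the IOC lines (Conhost, Ie4uinit, Ilasm, Replace), whereas [PATCH 17/22] places Sigma before IOC; pick one order for the repository. The OfflineScannerShell.yml context also shows no Resources section between Detection and Acknowledgement, worth adding while the file is open.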