Merge branch 'master' into windows_11_sprint

yml/OtherMSBinaries/AccCheckConsole.yml

@@ -0,0 +1,37 @@
+---
+Name: AccCheckConsole.exe
+Description: Verifies UI accessibility requirements
+Author: 'bohops'
+Created: 2022-01-02
+Commands:
+  - Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
+    Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
+    Usecase: Local execution of managed code from assembly DLL.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    OperatingSystem: Windows
+  - Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
+    Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
+    Usecase: Local execution of managed code to bypass AppLocker.
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1218
+    OperatingSystem: Windows
+Full_Path:
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm\AccChecker\AccCheckConsole.exe
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm64\AccChecker\AccCheckConsole.exe
+Code_Sample:
+  - Code: https://docs.microsoft.com/en-us/windows/win32/winauto/custom-verification-routines
+Detection:
+  - IOC: Sysmon Event ID 1 - Process Creation
+  - Analysis: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
+Resources:
+  - Link: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
+  - Link: https://twitter.com/bohops/status/1477717351017680899
+Acknowledgement:
+  - Person: Jimmy
+    Handle: '@bohops'
+---

yml/OtherMSBinaries/Coregen.yml

@@ -4,7 +4,7 @@ Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads
 Author: Martin Sohn Christensen
 Created: 2020-10-09
 Commands:
-  - Command: coregon.exe.exe /L C:\folder\evil.dll dummy_assembly_name
+  - Command: coregen.exe /L C:\folder\evil.dll dummy_assembly_name
     Description: Loads the target .DLL in arbitrary path specified with /L.
     Usecase: Execute DLL code
     Category: Execute

yml/OtherMSBinaries/Dump64.yml

@@ -0,0 +1,24 @@
+---
+Name: Dump64.exe
+Description: Memory dump tool that comes with Microsoft Visual Studio
+Author: mr.d0x
+Created: 2021-11-16
+Commands:
+  - Command: dump64.exe <pid> out.dmp
+    Description: Creates a memory dump of the LSASS process.
+    Usecase: Create memory dump and parse it offline to retrieve credentials.
+    Category: Dump
+    Privileges: Administrator
+    MitreID: T1003.001
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/138b06628380468fb8a41fc27770e1630cb64326/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml
+  - IOC: As a Windows SDK binary, execution on a system may be suspicious
+Resources:
+  - Link: https://twitter.com/mrd0x/status/1460597833917251595
+Acknowledgement:
+  - Person: mr.d0x
+    Handle: '@mrd0x'
+---

yml/OtherMSBinaries/Sqlps.yml

@@ -16,6 +16,7 @@ Full_Path:
   - Path: C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe
   - Path: C:\Program files (x86)\Microsoft SQL Server\120\Tools\Binn\sqlps.exe
   - Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
+  - Path: C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\SQLPS.exe
 Code_Sample:
   - Code:
 Detection:
@@ -24,9 +25,12 @@ Detection:
   - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/execution_suspicious_powershell_imgload.toml
   - Splunk: https://github.com/splunk/security_content/blob/aa9f7e0d13a61626c69367290ed1b7b71d1281fd/docs/_posts/2021-10-05-suspicious_copy_on_system32.md
 Resources:
+  - Link: https://twitter.com/ManuelBerrueta/status/1527289261350760455
   - Link: https://twitter.com/bryon_/status/975835709587075072
   - Link: https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017
 Acknowledgement:
   - Person: Bryon
     Handle: '@bryon_'
+  - Person: Manny
+    Handle: '@ManuelBerrueta'
 ---