Merge branch 'master' into windows_11_sprint

yml/OSBinaries/Conhost.yml

@@ -0,0 +1,27 @@
+---
+Name: Conhost.exe
+Description: Console Window host
+Author: Wietze Beukema
+Created: 2022-04-05
+Commands:
+  - Command: "conhost.exe calc.exe"
+    Description: Execute calc.exe with conhost.exe as parent process
+    Usecase: Use conhost.exe as a proxy binary to evade defensive counter-measures
+    Category: Execute
+    Privileges: User
+    MitreID: T1202
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: c:\windows\system32\conhost.exe
+Detection:
+  - IOC: conhost.exe spawning unexpected processes
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
+Resources:
+  - Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
+  - Link: https://twitter.com/Wietze/status/1511397781159751680
+Acknowledgement:
+  - Person: Adam
+    Handle: '@hexacorn'
+  - Person: Wietze
+    Handle: '@wietze'
+---

yml/OSBinaries/Gpscript.yml

@@ -24,6 +24,7 @@ Full_Path:
 Code_Sample:
   - Code:
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
   - IOC: Scripts added in local group policy
   - IOC: Execution of Gpscript.exe after logon
 Resources:

yml/OSBinaries/IMEWDBLD.yml

@@ -14,6 +14,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/network_connection/net_connection_win_imewdbld.yml
 Resources:
   - Link: https://twitter.com/notwhickey/status/1367493406835040265
 Acknowledgement:

yml/OSBinaries/Ie4uinit.yml

@@ -21,6 +21,7 @@ Code_Sample:
 Detection:
   - IOC: ie4uinit.exe copied outside of %windir%
   - IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir%
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml
 Resources:
   - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
 Acknowledgement:

yml/OSBinaries/Ilasm.yml

@@ -25,6 +25,7 @@ Code_Sample:
   - Code:
 Detection:
   - IOC: Ilasm may not be used often in production environments (such as on endpoints)
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml
 Resources:
   - Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt
 Acknowledgement:

yml/OSBinaries/Jsc.yml

@@ -26,6 +26,7 @@ Full_Path:
 Code_Sample:
   - Code:
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml
   - IOC: Jsc.exe should normally not run a system unless it is used for development.
 Resources:
   - Link: https://twitter.com/DissectMalware/status/998797808907046913

yml/OSBinaries/OfflineScannerShell.yml

@@ -14,6 +14,7 @@ Commands:
 Full_Path:
   - Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
   - IOC: OfflineScannerShell.exe should not be run on a normal workstation
 Acknowledgement:
   - Person: Elliot Killick

yml/OSBinaries/Pktmon.yml

@@ -24,6 +24,7 @@ Full_Path:
 Code_Sample:
   - Code:
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml
   - IOC: .etl files found on system
 Resources:
   - Link: https://binar-x79.com/windows-10-secret-sniffer/

yml/OSBinaries/PrintBrm.yml

@@ -21,6 +21,7 @@ Commands:
 Full_Path:
   - Path: C:\Windows\System32\spool\tools\PrintBrm.exe
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
   - IOC: PrintBrm.exe should not be run on a normal workstation
 Resources:
   - Link: https://twitter.com/elliotkillick/status/1404117015447670800

yml/OSBinaries/Rdrleakdiag.yml

@@ -0,0 +1,44 @@
+---
+Name: rdrleakdiag.exe
+Description: Microsoft Windows resource leak diagnostic tool
+Author: 'John Dwyer'
+Created: 2022-05-18
+Commands:
+  - Command: rdrleakdiag.exe /p 940 /o c:\evil /fullmemdmp /wait 1
+    Description: Dump process by PID and create a dump file (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).
+    Usecase: Dump process by PID.
+    Category: Dump
+    Privileges: User
+    MitreID: T1003
+    OperatingSystem: Windows
+  - Command: rdrleakdiag.exe /p 832 /o c:\evil /fullmemdmp /wait 1
+    Description: Dump LSASS process by PID and create a dump file (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).
+    Usecase: Dump LSASS process.
+    Category: Dump
+    Privileges: Administrator
+    MitreID: T1003.001
+    OperatingSystem: Windows
+  - Command: rdrleakdiag.exe /p 832 /o c:\evil /fullmemdmp /snap
+    Description: After dumping a process using /wait 1, subsequent dumps must use /snap (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).
+    Usecase: Dump LSASS process mutliple times.
+    Category: Dump
+    Privileges: Administrator
+    MitreID: T1003.001
+    OperatingSystem: Windows
+Full_Path:
+  - Path: c:\windows\system32\rdrleakdiag.exe
+  - Path: c:\Windows\SysWOW64\rdrleakdiag.exe
+Code_Sample:
+  - Code:
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml
+  - Elastic: https://www.elastic.co/guide/en/security/current/potential-credential-access-via-windows-utilities.html
+  - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml
+Resources:
+  - Link: https://twitter.com/0gtweet/status/1299071304805560321?s=21
+  - Link: https://www.pureid.io/dumping-abusing-windows-credentials-part-1/
+  - Link: https://github.com/LOLBAS-Project/LOLBAS/issues/84
+Acknowledgement:
+  - Person: Grzegorz Tworek
+    Handle: '@0gtweet'
+---

yml/OSBinaries/Register-cimprovider.yml

@@ -17,6 +17,7 @@ Full_Path:
 Code_Sample:
   - Code:
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml
   - IOC: Register-cimprovider.exe execution and cmdline DLL load may be supsicious
 Resources:
   - Link: https://twitter.com/PhilipTsukerman/status/992021361106268161

yml/OSBinaries/Replace.yml

@@ -25,6 +25,7 @@ Code_Sample:
   - Code:
 Detection:
   - IOC: Replace.exe retrieving files from remote server
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml
 Resources:
   - Link: https://twitter.com/elceef/status/986334113941655553
   - Link: https://twitter.com/elceef/status/986842299861782529

yml/OSBinaries/Ttdinject.yml

@@ -24,6 +24,8 @@ Full_Path:
 Code_Sample:
   - Code:
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/7ea6ed3db65e0bd812b051d9bb4fffd27c4c4d0a/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/7ea6ed3db65e0bd812b051d9bb4fffd27c4c4d0a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml
   - IOC: Parent child relationship. Ttdinject.exe parent for executed command
   - IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process
 Resources:

yml/OSBinaries/Wlrmdr.yml

@@ -0,0 +1,33 @@
+---
+Name: Wlrmdr.exe
+Description: Windows Logon Reminder executable
+Author: Moshe Kaplan
+Created: 2022-02-16
+Commands:
+  - Command: "wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe"
+    Description: Execute calc.exe with wlrmdr.exe as parent process
+    Usecase: Use wlrmdr as a proxy binary to evade defensive countermeasures
+    Category: Execute
+    Privileges: User
+    MitreID: T1202
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: c:\windows\system32\wlrmdr.exe
+Code_Sample:
+  - Code:
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml
+  - IOC: wlrmdr.exe spawning any new processes
+Resources:
+  - Link: https://twitter.com/0gtweet/status/1493963591745220608
+  - Link: https://twitter.com/Oddvarmoe/status/927437787242090496
+  - Link: https://twitter.com/falsneg/status/1461625526640992260
+  - Link: https://docs.microsoft.com/en-us/windows/win32/api/shellapi/ns-shellapi-notifyicondataw
+Acknowledgement:
+  - Person: Grzegorz Tworek
+    Handle: '@0gtweet'
+  - Person: Oddvar Moe
+    Handle: '@Oddvarmoe'
+  - Person: Freddy
+    Handle: '@falsneg'
+---

yml/OSBinaries/Wuauclt.yml

@@ -4,12 +4,12 @@ Description: Windows Update Client
 Author: 'David Middlehurst'
 Created: 2020-09-23
 Commands:
-  - Command: wuauclt.exe /UpdateDeploymentProvider <Full_Path_To_DLL> /RunHandlerComServer
+  - Command: wuauclt.exe /UpdateDeploymentProvider Full_Path_To_DLL /RunHandlerComServer
     Description: Full_Path_To_DLL would be the abosolute path to .DLL file and would execute code on attach.
     Usecase: Execute dll via attach/detach methods
     Category: Execute
     Privileges: User
-    MitreID: T1218.011
+    MitreID: T1218
     OperatingSystem: Windows 10
 Full_Path:
   - Path: C:\Windows\System32\wuauclt.exe

yml/OSLibraries/Desk.yml

@@ -0,0 +1,44 @@
+---
+Name: Desk.cpl
+Description: Desktop Settings Control Panel
+Author: Hai Vaknin
+Created: 2022-04-21
+Commands:
+  - Command: rundll32.exe desk.cpl,InstallScreenSaver C:\temp\file.scr
+    Description: Launch an executable with a .scr extension by calling the InstallScreenSaver function.
+    Usecase: Launch any executable payload, as long as it uses the .scr extension.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218.011
+    OperatingSystem: Windows 10, Windows 11
+  - Command: rundll32.exe desk.cpl,InstallScreenSaver \\127.0.0.1\c$\temp\file.scr
+    Description: Launch a remote executable with a .scr extension, located on an SMB share, by calling the InstallScreenSaver function.
+    Usecase: Launch any executable payload, as long as it uses the .scr extension.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218.011
+    OperatingSystem: Windows 10, Windows 11    
+Full_Path:
+  - Path: C:\Windows\System32\desk.cpl
+  - Path: C:\Windows\SysWOW64\desk.cpl
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_new_src_file.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
+Resources:
+  - Link: https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt
+  - Link: https://twitter.com/pabraeken/status/998627081360695297
+  - Link: https://twitter.com/VakninHai/status/1517027824984547329
+  - Link: https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files
+Acknowledgement:
+  - Person: Rafael S Marques
+    Handle: '@pegabizu'
+  - Person: Pierre-Alexandre Braeken
+    Handle: '@pabraeken'
+  - Person: hai
+    Handle: '@VakninHai'
+  - Person: Christopher Peacock
+    Handle: '@SecurePeacock'
+  - Person: Jose Luis Sanchez
+    Handle: '@Joseliyo_Jstnk'
+---

yml/OSLibraries/Ieframe.yml

@@ -1,5 +1,5 @@
 ---
-Name: Ieaframe.dll
+Name: Ieframe.dll
 Description: Internet Browser DLL for translating HTML code.
 Author:
 Created: 2018-05-25

yml/OtherMSBinaries/AccCheckConsole.yml

@@ -0,0 +1,37 @@
+---
+Name: AccCheckConsole.exe
+Description: Verifies UI accessibility requirements
+Author: 'bohops'
+Created: 2022-01-02
+Commands:
+  - Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
+    Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
+    Usecase: Local execution of managed code from assembly DLL.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    OperatingSystem: Windows
+  - Command: AccCheckConsole.exe -window "Untitled - Notepad" C:\path\to\your\lolbas.dll
+    Description: Load a managed DLL in the context of AccCheckConsole.exe. The -window switch value can be set to an arbitrary active window name.
+    Usecase: Local execution of managed code to bypass AppLocker.
+    Category: AWL Bypass
+    Privileges: User
+    MitreID: T1218
+    OperatingSystem: Windows
+Full_Path:
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm\AccChecker\AccCheckConsole.exe
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm64\AccChecker\AccCheckConsole.exe
+Code_Sample:
+  - Code: https://docs.microsoft.com/en-us/windows/win32/winauto/custom-verification-routines
+Detection:
+  - IOC: Sysmon Event ID 1 - Process Creation
+  - Analysis: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
+Resources:
+  - Link: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
+  - Link: https://twitter.com/bohops/status/1477717351017680899
+Acknowledgement:
+  - Person: Jimmy
+    Handle: '@bohops'
+---

yml/OtherMSBinaries/Coregen.yml

@@ -4,7 +4,7 @@ Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads
 Author: Martin Sohn Christensen
 Created: 2020-10-09
 Commands:
-  - Command: coregon.exe.exe /L C:\folder\evil.dll dummy_assembly_name
+  - Command: coregen.exe /L C:\folder\evil.dll dummy_assembly_name
     Description: Loads the target .DLL in arbitrary path specified with /L.
     Usecase: Execute DLL code
     Category: Execute

yml/OtherMSBinaries/Dump64.yml

@@ -0,0 +1,24 @@
+---
+Name: Dump64.exe
+Description: Memory dump tool that comes with Microsoft Visual Studio
+Author: mr.d0x
+Created: 2021-11-16
+Commands:
+  - Command: dump64.exe <pid> out.dmp
+    Description: Creates a memory dump of the LSASS process.
+    Usecase: Create memory dump and parse it offline to retrieve credentials.
+    Category: Dump
+    Privileges: Administrator
+    MitreID: T1003.001
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/138b06628380468fb8a41fc27770e1630cb64326/rules/windows/process_creation/process_creation_win_lolbas_dump64.yml
+  - IOC: As a Windows SDK binary, execution on a system may be suspicious
+Resources:
+  - Link: https://twitter.com/mrd0x/status/1460597833917251595
+Acknowledgement:
+  - Person: mr.d0x
+    Handle: '@mrd0x'
+---

yml/OtherMSBinaries/Sqlps.yml

@@ -16,6 +16,7 @@ Full_Path:
   - Path: C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe
   - Path: C:\Program files (x86)\Microsoft SQL Server\120\Tools\Binn\sqlps.exe
   - Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
+  - Path: C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\SQLPS.exe
 Code_Sample:
   - Code:
 Detection:
@@ -24,9 +25,12 @@ Detection:
   - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/execution_suspicious_powershell_imgload.toml
   - Splunk: https://github.com/splunk/security_content/blob/aa9f7e0d13a61626c69367290ed1b7b71d1281fd/docs/_posts/2021-10-05-suspicious_copy_on_system32.md
 Resources:
+  - Link: https://twitter.com/ManuelBerrueta/status/1527289261350760455
   - Link: https://twitter.com/bryon_/status/975835709587075072
   - Link: https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017
 Acknowledgement:
   - Person: Bryon
     Handle: '@bryon_'
+  - Person: Manny
+    Handle: '@ManuelBerrueta'
 ---