From 80267d91dd26ac1296dfba09511f3efbd1641327 Mon Sep 17 00:00:00 2001
From: Wietze
Date: Wed, 8 Nov 2023 01:55:24 +0000
Subject: [PATCH] Adding GitHub Actions workflow test for duplicate filenames (#340)

* Adding GitHub Actions workflow test for duplicate filenames
* Adding generic error message
* Deduping fsutil.exe and teams.exe
---
 .github/workflows/yaml-linting.yml | 12 ++++++++++-
 yml/OSBinaries/Fsutil.yml | 32 +++++++++++++++++++++++++-----
 yml/OSBinaries/Teams.yml | 21 --------------------
 yml/OSBinaries/fsutil.yml | 32 ------------------------------
 yml/OtherMSBinaries/Teams.yml | 18 +++++++++++++----
 5 files changed, 52 insertions(+), 63 deletions(-)
 delete mode 100644 yml/OSBinaries/Teams.yml
 delete mode 100644 yml/OSBinaries/fsutil.yml

diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml
index e5d948f..bdf6d09 100644
--- a/.github/workflows/yaml-linting.yml
+++ b/.github/workflows/yaml-linting.yml
@@ -12,10 +12,20 @@ jobs:
 run: |
 files=$(find "$GITHUB_WORKSPACE/yml" -type f -not -name "*.yml");
 if [[ $files ]]; then
- echo "Files with unexpected extension found, please ensure you use '.yml' (all lower case) for files in the yml/ folder.";
+ echo "::error::Files with unexpected extension found, please ensure you use '.yml' (all lower case) for files in the yml/ folder.";
 for i in $files; do echo "::error file=$i,line=1::Unexpected extension"; done
 exit 1;
 fi
+ unset files
+ - name: Check duplicate file names
+ run: |
+ files=$(find "$GITHUB_WORKSPACE/yml/OSBinaries" "$GITHUB_WORKSPACE/yml/OtherMSBinaries" -type f -printf '%h %f\n' -iname "*.yml" | sort -t ' ' -k 2,2 -f | uniq -i -f 1 --all-repeated=separate | tr ' ' '/')
+ if [[ $files ]]; then
+ echo "::error::Files with duplicate filenames detected, please make sure you don't create duplicate entries.";
+ for i in $files; do echo "::error file=$i,line=1::Duplicate filename"; done
+ exit 1;
+ fi
+ unset files
 - name: yaml-lint
 uses: ibiqlik/action-yamllint@v3
 with:
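Review bot: In the new `Check duplicate file names` step the `-iname "*.yml"` test is placed after `-printf`, so find prints every regular file before the name test is evaluated and the extension filter has no effect; the tests should precede the action: `files=$(find "$GITHUB_WORKSPACE/yml/OSBinaries" "$GITHUB_WORKSPACE/yml/OtherMSBinaries" -type f -iname "*.yml" -printf '%h %f\n' | sort -t ' ' -k 2,2 -f | uniq -i -f 1 --all-repeated=separate | tr ' ' '/')`. In practice the preceding step already fails the job on non-.yml files, so the outcome is the same today, but the duplicate check should not depend on that ordering. Note also that `tr ' ' '/'` rewrites every space and `for i in $files` word-splits, so a workspace path containing a space would produce mangled annotations; the runner layout makes that unlikely, but a one-line comment recording the assumption would help. The first step's `- name:` line is above the hunk, so the enclosing step starts outside it.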
diff --git a/yml/OSBinaries/Fsutil.yml b/yml/OSBinaries/Fsutil.yml
index f7d1d71..63ef859 100644
--- a/yml/OSBinaries/Fsutil.yml
+++ b/yml/OSBinaries/Fsutil.yml
@@ -1,10 +1,24 @@
 ---
-Name: fsutil.exe
-Description: Filesystem management utility
-Author: gtworek
-Created: 2023-11-04
+Name: Fsutil.exe
+Description: File System Utility
+Author: 'Elliot Killick'
+Created: 2021-08-16
 Commands:
- - Command: 'fsutil trace decode'
+ - Command: fsutil.exe file setZeroData offset=0 length=9999999999 C:\Windows\Temp\payload.dll
+ Description: Zero out a file
+ Usecase: Can be used to forensically erase a file
+ Category: Tamper
+ Privileges: User
+ MitreID: T1485
+ OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+ - Command: 'fsutil.exe usn deletejournal /d c:'
+ Description: Delete the USN journal volume to hide file creation activity
+ Usecase: Can be used to hide file creation activity
+ Category: Tamper
+ Privileges: User
+ MitreID: T1485
+ OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+ - Command: fsutil.exe trace decode
 Description: Executes a pre-planted binary named netsh.exe from the current directory.
 Usecase: Spawn a pre-planted executable from fsutil.exe.
 Category: Execute
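Review bot: The merged `fsutil.exe file setZeroData` and `fsutil.exe usn deletejournal` entries carry `Privileges: User`, but fsutil is documented by Microsoft as requiring administrative privileges, and deleting a volume's USN journal in particular is not something a standard user account can do; `Privileges: Administrator` looks like the accurate value for both, worth confirming against the author's original test. This was already the case in the deleted `yml/OSBinaries/fsutil.yml`, so the commit only carries it over, but the merge is the natural point to correct it. The `OperatingSystem` list for the two carried-over commands stops at Windows 10 while the trace decode entry names Windows 11; if that is deliberate, a short note on why would save the next editor a question.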
@@ -13,12 +27,20 @@ Commands:
 OperatingSystem: Windows 11
 Full_Path:
 - Path: C:\Windows\System32\fsutil.exe
+ - Path: C:\Windows\SysWOW64\fsutil.exe
 Detection:
+ - IOC: fsutil.exe should not be run on a normal workstation
+ - IOC: file setZeroData (not case-sensitive) in the process arguments
 - IOC: Sysmon Event ID 1
 - IOC: Execution of process fsutil.exe with trace decode could be suspicious
 - IOC: Non-Windows netsh.exe execution
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml
 Resources:
 - Link: https://twitter.com/0gtweet/status/1720724516324704404
 Acknowledgement:
+ - Person: Elliot Killick
+ Handle: '@elliotkillick'
+ - Person: Jimmy
+ Handle: '@bohops'
 - Person: Grzegorz Tworek
 Handle: '@0gtweet'
diff --git a/yml/OSBinaries/Teams.yml b/yml/OSBinaries/Teams.yml
deleted file mode 100644
index ba85b65..0000000
--- a/yml/OSBinaries/Teams.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-Name: Teams.exe
-Description: Microsoft Teams
-Author: mr.d0x
-Created: 2023-05-27
-Commands:
- - Command: teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&"
- Description: Teams spawns cmd.exe as a child process of teams.exe and executes the ping command
- Usecase: Executes a process under a trusted Microsoft signed binary
- Category: Execute
- Privileges: User
- MitreID: T1218
- OperatingSystem: Windows 10, Windows 11
-Full_Path:
- - Path: c:\Users\username\AppData\Local\Microsoft\Teams\current\Teams.exe
-Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml
-Resources:
-Acknowledgement:
- - Person: mr.d0x
- Handle: '@mrd0x'
diff --git a/yml/OSBinaries/fsutil.yml b/yml/OSBinaries/fsutil.yml
deleted file mode 100644
index 5a973eb..0000000
--- a/yml/OSBinaries/fsutil.yml
+++ /dev/null
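Review bot: The merged `Detection:` list has an IOC for `file setZeroData` in the process arguments and IOCs for `trace decode`, but nothing for `usn deletejournal`, even though that is now the second listed command and the one with the clearest tamper signal; add `- IOC: usn deletejournal (not case-sensitive) in the process arguments` next to the setZeroData line. The linked Sigma rule may already match it, but the plain IOC lines are what readers of the entry see first. The trace decode IOCs (`Sysmon Event ID 1`, `Non-Windows netsh.exe execution`) now sit in a list shared by three commands, so it may be worth noting in each which command it belongs to.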
@@ -1,32 +0,0 @@
----
-Name: fsutil.exe
-Description: File System Utility
-Author: 'Elliot Killick'
-Created: '2021-08-16'
-Commands:
- - Command: fsutil.exe file setZeroData offset=0 length=9999999999 C:\Windows\Temp\payload.dll
- Description: Zero out a file
- Usecase: Can be used to forensically erase a file
- Category: Tamper
- Privileges: User
- MitreID: T1485
- OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- - Command: 'fsutil.exe usn deletejournal /d c:'
- Description: Delete the USN journal volume to hide file creation activity
- Usecase: Can be used to hide file creation activity
- Category: Tamper
- Privileges: User
- MitreID: T1485
- OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full_Path:
- - Path: C:\Windows\System32\fsutil.exe
- - Path: C:\Windows\SysWOW64\fsutil.exe
-Detection:
- - IOC: fsutil.exe should not be run on a normal workstation
- - IOC: file setZeroData (not case-sensitive) in the process arguments
- - Sigma: https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml
-Acknowledgement:
- - Person: Elliot Killick
- Handle: '@elliotkillick'
- - Person: Jimmy
- Handle: '@bohops'
diff --git a/yml/OtherMSBinaries/Teams.yml b/yml/OtherMSBinaries/Teams.yml
index 4ff119a..79ae4b2 100644
--- a/yml/OtherMSBinaries/Teams.yml
+++ b/yml/OtherMSBinaries/Teams.yml
@@ -4,20 +4,27 @@ Description: Electron runtime binary which runs the Teams application
 Author: Andrew Kisliakov
 Created: 2022-01-17
 Commands:
- - Command: Teams.exe
+ - Command: teams.exe
 Description: Generate JavaScript payload and package.json, and save to "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app\\" before executing.
 Usecase: Execute JavaScript code
 Category: Execute
 Privileges: User
 MitreID: T1218
- OperatingSystem: Windows
- - Command: Teams.exe
+ OperatingSystem: Windows 10, Windows 11
+ - Command: teams.exe
 Description: Generate JavaScript payload and package.json, archive in ASAR file and save to "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar" before executing.
 Usecase: Execute JavaScript code
 Category: Execute
 Privileges: User
 MitreID: T1218
- OperatingSystem: Windows
+ OperatingSystem: Windows 10, Windows 11
+ - Command: teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&"
+ Description: Teams spawns cmd.exe as a child process of teams.exe and executes the ping command
+ Usecase: Executes a process under a trusted Microsoft signed binary
+ Category: Execute
+ Privileges: User
+ MitreID: T1218
+ OperatingSystem: Windows 10, Windows 11
 Full_Path:
 - Path: "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\Teams.exe"
 Code_Sample:
@@ -25,7 +32,10 @@ Code_Sample:
 Detection:
 - IOC: "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app directory created"
 - IOC: "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar file created/modified by non-Teams installer/updater"
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml
 Resources:
 - Link: https://l--k.uk/2022/01/16/microsoft-teams-and-other-electron-apps-as-lolbins/
 Acknowledgement:
 - Person: Andrew Kisliakov
+ - Person: mr.d0x
+ Handle: '@mrd0x'
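Review bot: The `--gpu-launcher` command added to `Commands:` in the first hunk has no plain-text indicator in the `Detection:` section of the second hunk beyond the Sigma link; the two existing IOC lines describe the `app` and `app.asar` techniques only, so a reader gets no direct hint of what to look for with the new entry. Add `- IOC: teams.exe started with --gpu-launcher and --disable-gpu-sandbox in the process arguments and spawning a non-Teams child process` next to the Sigma line. The deleted `yml/OSBinaries/Teams.yml` had the same gap, so this is carried over rather than introduced here, but the merge is the place to close it.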