Adding GitHub Actions workflow test for duplicate filenames (#340)

* Adding GitHub Actions workflow test for duplicate filenames

* Adding generic error message

* Deduping fsutil.exe and teams.exe

.github/workflows/yaml-linting.yml

@@ -12,10 +12,20 @@ jobs:
         run: |
           files=$(find "$GITHUB_WORKSPACE/yml" -type f -not -name "*.yml");
           if [[ $files ]]; then
-            echo "Files with unexpected extension found, please ensure you use '.yml' (all lower case) for files in the yml/ folder.";
+            echo "::error::Files with unexpected extension found, please ensure you use '.yml' (all lower case) for files in the yml/ folder.";
             for i in $files; do echo "::error file=$i,line=1::Unexpected extension"; done
             exit 1;
           fi
+          unset files
+      - name: Check duplicate file names
+        run: |
+          files=$(find "$GITHUB_WORKSPACE/yml/OSBinaries" "$GITHUB_WORKSPACE/yml/OtherMSBinaries" -type f -printf '%h %f\n' -iname "*.yml" | sort -t ' ' -k 2,2 -f | uniq -i -f 1 --all-repeated=separate | tr ' ' '/')
+          if [[ $files ]]; then
+            echo "::error::Files with duplicate filenames detected, please make sure you don't create duplicate entries.";
+            for i in $files; do echo "::error file=$i,line=1::Duplicate filename"; done
+            exit 1;
+          fi
+          unset files
       - name: yaml-lint
         uses: ibiqlik/action-yamllint@v3
         with:

yml/OSBinaries/Fsutil.yml

@@ -1,10 +1,24 @@
 ---
-Name: fsutil.exe
-Description: Filesystem management utility
-Author: gtworek
-Created: 2023-11-04
+Name: Fsutil.exe
+Description: File System Utility
+Author: 'Elliot Killick'
+Created: 2021-08-16
 Commands:
-  - Command: 'fsutil trace decode'
+  - Command: fsutil.exe file setZeroData offset=0 length=9999999999 C:\Windows\Temp\payload.dll
+    Description: Zero out a file
+    Usecase: Can be used to forensically erase a file
+    Category: Tamper
+    Privileges: User
+    MitreID: T1485
+    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+  - Command: 'fsutil.exe usn deletejournal /d c:'
+    Description: Delete the USN journal volume to hide file creation activity
+    Usecase: Can be used to hide file creation activity
+    Category: Tamper
+    Privileges: User
+    MitreID: T1485
+    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+  - Command: fsutil.exe trace decode
     Description: Executes a pre-planted binary named netsh.exe from the current directory.
     Usecase: Spawn a pre-planted executable from fsutil.exe.
     Category: Execute
@@ -13,12 +27,20 @@ Commands:
     OperatingSystem: Windows 11
 Full_Path:
   - Path: C:\Windows\System32\fsutil.exe
+  - Path: C:\Windows\SysWOW64\fsutil.exe
 Detection:
+  - IOC: fsutil.exe should not be run on a normal workstation
+  - IOC: file setZeroData (not case-sensitive) in the process arguments
   - IOC: Sysmon Event ID 1
   - IOC: Execution of process fsutil.exe with trace decode could be suspicious
   - IOC: Non-Windows netsh.exe execution
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml
 Resources:
   - Link: https://twitter.com/0gtweet/status/1720724516324704404
 Acknowledgement:
+  - Person: Elliot Killick
+    Handle: '@elliotkillick'
+  - Person: Jimmy
+    Handle: '@bohops'
   - Person: Grzegorz Tworek
     Handle: '@0gtweet'

yml/OSBinaries/Teams.yml

@@ -1,21 +0,0 @@
----
-Name: Teams.exe
-Description: Microsoft Teams
-Author: mr.d0x
-Created: 2023-05-27
-Commands:
-  - Command: teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&"
-    Description: Teams spawns cmd.exe as a child process of teams.exe and executes the ping command
-    Usecase: Executes a process under a trusted Microsoft signed binary
-    Category: Execute
-    Privileges: User
-    MitreID: T1218
-    OperatingSystem: Windows 10, Windows 11
-Full_Path:
-  - Path: c:\Users\username\AppData\Local\Microsoft\Teams\current\Teams.exe
-Detection:
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml
-Resources:
-Acknowledgement:
-  - Person: mr.d0x
-    Handle: '@mrd0x'

yml/OSBinaries/fsutil.yml

@@ -1,32 +0,0 @@
----
-Name: fsutil.exe
-Description: File System Utility
-Author: 'Elliot Killick'
-Created: '2021-08-16'
-Commands:
-  - Command: fsutil.exe file setZeroData offset=0 length=9999999999 C:\Windows\Temp\payload.dll
-    Description: Zero out a file
-    Usecase: Can be used to forensically erase a file
-    Category: Tamper
-    Privileges: User
-    MitreID: T1485
-    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-  - Command: 'fsutil.exe usn deletejournal /d c:'
-    Description: Delete the USN journal volume to hide file creation activity
-    Usecase: Can be used to hide file creation activity
-    Category: Tamper
-    Privileges: User
-    MitreID: T1485
-    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
-Full_Path:
-  - Path: C:\Windows\System32\fsutil.exe
-  - Path: C:\Windows\SysWOW64\fsutil.exe
-Detection:
-  - IOC: fsutil.exe should not be run on a normal workstation
-  - IOC: file setZeroData (not case-sensitive) in the process arguments
-  - Sigma: https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml
-Acknowledgement:
-  - Person: Elliot Killick
-    Handle: '@elliotkillick'
-  - Person: Jimmy
-    Handle: '@bohops'

yml/OtherMSBinaries/Teams.yml

@@ -4,20 +4,27 @@ Description: Electron runtime binary which runs the Teams application
 Author: Andrew Kisliakov
 Created: 2022-01-17
 Commands:
-  - Command: Teams.exe
+  - Command: teams.exe
     Description: Generate JavaScript payload and package.json, and save to "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app\\" before executing.
     Usecase: Execute JavaScript code
     Category: Execute
     Privileges: User
     MitreID: T1218
-    OperatingSystem: Windows
-  - Command: Teams.exe
+    OperatingSystem: Windows 10, Windows 11
+  - Command: teams.exe
     Description: Generate JavaScript payload and package.json, archive in ASAR file and save to "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar" before executing.
     Usecase: Execute JavaScript code
     Category: Execute
     Privileges: User
     MitreID: T1218
-    OperatingSystem: Windows
+    OperatingSystem: Windows 10, Windows 11
+  - Command: teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&"
+    Description: Teams spawns cmd.exe as a child process of teams.exe and executes the ping command
+    Usecase: Executes a process under a trusted Microsoft signed binary
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    OperatingSystem: Windows 10, Windows 11
 Full_Path:
   - Path: "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\Teams.exe"
 Code_Sample:
@@ -25,7 +32,10 @@ Code_Sample:
 Detection:
   - IOC: "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app directory created"
   - IOC: "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar file created/modified by non-Teams installer/updater"
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml
 Resources:
   - Link: https://l--k.uk/2022/01/16/microsoft-teams-and-other-electron-apps-as-lolbins/
 Acknowledgement:
   - Person: Andrew Kisliakov
+  - Person: mr.d0x
+    Handle: '@mrd0x'