From 91350057cef1ecf798bfa29c6500eca6ac597295 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 4 Jun 2022 12:50:35 +0200
Subject: [PATCH 1/5] Add sigma references to CL_LoadAssembly, CLMutexVerifiers entries (#221)
---
 yml/OSScripts/CL_LoadAssembly.yml | 1 +
 yml/OSScripts/CL_mutexverifiers.yml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/yml/OSScripts/CL_LoadAssembly.yml b/yml/OSScripts/CL_LoadAssembly.yml
index 945d373..638cea1 100644
--- a/yml/OSScripts/CL_LoadAssembly.yml
+++ b/yml/OSScripts/CL_LoadAssembly.yml
@@ -16,6 +16,7 @@ Full_Path:
 Code_Sample:
 - Code:
 Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/ff6c54ded6b52f379cec11fe17c1ccb956faa660/rules/windows/process_creation/proc_creation_win_lolbas_cl_loadassembly.yml
 Resources:
 - Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
 Acknowledgement:
diff --git a/yml/OSScripts/CL_mutexverifiers.yml b/yml/OSScripts/CL_mutexverifiers.yml
index 5a55cf1..08d6674 100644
--- a/yml/OSScripts/CL_mutexverifiers.yml
+++ b/yml/OSScripts/CL_mutexverifiers.yml
@@ -20,6 +20,7 @@ Full_Path:
 Code_Sample:
 - Code:
 Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/ff6c54ded6b52f379cec11fe17c1ccb956faa660/rules/windows/process_creation/proc_creation_win_lolbas_cl_mutexverifiers.yml
 Resources:
 - Link: https://twitter.com/pabraeken/status/995111125447577600
 Acknowledgement:
From 8283d8d91552213ded165fd36deb6cb9534cb443 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Thu, 9 Jun 2022 10:51:40 +0200
Subject: [PATCH 2/5] Delete Dllhost.yml
https://twitter.com/0gtweet/status/1533804788038647808
---
 yml/OSBinaries/Dllhost.yml | 36 ------------------------------------
 1 file changed, 36 deletions(-)
 delete mode 100644 yml/OSBinaries/Dllhost.yml
diff --git a/yml/OSBinaries/Dllhost.yml b/yml/OSBinaries/Dllhost.yml
deleted file mode 100644
index beda52f..0000000
--- a/yml/OSBinaries/Dllhost.yml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-Name: Dllhost.exe
-Description: Used by Windows to DLL Surrogate COM Objects
-Author: 'Nasreddine Bencherchali'
-Created: '2020-11-07'
-Commands:
- - Command: dllhost.exe /Processid:{CLSID}
- Description: Use dllhost.exe to load a registered or hijacked COM Server payload.
- Usecase: Execute a DLL Surrogate COM Object.
- Category: Execute
- Privileges: User
- MitreID: T1546.015
- OperatingSystem: Windows 10 (and likely previous versions)
-Full_Path:
- - Path: C:\Windows\System32\dllhost.exe
- - Path: C:\Windows\SysWOW64\dllhost.exe
-Code_Sample:
-- Code:
-Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
- - Splunk: https://github.com/splunk/security_content/blob/552b67da9452fb0765e3624b3d6e3ef6c0508bda/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
- - Splunk: https://github.com/splunk/security_content/blob/961a81d4a5cb5c5febec4894d6d812497171a85c/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml
- - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
- - Elastic: https://github.com/elastic/detection-rules/blob/c457614e37bf7b6db02de84c7fa71a5620783236/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
- - IOC: DotNet CLR libraries loaded into dllhost.exe
- - IOC: DotNet CLR Usage Log - dllhost.exe.log
- - IOC: Suspicious network connectings originating from dllhost.exe
-Resources:
- - Link: https://twitter.com/CyberRaiju/status/1167415118847598594
- - Link: https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
-Acknowledgement:
- - Person: Jai Minton
- Handle: '@CyberRaiju'
- - Person: Nasreddine Bencherchali
- Handle: '@nas_bench'
----
From fdc1b2c82759f25417c3cedf9ee88d0ce7c1968e Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Tue, 23 Aug 2022 15:44:57 +0200
Subject: [PATCH 3/5] Update pester.bat with an additional example
---
 yml/OSScripts/pester.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml
index 7d525f8..d3e8b04 100644
--- a/yml/OSScripts/pester.yml
+++ b/yml/OSScripts/pester.yml
@@ -11,6 +11,13 @@ Commands:
 Privileges: User
 MitreID: T1216
 OperatingSystem: Windows 10
+ - Command: Pester.bat ;calc.exe
+ Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. Example here executes notepad
+ Usecase: Proxy execution
+ Category: Execute
+ Privileges: User
+ MitreID: T1216
+ OperatingSystem: Windows 10
 Full_Path:
 - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
 - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat
@@ -20,7 +27,10 @@ Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_pester.yml
 Resources:
 - Link: https://twitter.com/Oddvarmoe/status/993383596244258816
+ - Link: https://twitter.com/_st0pp3r_/status/1560072680887525378
 Acknowledgement:
 - Person: Emin Atac
 Handle: '@p0w3rsh3ll'
+ - Person: Stamatis Chatzimangou
+ Handle: '@_st0pp3r_'
 ---
From c53a8ea06eb982932ca65c05786d3fe83864d79b Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Tue, 23 Aug 2022 15:47:17 +0200
Subject: [PATCH 4/5] Adjusted comment in command
---
 yml/OSScripts/pester.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml
index d3e8b04..96c1fb4 100644
--- a/yml/OSScripts/pester.yml
+++ b/yml/OSScripts/pester.yml
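Review bot: The new `- Command: Pester.bat ;calc.exe` entry in this hunk reaches the payload without the `/help`/`?` switch the existing example relies on, and the only detection the entry references (the pinned `win_susp_pester.yml`, visible as context in the next hunk) is therefore not guaranteed to cover it — if that rule keys on the help argument, this variant ships with no listed detection. Consider adding a detection line that does not depend on the argument, for example `- IOC: Pester.bat (cmd.exe) spawning powershell.exe that in turn launches a further child process`, or a reference to a parent-process based rule. The Description should also explain why the semicolon works — presumably Pester.bat splices its arguments into a `powershell -command "& { ...; Invoke-Pester %* }"` string, so everything after `;` runs as a separate PowerShell statement — e.g. `Description: Execute code using Pester. Arguments are passed into the PowerShell command line Pester.bat builds, so the statement after ";" runs as a separate PowerShell command; example here executes calc.exe`. The Commands list this hunk extends begins above the hunk.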
@@ -12,7 +12,7 @@ Commands:
 MitreID: T1216
 OperatingSystem: Windows 10
 - Command: Pester.bat ;calc.exe
- Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. Example here executes notepad
+ Description: Execute code using Pester. Example here executes calc.exe
 Usecase: Proxy execution
 Category: Execute
 Privileges: User
From 68a6f0a35f30edc58d59e46ddaf8f35cda958592 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Wed, 24 Aug 2022 12:32:48 +0200
Subject: [PATCH 5/5] added sigma detection for pester
---
 yml/OSScripts/pester.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/yml/OSScripts/pester.yml b/yml/OSScripts/pester.yml
index 96c1fb4..bc19377 100644
--- a/yml/OSScripts/pester.yml
+++ b/yml/OSScripts/pester.yml
@@ -25,6 +25,7 @@ Code_Sample:
 - Code:
 Detection:
 - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_pester.yml
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml
 Resources:
 - Link: https://twitter.com/Oddvarmoe/status/993383596244258816
 - Link: https://twitter.com/_st0pp3r_/status/1560072680887525378
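Review bot: The added `- Sigma:` line points at `blob/master/.../proc_creation_win_susp_pester_parent.yml`, whereas every other detection reference on this page, including the `win_susp_pester.yml` line directly above it, is pinned to a commit SHA; a master URL breaks silently the next time SigmaHQ renames or moves the rule, which the `win_susp_` versus `proc_creation_win_` naming of the two lines suggests has already happened once for this file. Pin it to the commit that introduced the rule, e.g. `- Sigma: https://github.com/SigmaHQ/sigma/blob/<commit-sha>/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml`. The pester.yml entry this Detection list belongs to starts above the hunk.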