Merge remote-tracking branch 'upstream/master' into windows_11_sprint

2024-12-28 15:58:24 +01:00 · 2022-09-02 17:23:45 +01:00 · 2022-09-02 17:23:45 +01:00 · e1df4e9f83
commit e1df4e9f83
parent c5c227a7ba 68a6f0a35f
3 changed files with 11 additions and 63 deletions
--- a/yml/OSBinaries/Dllhost.yml
+++ b/yml/OSBinaries/Dllhost.yml
@ -1,36 +0,0 @@
---
-Name: Dllhost.exe
-Description: Used by Windows to DLL Surrogate COM Objects
-Author: 'Nasreddine Bencherchali'
-Created: 2020-11-07
-Commands:
-  - Command: dllhost.exe /Processid:{CLSID}
-    Description: Use dllhost.exe to load a registered or hijacked COM Server payload.
-    Usecase: Execute a DLL Surrogate COM Object.
-    Category: Execute
-    Privileges: User
-    MitreID: T1546.015
-    OperatingSystem: Windows 10 (and likely previous versions)
-Full_Path:
-  - Path: C:\Windows\System32\dllhost.exe
-  - Path: C:\Windows\SysWOW64\dllhost.exe
-Code_Sample:
- Code:
-Detection:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
- - Splunk: https://github.com/splunk/security_content/blob/552b67da9452fb0765e3624b3d6e3ef6c0508bda/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
- - Splunk: https://github.com/splunk/security_content/blob/961a81d4a5cb5c5febec4894d6d812497171a85c/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml
- - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
- - Elastic: https://github.com/elastic/detection-rules/blob/c457614e37bf7b6db02de84c7fa71a5620783236/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
- - IOC: DotNet CLR libraries loaded into dllhost.exe
- - IOC: DotNet CLR Usage Log - dllhost.exe.log
- - IOC: Suspicious network connectings originating from dllhost.exe
-Resources:
-  - Link: https://twitter.com/CyberRaiju/status/1167415118847598594
-  - Link: https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
-Acknowledgement:
-  - Person: Jai Minton
-    Handle: '@CyberRaiju'
-  - Person: Nasreddine Bencherchali
-    Handle: '@nas_bench'
---
--- a/yml/OSScripts/CL_LoadAssembly.yml
+++ b/yml/OSScripts/CL_LoadAssembly.yml
@ -1,29 +1,3 @@
-<<<<<<< HEAD
---
-Name: CL_LoadAssembly.ps1
-Description: PowerShell Diagnostic Script
-Author: Jimmy (@bohops)
-Created: 2021-09-26
-Commands:
-  - Command: 'powershell.exe -ep bypass -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()"'
-    Description: Proxy execute Managed DLL with PowerShell
-    Usecase: Execute proxied payload with Microsoft signed binary
-    Category: Execute
-    Privileges: User
-    MitreID: T1216
-    OperatingSystem: Windows 10 21H1 (likely other versions as well), Windows 11
-Full_Path:
-  - Path: C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
-Code_Sample:
-  - Code:
-Detection:
-Resources:
-  - Link: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
-Acknowledgement:
-  - Person: Jimmy
-    Handle: '@bohops'
---
-=======
 ---
 Name: CL_LoadAssembly.ps1
 Description: PowerShell Diagnostic Script
@ -49,4 +23,3 @@ Acknowledgement:
  - Person: Jimmy
    Handle: '@bohops'
 ---
->>>>>>> 9135005 (Add sigma references to CL_LoadAssembly, CLMutexVerifiers entries (#221))
--- a/yml/OSScripts/pester.yml
+++ b/yml/OSScripts/pester.yml
@ -18,6 +18,13 @@ Commands:
    Privileges: User
    MitreID: T1216
    OperatingSystem: Windows 10, Windows 11
+  - Command: Pester.bat ;calc.exe
+    Description: Execute code using Pester. Example here executes calc.exe
+    Usecase: Proxy execution
+    Category: Execute
+    Privileges: User
+    MitreID: T1216
+    OperatingSystem: Windows 10, Windows 11
 Full_Path:
  - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
  - Path: c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat
@ -26,12 +33,16 @@ Code_Sample:
 Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_pester.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml
 Resources:
  - Link: https://twitter.com/Oddvarmoe/status/993383596244258816
  - Link: https://twitter.com/_st0pp3r_/status/1560072680887525378
+  - Link: https://twitter.com/_st0pp3r_/status/1560072680887525378
 Acknowledgement:
  - Person: Emin Atac
    Handle: '@p0w3rsh3ll'
  - Person: Stamatis Chatzimangou
    Handle: '@_st0pp3r_'
+  - Person: Stamatis Chatzimangou
+    Handle: '@_st0pp3r_'
 ---