Merge pull request #131 from fslds/feat/yamllinting

Adding yamllinting github action and some minor syntax corrections in yml-files.
This commit is contained in:
Oddvar Moe 2021-10-22 15:20:54 +02:00 committed by GitHub
commit e480be182e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 71 additions and 33 deletions

12
.github/workflows/yamllinting.yml vendored Normal file
View File

@ -0,0 +1,12 @@
---
name: Yaml Lint
on: [push, pull_request]
jobs:
lintFiles:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- name: yaml-lint
uses: ibiqlik/action-yamllint@v3
with:
config_file: .yamllint

15
.yamllint Normal file
View File

@ -0,0 +1,15 @@
---
extends: default
yaml-files:
- '*.yml'
rules:
new-line-at-end-of-file:
level: warning
trailing-spaces:
level: warning
line-length:
level: warning
new-lines:
level: warning
indentation:
level: warning

View File

@ -2,7 +2,7 @@
Name: Binary.exe Name: Binary.exe
Description: Something general about the binary Description: Something general about the binary
Author: The person that created this file Author: The person that created this file
Created: Date the person created this file (use YYYY-MM-DD without quotes) Created: Date the person created this file
Commands: Commands:
- Command: The command - Command: The command
Description: Description of the command Description: Description of the command
@ -37,4 +37,3 @@ Acknowledgement:
Handle: '@johndoe' Handle: '@johndoe'
- Person: Ola Norman - Person: Ola Norman
Handle: '@olaNor' Handle: '@olaNor'
---

View File

@ -2,7 +2,8 @@
Name: Explorer.exe Name: Explorer.exe
Description: Execute Description: Execute
Author: '' Author: ''
Created: 2018-05-25 Created: '2018-05-25'
Categories: []
Commands: Commands:
- Command: explorer.exe calc.exe - Command: explorer.exe calc.exe
Description: 'Executes calc.exe as a subprocess of explorer.exe.' Description: 'Executes calc.exe as a subprocess of explorer.exe.'
@ -16,4 +17,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Jimmy - Person: Jimmy
Handle: '@bohops' Handle: '@bohops'

View File

@ -2,7 +2,8 @@
Name: Netsh.exe Name: Netsh.exe
Description: Execute, Surveillance Description: Execute, Surveillance
Author: '' Author: ''
Created: 2018-05-25 Created: '2018-05-25'
Categories: []
Commands: Commands:
- Command: | - Command: |
netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!(<IPofRemoteFileShare>) netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!(<IPofRemoteFileShare>)
@ -21,3 +22,6 @@ Resources:
- https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
- https://attack.mitre.org/wiki/Technique/T1128 - https://attack.mitre.org/wiki/Technique/T1128
- https://twitter.com/teemuluotio/status/990532938952527873 - https://twitter.com/teemuluotio/status/990532938952527873
Acknowledgement:
- Person: ''
- Handle: ''

View File

@ -2,7 +2,7 @@
Name: Openwith.exe Name: Openwith.exe
Description: Execute Description: Execute
Author: '' Author: ''
Created: 2018-05-25 Created: '2018-05-25'
Commands: Commands:
- Command: OpenWith.exe /c C:\test.hta - Command: OpenWith.exe /c C:\test.hta
Description: Opens the target file with the default application. Description: Opens the target file with the default application.

View File

@ -2,7 +2,7 @@
Name: Powershell.exe Name: Powershell.exe
Description: Execute, Read ADS Description: Execute, Read ADS
Author: '' Author: ''
Created: 2018-05-25 Created: '2018-05-25'
Commands: Commands:
- Command: powershell -ep bypass - < c:\temp:ttt - Command: powershell -ep bypass - < c:\temp:ttt
Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS). Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
@ -16,4 +16,3 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Moriarty - Person: Moriarty
Handle: '@Moriarty_Meng' Handle: '@Moriarty_Meng'

View File

@ -2,7 +2,8 @@
Name: Psr.exe Name: Psr.exe
Description: Surveillance Description: Surveillance
Author: '' Author: ''
Created: 2018-05-25 Created: '2018-05-25'
Categories: []
Commands: Commands:
- Command: psr.exe /start /gui 0 /output c:\users\user\out.zip - Command: psr.exe /start /gui 0 /output c:\users\user\out.zip
Description: Capture screenshots of the desktop and save them in the target .ZIP file. Description: Capture screenshots of the desktop and save them in the target .ZIP file.
@ -17,4 +18,6 @@ Code_Sample: []
Detection: [] Detection: []
Resources: Resources:
- https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
Acknowledgement:
- Person: ''
- Handle: ''

View File

@ -3,6 +3,7 @@ Name: Robocopy.exe
Description: Copy Description: Copy
Author: '' Author: ''
Created: 2018-05-25 Created: 2018-05-25
Categories: []
Commands: Commands:
- Command: Robocopy.exe C:\SourceFolder C:\DestFolder - Command: Robocopy.exe C:\SourceFolder C:\DestFolder
Description: Copy the entire contents of the SourceFolder to the DestFolder. Description: Copy the entire contents of the SourceFolder to the DestFolder.
@ -15,3 +16,6 @@ Code_Sample: []
Detection: [] Detection: []
Resources: Resources:
- https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx - https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
Acknowledgement:
- Person: ''
- Handle: ''

View File

@ -3,6 +3,7 @@ Name: Update.exe
Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation. Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation.
Author: 'Jesus Galvez' Author: 'Jesus Galvez'
Created: '2020-11-01' Created: '2020-11-01'
Commands:
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args" - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied. Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied.
Usecase: Execute binary Usecase: Execute binary
@ -14,5 +15,5 @@ Created: '2020-11-01'
Full_Path: Full_Path:
- Path: '%localappdata%\Whatsapp\Update.exe' - Path: '%localappdata%\Whatsapp\Update.exe'
Detection: Detection:
- IOC: "%localappdata%\Whatsapp\Update.exe" spawned an unknown process - IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process'
--- ---

View File

@ -1,18 +1,20 @@
Name: aswrundll.exe Name: aswrundll.exe
Description: This process is used by AVAST antivirus to run and execute any modules Description: This process is used by AVAST antivirus to run and execute any modules
Author: Eli Salem Author: Eli Salem
Created: 2019-03-19 Created: '2019-03-19'
Commands: Commands:
- Command: "\"C:\\Program Files\\Avast Software\\Avast\\aswrundll\" \"C:\\Users\\Public\\Libraries\\tempsys\\module.dll\"" - Command: '"C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll"'
Description: Load and execute modules using aswrundll Description: Load and execute modules using aswrundll
Usecase: Execute malicious modules using aswrundll.exe Usecase: Execute malicious modules using aswrundll.exe
Category: Execute Category: Execute
Privileges: Any Privileges: Any
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path: Full_Path:
- Path: C:\Program Files\Avast Software\Avast\aswrundll - Path: 'C:\Program Files\Avast Software\Avast\aswrundll'
Code_Sample:
- Code: '["C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll" "C:\Users\module.dll"]'
Resources: Resources:
- Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research - Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
Acknowledgement: Acknowledgement:
- Person: Eli Salem - Person: Eli Salem
Handle: https://www.linkedin.com/in/eli-salem-954728150 handle: 'https://www.linkedin.com/in/eli-salem-954728150'

View File

@ -2,15 +2,15 @@
Name: Ieaframe.dll Name: Ieaframe.dll
Description: Internet Browser DLL for translating HTML code. Description: Internet Browser DLL for translating HTML code.
Author: Author:
Created: 2018-05-25 Created: '2018-05-25'
Commands: Commands:
- Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url" - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL. Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
Usecase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed. UseCase: Load an executable payload by calling a .url file with or without quotes. The .url file extension can be renamed.
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1085 MitreID: T1085
MitreLink: https://attack.mitre.org/wiki/Technique/T1085 MItreLink: https://attack.mitre.org/wiki/Technique/T1085
OperatingSystem: Windows OperatingSystem: Windows
Full_Path: Full_Path:
- Path: c:\windows\system32\ieframe.dll - Path: c:\windows\system32\ieframe.dll
@ -30,4 +30,3 @@ Acknowledgement:
- Person: Adam - Person: Adam
Handle: '@hexacorn' Handle: '@hexacorn'
--- ---

View File

@ -2,11 +2,11 @@
Name: Setupapi.dll Name: Setupapi.dll
Description: Windows Setup Application Programming Interface Description: Windows Setup Application Programming Interface
Author: Author:
Created: 2018-05-25 Created: '2018-05-25'
Commands: Commands:
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf
Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified). Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
Usecase: Run local or remote script(let) code through INF file specification. UseCase: Run local or remote script(let) code through INF file specification.
Category: AWL Bypass Category: AWL Bypass
Privileges: User Privileges: User
MitreID: T1085 MitreID: T1085
@ -14,7 +14,7 @@ Commands:
OperatingSystem: Windows OperatingSystem: Windows
- Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf
Description: Launch an executable file via the InstallHinfSection function and .inf file section directive. Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
Usecase: Load an executable payload. UseCase: Load an executable payload.
Category: Execute Category: Execute
Privileges: User Privileges: User
MitreID: T1085 MitreID: T1085
@ -37,7 +37,7 @@ Resources:
Acknowledgement: Acknowledgement:
- Person: Kyle Hanslovan (COM Scriptlet) - Person: Kyle Hanslovan (COM Scriptlet)
Handle: '@KyleHanslovan' Handle: '@KyleHanslovan'
- Person: Huntress Labs (COM Scriptlet) - Person: Huntress Labs (COM Scriptlet)
Handle: '@HuntressLabs' Handle: '@HuntressLabs'
- Person: Casey Smith (COM Scriptlet) - Person: Casey Smith (COM Scriptlet)
Handle: '@subTee' Handle: '@subTee'

View File

@ -4,7 +4,7 @@ Description: Used as part of the Powershell pester
Author: 'Oddvar Moe' Author: 'Oddvar Moe'
Created: 2018-05-25 Created: 2018-05-25
Commands: Commands:
- Command: Pester.bat [/help|?|-?|/?] "$null; notepad" - Command: Pester.bat [/help|?|-?|/?] "$null; notepad"
Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. Example here executes notepad Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. Example here executes notepad
Usecase: Proxy execution Usecase: Proxy execution
Category: Execute Category: Execute