Merge pull request #131 from fslds/feat/yamllinting

Adding yamllinting github action and some minor syntax corrections in yml-files.

.github/workflows/yamllinting.yml

@@ -0,0 +1,12 @@
+---
+name: Yaml Lint
+on: [push, pull_request]
+jobs:
+  lintFiles:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - name: yaml-lint
+        uses: ibiqlik/action-yamllint@v3
+        with:
+          config_file: .yamllint

.yamllint

@@ -0,0 +1,15 @@
+---
+extends: default
+yaml-files:
+  - '*.yml'
+rules:
+  new-line-at-end-of-file:
+    level: warning
+  trailing-spaces:
+    level: warning
+  line-length:
+    level: warning
+  new-lines:
+    level: warning
+  indentation:
+    level: warning

YML-Template.yml

@@ -2,7 +2,7 @@
 Name: Binary.exe
 Description: Something general about the binary
 Author: The person that created this file
-Created: Date the person created this file (use YYYY-MM-DD without quotes)
+Created: Date the person created this file
 Commands:
   - Command: The command
     Description: Description of the command
@@ -37,4 +37,3 @@ Acknowledgement:
     Handle: '@johndoe'
   - Person: Ola Norman
     Handle: '@olaNor'
----

yml/LOLUtilz/OSBinaries/Explorer.yml

@@ -2,7 +2,8 @@
 Name: Explorer.exe
 Description: Execute
 Author: ''
-Created: 2018-05-25
+Created: '2018-05-25'
+Categories: []
 Commands:
   - Command: explorer.exe calc.exe
     Description: 'Executes calc.exe as a subprocess of explorer.exe.'
@@ -16,4 +17,3 @@ Resources:
 Acknowledgement:
   - Person: Jimmy
     Handle: '@bohops'
-

yml/LOLUtilz/OSBinaries/Netsh.yml

@@ -2,7 +2,8 @@
 Name: Netsh.exe
 Description: Execute, Surveillance
 Author: ''
-Created: 2018-05-25
+Created: '2018-05-25'
+Categories: []
 Commands:
   - Command: |
           netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!(<IPofRemoteFileShare>)
@@ -21,3 +22,6 @@ Resources:
   - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md
   - https://attack.mitre.org/wiki/Technique/T1128
   - https://twitter.com/teemuluotio/status/990532938952527873
+Acknowledgement:
+  - Person: ''
+  - Handle: ''

yml/LOLUtilz/OSBinaries/Openwith.yml

@@ -2,7 +2,7 @@
 Name: Openwith.exe
 Description: Execute
 Author: ''
-Created: 2018-05-25
+Created: '2018-05-25'
 Commands:
   - Command: OpenWith.exe /c C:\test.hta
     Description: Opens the target file with the default application.

yml/LOLUtilz/OSBinaries/Powershell.yml

@@ -2,7 +2,7 @@
 Name: Powershell.exe
 Description: Execute, Read ADS
 Author: ''
-Created: 2018-05-25
+Created: '2018-05-25'
 Commands:
   - Command: powershell -ep bypass - < c:\temp:ttt
     Description: Execute the encoded PowerShell command stored in an Alternate Data Stream (ADS).
@@ -16,4 +16,3 @@ Resources:
 Acknowledgement:
   - Person: Moriarty
     Handle: '@Moriarty_Meng'
-

yml/LOLUtilz/OSBinaries/Psr.yml

@@ -2,7 +2,8 @@
 Name: Psr.exe
 Description: Surveillance
 Author: ''
-Created: 2018-05-25
+Created: '2018-05-25'
+Categories: []
 Commands:
   - Command: psr.exe /start /gui 0 /output c:\users\user\out.zip
     Description: Capture screenshots of the desktop and save them in the target .ZIP file.
@@ -17,4 +18,6 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
-
+Acknowledgement:
+  - Person: ''
+  - Handle: ''

yml/LOLUtilz/OSBinaries/Robocopy.yml

@@ -3,6 +3,7 @@ Name: Robocopy.exe
 Description: Copy
 Author: ''
 Created: 2018-05-25
+Categories: []
 Commands:
   - Command: Robocopy.exe C:\SourceFolder C:\DestFolder
     Description: Copy the entire contents of the SourceFolder to the DestFolder.
@@ -15,3 +16,6 @@ Code_Sample: []
 Detection: []
 Resources:
   - https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
+Acknowledgement:
+  - Person: ''
+  - Handle: ''

yml/LOLUtilz/OtherBinaries/Upload.yml

@@ -3,6 +3,7 @@ Name: Update.exe
 Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation.
 Author: 'Jesus Galvez'
 Created: '2020-11-01'
+Commands:
   - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
     Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied.
     Usecase: Execute binary
@@ -14,5 +15,5 @@ Created: '2020-11-01'
 Full_Path:
   - Path: '%localappdata%\Whatsapp\Update.exe'
 Detection: 
-  - IOC: "%localappdata%\Whatsapp\Update.exe" spawned an unknown process
+  - IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process'
 ---

yml/LOLUtilz/OtherBinaries/aswrundll.yml

@@ -1,18 +1,20 @@
 Name: aswrundll.exe
 Description: This process is used by AVAST antivirus to run and execute any modules
 Author: Eli Salem
-Created: 2019-03-19
+Created: '2019-03-19'
 Commands:
-  - Command: "\"C:\\Program Files\\Avast Software\\Avast\\aswrundll\" \"C:\\Users\\Public\\Libraries\\tempsys\\module.dll\""
+  - Command: '"C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll"'
     Description: Load and execute modules using aswrundll
     Usecase: Execute malicious modules using aswrundll.exe
     Category: Execute
     Privileges: Any
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
 Full_Path:
-  - Path: C:\Program Files\Avast Software\Avast\aswrundll
+- Path: 'C:\Program Files\Avast Software\Avast\aswrundll'
+Code_Sample: 
+- Code: '["C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll" "C:\Users\module.dll"]'
 Resources:
  - Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
 Acknowledgement:
   - Person: Eli Salem 
-    Handle: https://www.linkedin.com/in/eli-salem-954728150
+    handle: 'https://www.linkedin.com/in/eli-salem-954728150'

yml/OSLibraries/Ieframe.yml

@@ -2,15 +2,15 @@
 Name: Ieaframe.dll
 Description: Internet Browser DLL for translating HTML code.
 Author:
-Created: 2018-05-25
+Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe ieframe.dll,OpenURL "C:\test\calc.url"
     Description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
-    Usecase: Load an executable payload by calling a .url file with or without quotes.  The .url file extension can be renamed.
+    UseCase: Load an executable payload by calling a .url file with or without quotes.  The .url file extension can be renamed.
     Category: Execute
     Privileges: User
     MitreID: T1085
-    MitreLink: https://attack.mitre.org/wiki/Technique/T1085
+    MItreLink: https://attack.mitre.org/wiki/Technique/T1085
     OperatingSystem: Windows
 Full_Path:
   - Path: c:\windows\system32\ieframe.dll
@@ -30,4 +30,3 @@ Acknowledgement:
   - Person: Adam
     Handle: '@hexacorn'
 ---
-

yml/OSLibraries/Setupapi.yml

@@ -2,11 +2,11 @@
 Name: Setupapi.dll
 Description: Windows Setup Application Programming Interface
 Author:
-Created: 2018-05-25
+Created: '2018-05-25'
 Commands:
   - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Tools\shady.inf
     Description: Execute the specified (local or remote) .wsh/.sct script with scrobj.dll in the .inf file by calling an information file directive (section name specified).
-    Usecase: Run local or remote script(let) code through INF file specification.
+    UseCase: Run local or remote script(let) code through INF file specification.
     Category: AWL Bypass
     Privileges: User
     MitreID: T1085
@@ -14,7 +14,7 @@ Commands:
     OperatingSystem: Windows
   - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf
     Description: Launch an executable file via the InstallHinfSection function and .inf file section directive.
-    Usecase: Load an executable payload.
+    UseCase: Load an executable payload.
     Category: Execute
     Privileges: User
     MitreID: T1085