mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-28 15:58:24 +01:00
Merge pull request #295 from frack113/sigma_20230610
Add missing Sigma ref
This commit is contained in:
commit
f5a3812c91
@ -28,6 +28,9 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe
|
- Path: c:\Program Files\Microsoft\Edge\Application\msedge.exe
|
||||||
- Path: c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
|
- Path: c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
|
||||||
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_browsers_msedge_arbitrary_download.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/mrd0x/status/1478116126005641220
|
- Link: https://twitter.com/mrd0x/status/1478116126005641220
|
||||||
- Link: https://twitter.com/mrd0x/status/1478234484881436672
|
- Link: https://twitter.com/mrd0x/status/1478234484881436672
|
||||||
|
@ -31,6 +31,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/image_load/image_load_side_load_coregen.yml
|
||||||
- IOC: coregen.exe loading .dll file not in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\"
|
- IOC: coregen.exe loading .dll file not in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\"
|
||||||
- IOC: coregen.exe loading .dll file not named coreclr.dll
|
- IOC: coregen.exe loading .dll file not named coreclr.dll
|
||||||
- IOC: coregen.exe command line containing -L or -l
|
- IOC: coregen.exe command line containing -L or -l
|
||||||
|
@ -16,6 +16,7 @@ Full_Path:
|
|||||||
Code_Sample:
|
Code_Sample:
|
||||||
- Code:
|
- Code:
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml
|
||||||
- IOC: DefaultPack.EXE spawned an unknown process
|
- IOC: DefaultPack.EXE spawned an unknown process
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/checkymander/status/1311509470275604480.
|
- Link: https://twitter.com/checkymander/status/1311509470275604480.
|
||||||
|
@ -14,6 +14,8 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
|
- Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
|
||||||
- Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
|
- Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
|
||||||
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/mrd0x/status/1460815932402679809
|
- Link: https://twitter.com/mrd0x/status/1460815932402679809
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
|
@ -13,6 +13,10 @@ Commands:
|
|||||||
OperatingSystem: Windows 10, Windows 11
|
OperatingSystem: Windows 10, Windows 11
|
||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions
|
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions
|
||||||
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/mrd0x/status/1511415432888131586
|
- Link: https://twitter.com/mrd0x/status/1511415432888131586
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
|
@ -14,6 +14,9 @@ Commands:
|
|||||||
Full_Path:
|
Full_Path:
|
||||||
- Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
|
- Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
|
||||||
- Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
|
- Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
|
||||||
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml
|
||||||
Resources:
|
Resources:
|
||||||
- Link: https://twitter.com/mrd0x/status/1463526834918854661
|
- Link: https://twitter.com/mrd0x/status/1463526834918854661
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
|
@ -21,6 +21,7 @@ Full_Path:
|
|||||||
- Path: C:\Program Files (x86)\Microsoft Office\Office15\ProtocolHandler.exe
|
- Path: C:\Program Files (x86)\Microsoft Office\Office15\ProtocolHandler.exe
|
||||||
- Path: C:\Program Files\Microsoft Office\Office15\ProtocolHandler.exe
|
- Path: C:\Program Files\Microsoft Office\Office15\ProtocolHandler.exe
|
||||||
Detection:
|
Detection:
|
||||||
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml
|
||||||
- IOC: Suspicious Office application Internet/network traffic
|
- IOC: Suspicious Office application Internet/network traffic
|
||||||
Acknowledgement:
|
Acknowledgement:
|
||||||
- Person: Nir Chako (Pentera)
|
- Person: Nir Chako (Pentera)
|
||||||
|
Loading…
Reference in New Issue
Block a user