From f85eeb748aad1c6fe1497e76f07662eda6a61cef Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 23 May 2022 13:35:58 +0200
Subject: [PATCH] Add Sigma references to conhost, imewdbld, ie4uinit, ilasm, offlinescannershell and replace (#219)
---
 yml/OSBinaries/Conhost.yml | 1 +
 yml/OSBinaries/IMEWDBLD.yml | 2 +-
 yml/OSBinaries/Ie4uinit.yml | 1 +
 yml/OSBinaries/Ilasm.yml | 1 +
 yml/OSBinaries/OfflineScannerShell.yml | 2 +-
 yml/OSBinaries/Replace.yml | 1 +
 6 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/yml/OSBinaries/Conhost.yml b/yml/OSBinaries/Conhost.yml
index 7ce1d4e..0ed5c87 100644
--- a/yml/OSBinaries/Conhost.yml
+++ b/yml/OSBinaries/Conhost.yml
@@ -15,6 +15,7 @@ Full_Path:
 - Path: c:\windows\system32\conhost.exe
 Detection:
 - IOC: conhost.exe spawning unexpected processes
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
 Resources:
 - Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
 - Link: https://twitter.com/Wietze/status/1511397781159751680
diff --git a/yml/OSBinaries/IMEWDBLD.yml b/yml/OSBinaries/IMEWDBLD.yml
index 1dba16d..2199ed5 100644
--- a/yml/OSBinaries/IMEWDBLD.yml
+++ b/yml/OSBinaries/IMEWDBLD.yml
@@ -14,8 +14,8 @@ Commands:
 Full_Path:
 - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe
 Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/network_connection/net_connection_win_imewdbld.yml
 Resources:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/network_connection/net_connection_win_imewdbld.yml
 - Link: https://twitter.com/notwhickey/status/1367493406835040265
 Acknowledgement:
 - Person: Wade Hickey
diff --git a/yml/OSBinaries/Ie4uinit.yml b/yml/OSBinaries/Ie4uinit.yml
index cec66ea..f5a9e3d 100644
--- a/yml/OSBinaries/Ie4uinit.yml
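Review bot: The Detection list in IMEWDBLD.yml now contains only the Sigma link and no IOC line, whereas the other five files touched by this patch pair a human-readable IOC with the rule reference. Judging from the rule path (`network_connection/net_connection_win_imewdbld.yml`) the behaviour being detected appears to be IMEWDBLD.exe making an outbound network connection, so a line such as `- IOC: IMEWDBLD.exe initiating a network connection` above the Sigma entry would let readers without Sigma tooling act on the entry; confirm the wording against the rule itself. Moving the reference out of Resources and re-pinning it to commit bea6f18 is fine, but a commit-pinned link is a snapshot and will not follow later renames or logic changes of the upstream rule.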
+++ b/yml/OSBinaries/Ie4uinit.yml
@@ -21,6 +21,7 @@ Code_Sample:
 Detection:
 - IOC: ie4uinit.exe copied outside of %windir%
 - IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir%
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml
 Resources:
 - Link: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
 Acknowledgement:
diff --git a/yml/OSBinaries/Ilasm.yml b/yml/OSBinaries/Ilasm.yml
index 23bce1d..98bf87c 100644
--- a/yml/OSBinaries/Ilasm.yml
+++ b/yml/OSBinaries/Ilasm.yml
@@ -24,6 +24,7 @@ Code_Sample:
 - Code:
 Detection:
 - IOC: Ilasm may not be used often in production environments (such as on endpoints)
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml
 Resources:
 - Link: https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt
 Acknowledgement:
diff --git a/yml/OSBinaries/OfflineScannerShell.yml b/yml/OSBinaries/OfflineScannerShell.yml
index cb5f184..fd85398 100644
--- a/yml/OSBinaries/OfflineScannerShell.yml
+++ b/yml/OSBinaries/OfflineScannerShell.yml
@@ -12,9 +12,9 @@ Commands:
 MitreID: T1218
 OperatingSystem: Windows 10
 Full_Path:
- - Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
 - Path: C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe
 Detection:
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
 - IOC: OfflineScannerShell.exe should not be run on a normal workstation
 Acknowledgement:
 - Person: Elliot Killick
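Review bot: In OfflineScannerShell.yml the new Sigma entry is inserted above the existing IOC line in the Detection list, while the other five files in this patch list the IOC first and the Sigma reference second; for a consistent layout the added line should go after `- IOC: OfflineScannerShell.exe should not be run on a normal workstation`. Dropping the stray Sigma entry from Full_Path is a real correction, since that field previously held a non-path value that any consumer reading Full_Path would have had to special-case, and it deserves a mention in the commit message alongside the re-pinning.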
diff --git a/yml/OSBinaries/Replace.yml b/yml/OSBinaries/Replace.yml
index 41e3b1e..23a6d3f 100644
--- a/yml/OSBinaries/Replace.yml
+++ b/yml/OSBinaries/Replace.yml
@@ -25,6 +25,7 @@ Code_Sample:
 - Code:
 Detection:
 - IOC: Replace.exe retrieving files from remote server
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml
 Resources:
 - Link: https://twitter.com/elceef/status/986334113941655553
 - Link: https://twitter.com/elceef/status/986842299861782529