From ff9f5cff3d61c76ff4ff123f16aabb7704454df0 Mon Sep 17 00:00:00 2001
From: Filipe Spencer Lopes
Date: Tue, 9 Mar 2021 15:00:55 +0100
Subject: [PATCH] Removing blank lines

---
 yml/LOLUtilz/OSBinaries/Explorer.yml | 1 -
 yml/LOLUtilz/OSBinaries/Netsh.yml | 1 -
 yml/LOLUtilz/OSBinaries/Openwith.yml | 1 -
 yml/LOLUtilz/OSBinaries/Powershell.yml | 1 -
 yml/LOLUtilz/OSBinaries/Psr.yml | 1 -
 yml/LOLUtilz/OSBinaries/Robocopy.yml | 1 -
 yml/LOLUtilz/OtherBinaries/Upload.yml | 3 ++-
 7 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/yml/LOLUtilz/OSBinaries/Explorer.yml b/yml/LOLUtilz/OSBinaries/Explorer.yml
index 99a6348..e0e242a 100644
--- a/yml/LOLUtilz/OSBinaries/Explorer.yml
+++ b/yml/LOLUtilz/OSBinaries/Explorer.yml
@@ -15,4 +15,3 @@ Detection: []
 Resources:
 - https://twitter.com/bohops/status/986984122563391488
 Notes: Thanks to Jimmy - @bohops
-
diff --git a/yml/LOLUtilz/OSBinaries/Netsh.yml b/yml/LOLUtilz/OSBinaries/Netsh.yml
index d7dd77f..9e7234c 100644
--- a/yml/LOLUtilz/OSBinaries/Netsh.yml
+++ b/yml/LOLUtilz/OSBinaries/Netsh.yml
@@ -23,4 +23,3 @@ Resources:
 - https://attack.mitre.org/wiki/Technique/T1128
 - https://twitter.com/teemuluotio/status/990532938952527873
 Notes: ''
-
diff --git a/yml/LOLUtilz/OSBinaries/Openwith.yml b/yml/LOLUtilz/OSBinaries/Openwith.yml
index ae20a00..5e3e8f6 100644
--- a/yml/LOLUtilz/OSBinaries/Openwith.yml
+++ b/yml/LOLUtilz/OSBinaries/Openwith.yml
@@ -17,4 +17,3 @@ Detection: []
 Resources:
 - https://twitter.com/harr0ey/status/991670870384021504
 Notes: Thanks to Matt harr0ey - @harr0ey
-
diff --git a/yml/LOLUtilz/OSBinaries/Powershell.yml b/yml/LOLUtilz/OSBinaries/Powershell.yml
index f8d44e6..5cfe767 100644
--- a/yml/LOLUtilz/OSBinaries/Powershell.yml
+++ b/yml/LOLUtilz/OSBinaries/Powershell.yml
@@ -15,4 +15,3 @@ Detection: []
 Resources:
 - https://twitter.com/Moriarty_Meng/status/984380793383370752
 Notes: Thanks to Moriarty - @Moriarty_Meng
-
diff --git a/yml/LOLUtilz/OSBinaries/Psr.yml b/yml/LOLUtilz/OSBinaries/Psr.yml
index b9b9e45..3fe1f86 100644
--- a/yml/LOLUtilz/OSBinaries/Psr.yml
+++ b/yml/LOLUtilz/OSBinaries/Psr.yml
@@ -19,4 +19,3 @@ Detection: []
 Resources:
 - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
 Notes: 'Thanks to '
-
diff --git a/yml/LOLUtilz/OSBinaries/Robocopy.yml b/yml/LOLUtilz/OSBinaries/Robocopy.yml
index 8ebb462..d2b7506 100644
--- a/yml/LOLUtilz/OSBinaries/Robocopy.yml
+++ b/yml/LOLUtilz/OSBinaries/Robocopy.yml
@@ -17,4 +17,3 @@ Detection: []
 Resources:
 - https://social.technet.microsoft.com/wiki/contents/articles/1073.robocopy-and-a-few-examples.aspx
 Notes: Thanks to Name of guy - @twitterhandle
-
diff --git a/yml/LOLUtilz/OtherBinaries/Upload.yml b/yml/LOLUtilz/OtherBinaries/Upload.yml
index 6cfa0a3..eaab3dd 100644
--- a/yml/LOLUtilz/OtherBinaries/Upload.yml
+++ b/yml/LOLUtilz/OtherBinaries/Upload.yml
@@ -3,6 +3,7 @@ Name: Update.exe
 Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation.
 Author: 'Jesus Galvez'
 Created: '2020-11-01'
+Commands:
 - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
 Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied.
 Usecase: Execute binary
@@ -14,5 +15,5 @@ Created: '2020-11-01'
 Full_Path:
 - Path: '%localappdata%\Whatsapp\Update.exe'
 Detection:
- - IOC: "%localappdata%\Whatsapp\Update.exe" spawned an unknown process
+ - IOC: '"%localappdata%\Whatsapp\Update.exe" spawned an unknown process'
---
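Review bot: The entry lives in `yml/LOLUtilz/OtherBinaries/Upload.yml` but describes `Name: Update.exe` with `Full_Path` `%localappdata%\Whatsapp\Update.exe`, so the file name looks like a typo for `Update.yml` that the restructuring in the first hunk leaves in place; any tooling that derives the binary name from the file name would then report the wrong entry. The added `Commands:` key is the right fix, since the `- Command:` sequence previously sat directly under the `Created:` scalar and YAML parsers reject a sequence entry at that position. In the second hunk, single-quoting the IOC is likewise needed because in a double-quoted scalar `\W` and `\U` would be read as escape sequences; that hunk's fifth old line is not visible here, so its end lies outside this excerpt.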